
Windows Analysis Report X4WVDz35mI.exe

Overview

General Information

Sample Name: X4WVDz35mI.exe
Analysis ID: 510404
MD5: 36d837ee33175839b0fe83c09b5098d4
SHA1: 735a4d10a58adab64deef3f4a63104d40dd8586a
SHA256: a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • X4WVDz35mI.exe (PID: 2628 cmdline: 'C:\Users\user\Desktop\X4WVDz35mI.exe' MD5: 36D837EE33175839B0FE83C09B5098D4)
    • AddInProcess32.exe (PID: 5696 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • WerFault.exe (PID: 4808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 172 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dfwbcs.com/upi8/"], "decoy": ["portavella.net", "wraphollywood.com", "uodpik.website", "1h30m.online", "taziyesayfalari.net", "bigredtrucking.net", "thr33h3ad3ddragon.art", "magentavar.com", "crowliz.net", "italianexpresshouston.com", "laminaparfum.com", "xn--espaol101-o6a.online", "orderonlinegift.com", "fittuning.com", "jurisligne.com", "palmbeachdb.com", "vatikanlottery.com", "worldtravelcostarica.com", "treeplantco.com", "veloci-cloud.com", "bjfengshibing.com", "standbyez.digital", "heidiscuss.xyz", "usbgdt.com", "njkhmj.com", "halloweensells.com", "rocket-bet.net", "cloudofthings.net", "cosachgetolk.quest", "outgenerallytap.xyz", "terabyte-hosting.com", "kkp72.com", "thesugarlanding.com", "orangeroofingcompany.com", "investecholdingsuk.com", "americanmamallc.com", "dragondrax.com", "riyiflower.com", "szhemgc.com", "kusum.group", "daniellestienstra.com", "jenniferseltz.com", "salon-dolphin.com", "isiticisizhavaperdesi.com", "hsbgs-asia.com", "crishantha.info", "medio-news.store", "preceslume.quest", "franlend.com", "gsjbd24.club", "davantra.com", "adornel.online", "zopl-49boa.com", "dashmints.com", "keyakiya.com", "yuanyindongman.com", "once-only.info", "icaterlunch.com", "stafftaculer.net", "wildcatweedbarrier.com", "alexmorton.online", "zylyt.com", "esnadhc.com", "cataractusa.com"]}

Yara Overview

Memory Dumps

Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19c3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x15ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x15bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x15af8:$sqlite3text: 68 38 2A 90 C5
  • 0x15c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15c33:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19c3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 7.0.AddInProcess32.exe.5d0000.13.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 7.0.AddInProcess32.exe.5d0000.13.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 7.0.AddInProcess32.exe.5d0000.13.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C

Source: 7.0.AddInProcess32.exe.5d0000.5.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 7.0.AddInProcess32.exe.5d0000.5.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: X4WVDz35mI.exe, Virustotal: Detection: 36%
Yara detected FormBook
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: X4WVDz35mI.exe, Joe Sandbox ML: detected
Source: 7.0.AddInProcess32.exe.5d0000.11.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.5d0000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.AddInProcess32.exe.5d0000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.5d0000.13.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.5d0000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.5d0000.9.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: X4WVDz35mI.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.4:49775 version: TLS 1.0
Source: X4WVDz35mI.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: X4WVDz35mI.exe, 00000000.00000003.739997187.0000000006227000.00000004.00000001.sdmp, AddInProcess32.exe, WerFault.exe, 0000000A.00000002.779377326.0000000002BC0000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: X4WVDz35mI.exe, 00000000.00000003.739997187.0000000006227000.00000004.00000001.sdmp, AddInProcess32.exe, 00000007.00000000.741455566.0000000000402000.00000002.00020000.sdmp, WerFault.exe, 0000000A.00000002.779377326.0000000002BC0000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\X4WVDz35mI.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_062ACA64
Source: C:\Users\user\Desktop\X4WVDz35mI.exe, Code function: 4x nop then push dword ptr [ebp-24h] 0_2_062AD4E8
Source: C:\Users\user\Desktop\X4WVDz35mI.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_062AD4E8
Source: C:\Users\user\Desktop\X4WVDz35mI.exe, Code function: 4x nop then jmp 062A8701h 0_2_062A7E88
Source: C:\Users\user\Desktop\X4WVDz35mI.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_062ADB58

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.dfwbcs.com/upi8/
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: unknown, HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.4:49775 version: TLS 1.0
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown, Network traffic detected: HTTP traffic on port 49775 -> 443
Source: X4WVDz35mI.exe, 00000000.00000003.673405142.0000000006872000.00000004.00000001.sdmp, X4WVDz35mI.exe, 00000000.00000002.758281772.0000000006872000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ado/1
Source: X4WVDz35mI.exe, 00000000.00000003.673405142.0000000006872000.00000004.00000001.sdmp, X4WVDz35mI.exe, 00000000.00000002.758281772.0000000006872000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.c/g
Source: X4WVDz35mI.exe, 00000000.00000003.673405142.0000000006872000.00000004.00000001.sdmp, X4WVDz35mI.exe, 00000000.00000002.758281772.0000000006872000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.cobj
Source: X4WVDz35mI.exe, 00000000.00000003.670401557.0000000006871000.00000004.00000001.sdmp, String found in binary or memory: http://ns.d
Source: X4WVDz35mI.exe, 00000000.00000002.751854330.00000000027A1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr, String found in binary or memory: http://upx.sf.net
Source: X4WVDz35mI.exe, 00000000.00000002.751854330.00000000027A1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com
Source: X4WVDz35mI.exe, 00000000.00000002.751854330.00000000027A1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/
Source: unknown, DNS traffic detected: queries for: www.google.com
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: X4WVDz35mI.exe, p1P/r6P.cs, Large array initialization: .cctor: array initializer size 3331
Source: X4WVDz35mI.exe, Ng9/Xj7.cs, Large array initialization: .cctor: array initializer size 4377
Source: X4WVDz35mI.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 172
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_00336E35
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_0033ABA5
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_0033A7F5
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_00339456
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_003398C5
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_00339B4C
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_062A0460
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_062A6308
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_062A7E88
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_062AE642
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_062AE650
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_062A8718
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_00339B76
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 7_2_00402050
          Source: X4WVDz35mI.exe | Binary or memory string: OriginalFilename vs X4WVDz35mI.exe
          Source: X4WVDz35mI.exe, 00000000.00000002.756514171.00000000037A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs X4WVDz35mI.exe
          Source: X4WVDz35mI.exe, 00000000.00000002.751931195.0000000002853000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs X4WVDz35mI.exe
          Source: X4WVDz35mI.exe, 00000000.00000003.739997187.0000000006227000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs X4WVDz35mI.exe
          Source: X4WVDz35mI.exe, 00000000.00000000.664109734.0000000000332000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDemoProject2.exe: vs X4WVDz35mI.exe
          Source: X4WVDz35mI.exe | Binary or memory string: OriginalFilenameDemoProject2.exe: vs X4WVDz35mI.exe
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: X4WVDz35mI.exe | Virustotal: Detection: 36%
          Source: X4WVDz35mI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\X4WVDz35mI.exe 'C:\Users\user\Desktop\X4WVDz35mI.exe'
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 172
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X4WVDz35mI.exe.log
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/8@1/2
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: X4WVDz35mI.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5696
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: X4WVDz35mI.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: X4WVDz35mI.exe | Static file information: File size 1091072 > 1048576
          Source: X4WVDz35mI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: X4WVDz35mI.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109c00
          Source: X4WVDz35mI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: X4WVDz35mI.exe, 00000000.00000003.739997187.0000000006227000.00000004.00000001.sdmp, AddInProcess32.exe, WerFault.exe, 0000000A.00000002.779377326.0000000002BC0000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: X4WVDz35mI.exe, 00000000.00000003.739997187.0000000006227000.00000004.00000001.sdmp, AddInProcess32.exe, 00000007.00000000.741455566.0000000000402000.00000002.00020000.sdmp, WerFault.exe, 0000000A.00000002.779377326.0000000002BC0000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000A.00000003.759379428.0000000004B01000.00000004.00000001.sdmp
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Code function: 0_2_0033B771 push es; retf 0_2_0033B77F
          Source: X4WVDz35mI.exe, r8H/Wi2.cs | High entropy of concatenated method names: '.ctor', 'Qy9', 'q3Z', 'Ko3', 'd1M', 'r8D', 's8E', 'Ew1', 'Mg1', 's6S'
          Source: X4WVDz35mI.exe, m2X/b8S.cs | High entropy of concatenated method names: '.ctor', 'Ct0', 'j9W', 'Mk6', 'Fc5', 'n6J', 'Lm9', 'd4C', 'i8R', 'Mf7'
          Source: X4WVDz35mI.exe, Xt31/b8LT.cs | High entropy of concatenated method names: '.ctor', 'e8F4', 'Zg4', 'f2R', 't6P', 'x0D', 'c3P', 'd1C', 'p2P', 'w5J'
          Source: X4WVDz35mI.exe, j5Y/q6D.cs | High entropy of concatenated method names: '.ctor', 'k8B', 'c7T1', 'Ns3n', 'Ny2o', 'p0M3', 'Dc72', 'k0R8', 'n9H4', 'y4SJ'
          Source: X4WVDz35mI.exe, Ab16/Bm42.cs | High entropy of concatenated method names: '.ctor', 'Qi41', 'Ap6', 'Gi4', 'Sw3', 'Px9', 'Ne0', 'Pr6', 't2Y', 'Pr6'
          Source: X4WVDz35mI.exe, n8TL/m0MN.cs | High entropy of concatenated method names: '.ctor', 'j8KN', 'i2J7', 'r2B0', 'Wn8s', 'i6TP', 'o0X2', 'Qk6i', 'Zd41', 'k2A7'
          Source: X4WVDz35mI.exe, Yg3/Ma7.cs | High entropy of concatenated method names: '.ctor', 'Ns0', 'Ao2', 'm3S', 'j7P', 'Zp0', 'x2M', 'Bt8', 'm3N', 'q9T'
          Source: X4WVDz35mI.exe, Jb3/Tq7.cs | High entropy of concatenated method names: '.ctor', 'Cd0', 'Tg7', 'Jz6', 'x0G', 't1L', 'So2', 'Ri0', 'Xn2', 'Ty5'
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | File opened: C:\Users\user\Desktop\X4WVDz35mI.exe\:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe TID: 6872 | Thread sleep time: -17524406870024063s >= -30000s
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe TID: 6872 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe TID: 6892 | Thread sleep count: 308 > 30
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe TID: 6892 | Thread sleep count: 9547 > 30
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Window / User API: threadDelayed 9547
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Thread delayed: delay time: 30000
          Source: Amcache.hve.10.dr | Binary or memory string: VMware
          Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: Amcache.hve.10.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.10.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
          Source: X4WVDz35mI.exe | Binary or memory string: IHGFSD
          Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
          Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
          Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.10.dr | Binary or memory string: VMware7,1
          Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.me
          Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 5D0000
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 5D1000
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 7BB008
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 5D0000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 5D0000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Users\user\Desktop\X4WVDz35mI.exe VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Users\user\Desktop\X4WVDz35mI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.13.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.AddInProcess32.exe.5d0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.5d0000.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access:
• Valid Accounts
• Default Accounts
• Domain Accounts
• Local Accounts
• Cloud Accounts
• Replication Through Removable Media
• External Remote Services

Execution:
• Windows Management Instrumentation
• Scheduled Task/Job
• At (Linux)
• At (Windows)
• Cron
• Launchd
• Scheduled Task

Persistence:
• Path Interception
• Boot or Logon Initialization Scripts
• Logon Script (Windows)
• Logon Script (Mac)
• Network Logon Script
• Rc.common
• Startup Items

Privilege Escalation:
• Process Injection311
• Boot or Logon Initialization Scripts
• Logon Script (Windows)
• Logon Script (Mac)
• Network Logon Script
• Rc.common
• Startup Items

Defense Evasion:
• Masquerading1
• Disable or Modify Tools1
• Virtualization/Sandbox Evasion31
• Process Injection311
• Hidden Files and Directories1
• Obfuscated Files or Information2
• Software Packing1

Credential Access:
• OS Credential Dumping
• LSASS Memory
• Security Account Manager
• NTDS
• LSA Secrets
• Cached Domain Credentials
• DCSync

Discovery:
• Security Software Discovery21
• Process Discovery1
• Virtualization/Sandbox Evasion31
• Application Window Discovery1
• Remote System Discovery1
• System Information Discovery12
• Network Sniffing

Lateral Movement:
• Remote Services
• Remote Desktop Protocol
• SMB/Windows Admin Shares
• Distributed Component Object Model
• SSH
• VNC
• Windows Remote Management

Collection:
• Archive Collected Data1
• Data from Removable Media
• Data from Network Shared Drive
• Input Capture
• Keylogging
• GUI Input Capture
• Web Portal Capture

Exfiltration:
• Exfiltration Over Other Network Medium
• Exfiltration Over Bluetooth
• Automated Exfiltration
• Scheduled Transfer
• Data Transfer Size Limits
• Exfiltration Over C2 Channel
• Exfiltration Over Alternative Protocol

Command and Control:
• Encrypted Channel11
• Ingress Tool Transfer1
• Non-Application Layer Protocol2
• Application Layer Protocol13
• Fallback Channels
• Multiband Communication
• Commonly Used Port

Network Effects:
• Eavesdrop on Insecure Network Communication
• Exploit SS7 to Redirect Phone Calls/SMS
• Exploit SS7 to Track Device Location
• SIM Card Swap
• Manipulate Device Communication
• Jamming or Denial of Service
• Rogue Wi-Fi Access Points

Remote Service Effects:
• Remotely Track Device Without Authorization
• Remotely Wipe Data Without Authorization
• Obtain Device Cloud Backups

Impact:
• Modify System Partition
• Device Lockout
• Delete Device Data
• Carrier Billing Fraud
• Manipulate App Store Rankings or Ratings
• Abuse Accessibility Features
• Data Encrypted for Impact

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
X4WVDz35mI.exe | 37% | Virustotal |
X4WVDz35mI.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
7.0.AddInProcess32.exe.5d0000.11.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.AddInProcess32.exe.5d0000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.AddInProcess32.exe.5d0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.AddInProcess32.exe.5d0000.13.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.AddInProcess32.exe.5d0000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.AddInProcess32.exe.5d0000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://ns.d | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
www.dfwbcs.com/upi8/ | 0% | Avira URL Cloud | safe
http://ns.ado/1 | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.185.228 | true | false | | high

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/ | false | | high
www.dfwbcs.com/upi8/ | true | Avira URL Cloud: safe | low

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.d | X4WVDz35mI.exe, 00000000.00000003.670401557.0000000006871000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | X4WVDz35mI.exe, 00000000.00000002.751854330.00000000027A1000.00000004.00000001.sdmp | false | | high
http://upx.sf.net | Amcache.hve.10.dr | false | | high
http://ns.adobe.c/g | X4WVDz35mI.exe, 00000000.00000003.673405142.0000000006872000.00000004.00000001.sdmp, X4WVDz35mI.exe, 00000000.00000002.758281772.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.cobj | X4WVDz35mI.exe, 00000000.00000003.673405142.0000000006872000.00000004.00000001.sdmp, X4WVDz35mI.exe, 00000000.00000002.758281772.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | X4WVDz35mI.exe, 00000000.00000002.751854330.00000000027A1000.00000004.00000001.sdmp | false | | high
http://ns.ado/1 | X4WVDz35mI.exe, 00000000.00000003.673405142.0000000006872000.00000004.00000001.sdmp, X4WVDz35mI.exe, 00000000.00000002.758281772.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.228 | www.google.com | United States | 15169 | GOOGLEUS | false

                    Private

                    IP
                    192.168.2.1

                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510404
Start date: 27.10.2021
Start time: 19:15:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: X4WVDz35mI.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/8@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 33.3% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 27
• Number of non-executed functions: 11
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 131.253.33.200, 13.107.22.200, 20.82.209.183, 209.197.3.8, 52.168.117.173, 20.54.110.249, 40.112.88.60, 40.91.112.76, 80.67.82.235, 80.67.82.242, 20.50.102.62
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
19:16:28 | API Interceptor | 209x Sleep call for process: X4WVDz35mI.exe modified
19:17:14 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad

Associated Sample Name / URL | Detection | Context
Eh36aKpvNOXJcT8.exe | malicious | 142.250.185.228
2098765434567890098765.exe | malicious | 142.250.185.228
0987234567890.exe | malicious | 142.250.185.228
LENEEsYC55YCboo.exe | malicious | 142.250.185.228
Justificante de pago 876345864792456647625346347457453535.vbs | malicious | 142.250.185.228
GAWEVQV50254.vbs | malicious | 142.250.185.228
409876543456789.exe | malicious | 142.250.185.228
583475.exe | malicious | 142.250.185.228
TEaKKn2Dkf.exe | malicious | 142.250.185.228
Km5KAxQLLV.exe | malicious | 142.250.185.228
P.O_45030090VT_Glaserei_Gueney.exe | malicious | 142.250.185.228
mJ1frOovsp.exe | malicious | 142.250.185.228
PRODUCT ENQUIRY #20211027.exe | malicious | 142.250.185.228
IB5eMmKwbD.exe | malicious | 142.250.185.228
Duty invoice & clearance document.vbs | malicious | 142.250.185.228
Shipment #45523666245.vbs | malicious | 142.250.185.228
PO No-512 3111.vbs | malicious | 142.250.185.228
IDSTATEMENTS.vbs | malicious | 142.250.185.228
avocFyG.vbs | malicious | 142.250.185.228
r18qGHf6vL.exe | malicious | 142.250.185.228

                    Dropped Files

Match: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Associated Sample Name / URL | Detection
583475.exe | malicious
NewOrderPDF.exe | malicious
DHLExpress_Shipment101909.exe | malicious
Niki-Gmbh Germany Inquiry.exe | malicious
Enquiry MW886079 ( Flowstar.CO.UK ).exe | malicious
Order18102021.exe | malicious
DHL_Ship_152021.exe | malicious
DO854.exe | malicious
DrAlj265av.exe | malicious
masa_prot.exe | malicious
75lT7DuXrs.exe | malicious
dark.exe | malicious
tortilla.exe | malicious
dark.exe | malicious
2xYyRwsd4z.exe | malicious
bNaLNMv3po.exe | malicious
uUdLeF2vh0.exe | malicious
DHL_Express1102021.exe | malicious
VsRff7UbXL.exe | malicious
DHL_Shipment_20210621.exe | malicious

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AddInProcess32.e_6938981f836a293208bafbbe4c03d33d048f2_60bce973_13e44fc2\Report.wer
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65536
                                                            Entropy (8bit):0.6381599818476756
                                                            Encrypted:false
                                                            SSDEEP:192:TKKEw8siC4HBUZMXaygjl/u7s1S274It6ks:mKEw8siCgBUZMXaygjl/u7s1X4It6ks
                                                            MD5:9723451D2D928730D97E2F97CD7B4219
                                                            SHA1:76581DD16007A6789C66BEFB995947F85464BE64
                                                            SHA-256:5F565A5AFDE7A3FE5EBF948DEAAEC4C10C388A5B400058DE7810F2216834D0FF
                                                            SHA-512:B5807A04106720BB04D5F6022448BA2801A410001E65434BB34218002A525A520747BA0D6F69E83D3C886811080798FCB74F6BC690145C8C2F0742B17B688940
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.9.8.2.8.6.2.7.3.0.2.0.1.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.9.8.2.8.6.3.3.2.0.8.2.1.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.e.f.2.7.8.c.-.f.1.a.4.-.4.e.5.e.-.b.c.9.3.-.7.0.b.6.9.7.6.b.6.4.8.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.4.d.4.4.e.9.-.f.e.c.3.-.4.3.2.c.-.8.a.f.1.-.f.9.b.7.7.5.c.4.8.6.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.d.d.I.n.P.r.o.c.e.s.s.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.d.d.I.n.P.r.o.c.e.s.s.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.4.0.-.0.0.0.1.-.0.0.1.b.-.d.5.a.e.-.4.7.7.3.5.6.c.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.f.d.5.e.1.2.8.2.3.d.6.b.d.e.a.c.7.2.a.5.5.8.e.7.d.d.e.9.2.2.4.0.0.0.0.0.9.0.4.!.0.0.0.0.9.0.d.f.7.1.9.2.4.1.c.e.0.4.8.2.8.f.0.d.d.4.d.3.1.d.6.8.3.f.
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER3238.tmp.dmp
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Mini DuMP crash report, 14 streams, Wed Oct 27 17:17:07 2021, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):18720
                                                            Entropy (8bit):2.0512571341984205
                                                            Encrypted:false
                                                            SSDEEP:96:5m8E8NGYEzOyTKQ3oi7w3dzDIv/s150Fph5slq6V6WInWIXmIxfoR9:LLnyTrYO4DIHsf0Fph5so6VQQR9
                                                            MD5:F7A67AB13011CC43BA7B15546333E554
                                                            SHA1:FF99D5810DDC3B81754689ADFEAD510CBF67DA05
                                                            SHA-256:29DF56695837E3C39BBC0E17393DC573BD47407CE3124C33F1B8DDFAF9E26714
                                                            SHA-512:CBE4F8603138F692D346ACE839FC9CEFA1C9A1EDE780203D51C351FFCD01D3154506AF6374653F91FF915E67865CB58E1672B2B18081DC6F98DBBF7C1C91EA9E
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: MDMP....... .........ya............4...............<.......T...............T.......8...........T...........@....A...........................................................................................U...........B......t.......GenuineIntelW...........T.......@.....ya.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER3594.tmp.WERInternalMetadata.xml
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8370
                                                            Entropy (8bit):3.6984128708779505
                                                            Encrypted:false
                                                            SSDEEP:192:Rrl7r3GLNixPs6NI6YEc62gmfrUSm+prP89bf7sfI1m:RrlsNixU6i6Y362gmfrUSafAf3
                                                            MD5:8748348ACF1A6DA9CB8C56BF4A5E7DB6
                                                            SHA1:DFA6C81985894F466BCF129AD81F122B9D907D83
                                                            SHA-256:6CF183CEA7703BAE591C5AF547C7AC4D9B5026BBBE4B3720C03A6FD6C7790123
                                                            SHA-512:86749EEB44D3CAEAAECE2884376FFFADB06FEAC44D011F8BBF2FE1944A558F0165D798B7D10C65429BC7EDA732C0E90F30903519FC8C1C3A60DE3C0B9B35ECA0
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.9.6.<./.P.i.d.>.......
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER38E1.tmp.xml
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4803
                                                            Entropy (8bit):4.5049844183947
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwSD8zsqJgtWI9MM/JWSC8BK8fm8M4JfT9TMFke+q8vS9T34/Jrb7gr/Ad:uITf4rM/4SN5JJdeKA34/tHmId
                                                            MD5:ACE9918A9C8AB3FDF3BB826FBFD4CCE6
                                                            SHA1:FB447B8761236B2B64785E561D53D5E1372A3581
                                                            SHA-256:D086AFDF166922883DBB1CE3277A72839E1C700ADD639461610498013254CC10
                                                            SHA-512:9AFDC44C68B8A187DCC36E99ACB9E60E38666796D17C64A66A814B67F14530CBFF5F9FFA37EB30101B567A2BC916B62E66B96A76036C656E819FBEC37694445A
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1228467" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X4WVDz35mI.exe.log
                                                            Process:C:\Users\user\Desktop\X4WVDz35mI.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1402
                                                            Entropy (8bit):5.338819835253785
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoesX3:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoe
                                                            MD5:F2152F0304453BCFB93E6D4F93C3F0DC
                                                            SHA1:DD69A4D7F9F9C8D97F1DF535BA3949E9325B5A2F
                                                            SHA-256:5A4D59CD30A1AF620B87602BC23A3F1EFEF792884053DAE6A89D1AC9AAD4A411
                                                            SHA-512:02402D9EAA2DF813F83A265C31D00048F84AD18AE23935B428062A9E09B173B13E93A3CACC6547277DA6F937BBC413B839620BA600144739DA37086E03DD8B4F
                                                            Malicious:true
                                                            Reputation:moderate, very likely benign file
                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                            C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                            Process:C:\Users\user\Desktop\X4WVDz35mI.exe
                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):42080
                                                            Entropy (8bit):6.2125074198825105
                                                            Encrypted:false
                                                            SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                            MD5:F2A47587431C466535F3C3D3427724BE
                                                            SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                            SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                            SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Metadefender, Detection: 0%
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: 583475.exe, Detection: malicious
                                                            • Filename: NewOrderPDF.exe, Detection: malicious
                                                            • Filename: DHLExpress_Shipment101909.exe, Detection: malicious
                                                            • Filename: Niki-Gmbh Germany Inquiry.exe, Detection: malicious
                                                            • Filename: Enquiry MW886079 ( Flowstar.CO.UK ).exe, Detection: malicious
                                                            • Filename: Order18102021.exe, Detection: malicious
                                                            • Filename: DHL_Ship_152021.exe, Detection: malicious
                                                            • Filename: DO854.exe, Detection: malicious
                                                            • Filename: DrAlj265av.exe, Detection: malicious
                                                            • Filename: masa_prot.exe, Detection: malicious
                                                            • Filename: 75lT7DuXrs.exe, Detection: malicious
                                                            • Filename: dark.exe, Detection: malicious
                                                            • Filename: tortilla.exe, Detection: malicious
                                                            • Filename: dark.exe, Detection: malicious
                                                            • Filename: 2xYyRwsd4z.exe, Detection: malicious
                                                            • Filename: bNaLNMv3po.exe, Detection: malicious
                                                            • Filename: uUdLeF2vh0.exe, Detection: malicious
                                                            • Filename: DHL_Express1102021.exe, Detection: malicious
                                                            • Filename: VsRff7UbXL.exe, Detection: malicious
                                                            • Filename: DHL_Shipment_20210621.exe, Detection: malicious
                                                            Reputation:moderate, very likely benign file
                                                            C:\Windows\appcompat\Programs\Amcache.hve
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:MS Windows registry file, NT/2000 or above
                                                            Category:dropped
                                                            Size (bytes):1572864
                                                            Entropy (8bit):4.2433181593587035
                                                            Encrypted:false
                                                            SSDEEP:12288:O6qS53JF5DPZ/r43RQ9eQctCCNIiguQYaLKujm/+bHQs0JjX:/qS53JF5DPtr43ZMC
                                                            MD5:89EF13BD755EB7B503C7784278A5894C
                                                            SHA1:AE9EAEA56FBABF472DCEF98801AE374EDBC1020F
                                                            SHA-256:A3A1BC0271142DCA020E9A899D0310F896F78960CC5370D2B267517CEBB365FA
                                                            SHA-512:95B1A674D3E482663E0FC77F168E47A9DA94EBA338619E4AF40DD03CFDCA11771FD4A6CA4074F32C512EF0B51A29470E33A21D76C6E8F1F8ACF1B1B61E6F63B8
                                                            Malicious:false
                                                            Reputation:low
                                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:MS Windows registry file, NT/2000 or above
                                                            Category:dropped
                                                            Size (bytes):20480
                                                            Entropy (8bit):3.42130999489111
                                                            Encrypted:false
                                                            SSDEEP:384:7rx5K5Zmv4KgnVVeeDzeO1NKZtjGT8G2w3lrfcclvcYNOu:XvKAg/eeDzegNYtjjG2w33cY8
                                                            MD5:08B74070DBF03A32DFD8A9A5D921609A
                                                            SHA1:C8D521563F990EFBE01FF14329BF3E910C38D57E
                                                            SHA-256:ACD0368F730393180FAE598ECBB3081CB3FF332D469AA536C6A996111A24C86C
                                                            SHA-512:B13CAB7F228946B5072DC436E16E26771142741A978DE78C4083BC1AE453D4C73EF1F15BFF6EC5026F7878EDCBE5A2FFE7840957D06A27735E364A26AAD693EF
                                                            Malicious:false
                                                            Reputation:low

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):6.298569674665354
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:X4WVDz35mI.exe
                                                            File size:1091072
                                                            MD5:36d837ee33175839b0fe83c09b5098d4
                                                            SHA1:735a4d10a58adab64deef3f4a63104d40dd8586a
                                                            SHA256:a5731442f5716f83eca02e956d6ec3c42aca7eda54eea7643cf18f95d6817546
                                                            SHA512:47623b569c18c35fb2da1860d58e483a22f1edde72efb1ed0575255e9dbf2dcc3c0463c6c774488cde0c6eaa4e91eb7d63a4bdd0350eb8c03cd1dc6911fb830c
                                                            SSDEEP:24576:y0x9FdgxqOhvSj8aSC5dAMlOddPBDxHT7mS:yYgxqOhELOddPHz7

                                                            File Icon

                                                            Icon Hash:00828e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x50ba4e
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                            Time Stamp:0x2BDB24EC [Sun Apr 25 23:55:24 1993 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10b9f4 | 0x57 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x5c6 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                            Sections

                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0x109a54 | 0x109c00 | False | 0.535125933384 | data | 6.30311945482 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x10c000 | 0x5c6 | 0x600 | False | 0.418619791667 | data | 4.12085319226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0x10e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name | RVA | Size | Type | Language | Country
                                                            RT_VERSION | 0x10c0a0 | 0x33c | data | |
                                                            RT_MANIFEST | 0x10c3dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                            Imports

                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain

                                                            Version Infos

                                                            Description | Data
                                                            Translation | 0x0000 0x04b0
                                                            LegalCopyright | Copyright 2018
                                                            Assembly Version | 1.0.0.0
                                                            InternalName | DemoProject2.exe
                                                            FileVersion | 1.0.0.0
                                                            CompanyName |
                                                            LegalTrademarks |
                                                            Comments |
                                                            ProductName | DemoProject2
                                                            ProductVersion | 1.0.0.0
                                                            FileDescription | DemoProject2
                                                            OriginalFilename | DemoProject2.exe

                                                            Network Behavior

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Oct 27, 2021 19:16:25.685406923 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:25.685457945 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:25.685575008 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:25.721246004 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:25.721276999 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:25.790509939 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:25.790657997 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:25.794080019 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:25.794123888 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:25.794996977 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:25.838486910 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.099530935 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.140880108 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.172451019 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.172501087 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.172522068 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.172580957 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.172641039 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.172657967 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.172723055 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.172732115 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.174604893 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.174864054 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.175322056 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.175368071 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.175384998 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.175395012 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.175445080 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.176767111 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.178591967 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.178612947 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.178692102 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.178709030 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.179611921 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.191653013 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.191935062 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.192007065 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.192022085 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.192042112 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.192085028 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.193139076 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.197729111 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.197801113 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.197837114 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.197863102 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.197902918 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.197925091 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.198321104 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.198422909 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.200063944 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.200123072 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.200226068 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.200237989 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.200320959 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.200762033 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.201989889 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.202037096 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.202071905 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.202092886 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.203505039 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.206234932 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.206294060 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.206321001 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.206353903 CEST | 49775 | 443 | 192.168.2.4 | 142.250.185.228
                                                            Oct 27, 2021 19:16:26.206371069 CEST | 443 | 49775 | 142.250.185.228 | 192.168.2.4
                                                            Oct 27, 2021 19:16:26.206523895 CEST44349775142.250.185.228192.168.2.4
                                                            Oct 27, 2021 19:16:26.206583023 CEST49775443192.168.2.4142.250.185.228
                                                            Oct 27, 2021 19:16:26.206593037 CEST44349775142.250.185.228192.168.2.4
                                                            Oct 27, 2021 19:16:26.207067966 CEST49775443192.168.2.4142.250.185.228
                                                            Oct 27, 2021 19:16:26.207914114 CEST44349775142.250.185.228192.168.2.4
                                                            Oct 27, 2021 19:16:26.208023071 CEST44349775142.250.185.228192.168.2.4
                                                            Oct 27, 2021 19:16:26.208806038 CEST49775443192.168.2.4142.250.185.228
                                                            Oct 27, 2021 19:17:00.022914886 CEST49775443192.168.2.4142.250.185.228

                                                            UDP Packets

                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Oct 27, 2021 19:16:25.643246889 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                                            Oct 27, 2021 19:16:25.662795067 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4

                                                            DNS Queries

                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                            Oct 27, 2021 19:16:25.643246889 CEST | 192.168.2.4 | 8.8.8.8 | 0xcc7c | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)

                                                            DNS Answers

                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                            Oct 27, 2021 19:16:25.662795067 CEST | 8.8.8.8 | 192.168.2.4 | 0xcc7c | No error (0) | www.google.com | (none) | 142.250.185.228 | A (IP address) | IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • www.google.com

                                                            HTTPS Proxied Packets

                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            0 | 192.168.2.4 | 49775 | 142.250.185.228 | 443 | C:\Users\user\Desktop\X4WVDz35mI.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            2021-10-27 17:16:26 UTC | 0 | OUT | GET / HTTP/1.1
                                                            Host: www.google.com
                                                            Connection: Keep-Alive
                                                            2021-10-27 17:16:26 UTC | 0 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 27 Oct 2021 17:16:26 GMT
                                                            Expires: -1
                                                            Cache-Control: private, max-age=0
                                                            Content-Type: text/html; charset=ISO-8859-1
                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                            Server: gws
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            Set-Cookie: CONSENT=PENDING+598; expires=Fri, 27-Oct-2023 17:16:26 GMT; path=/; domain=.google.com; Secure
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
                                                            Accept-Ranges: none
                                                            Vary: Accept-Encoding
                                                            Connection: close
                                                            Transfer-Encoding: chunked
                                                            2021-10-27 17:16:26 UTC | 0 | IN | Data Raw: 34 63 37 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65
                                                            Data Ascii: 4c76<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image
                                                            2021-10-27 17:16:26 UTC | 1 | IN | Data Raw: 36 2c 31 36 33 32 30 2c 39 30 38 2c 32 2c 39 34 31 2c 31 35 37 35 36 2c 33 2c 33 34 36 2c 32 33 30 2c 31 30 31 34 2c 31 2c 35 34 34 34 2c 31 34 39 2c 31 31 33 32 33 2c 32 36 35 32 2c 34 2c 31 35 32 38 2c 32 33 30 34 2c 31 32 33 36 2c 35 32 32 36 2c 35 37 37 2c 37 34 2c 31 39 38 33 2c 32 36 32 37 2c 32 30 31 31 2c 31 33 36 31 34 2c 34 37 36 34 2c 32 36 35 38 2c 37 33 35 35 2c 33 32 2c 35 36 31 36 2c 38 30 31 32 2c 32 33 30 35 2c 36 33 38 2c 31 38 32 38 30 2c 36 35 32 2c 35 31 31 35 2c 32 35 39 30 2c 34 30 39 34 2c 33 31 33 38 2c 36 2c 39 30 38 2c 33 2c 33 35 34 31 2c 31 2c 31 31 33 37 34 2c 33 33 33 36 2c 31 38 31 34 2c 32 38 33 2c 39 31 32 2c 35 39 39 32 2c 31 35 34 32 34 2c 32 2c 32 31 2c 31 32 38 31 2c 31 37 31 35 2c 32 2c 38 34 39 36 2c 37 31 37 2c 36
                                                            Data Ascii: 6,16320,908,2,941,15756,3,346,230,1014,1,5444,149,11323,2652,4,1528,2304,1236,5226,577,74,1983,2627,2011,13614,4764,2658,7355,32,5616,8012,2305,638,18280,652,5115,2590,4094,3138,6,908,3,3541,1,11374,3336,1814,283,912,5992,15424,2,21,1281,1715,2,8496,717,6
                                                            2021-10-27 17:16:26 UTC | 2 | IN | Data Raw: 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6c 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7c 7c 68 7d 66 75 6e 63 74 69 6f 6e 20 6d 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 6e 75 6c 6c 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 6c 65 69 64 22 29 29 29 3b 29 61 3d 61 2e
                                                            Data Ascii: bhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.
                                                            2021-10-27 17:16:26 UTC | 3 | IN | Data Raw: 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61 6c 73 65 22 29 3b 61 3d 22 31 22 3d 3d 3d 63 7c 7c 22 71 22 3d 3d 3d 63 26 26 21 61 2e 65 6c 65 6d 65 6e 74 73 2e 71 2e 76 61 6c 75 65 3f 21 30 3a 21 31 7d 65 6c 73 65 20
                                                            Data Ascii: ])};google.bx=!1;google.lx=function(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a="1"===c||"q"===c&&!a.elements.q.value?!0:!1}else
                                                            2021-10-27 17:16:26 UTC | 5 | IN | Data Raw: 69 74 79 3a 68 69 64 64 65 6e 7d 23 67 62 7a 20 2e 67 62 74 63 62 7b 72 69 67 68 74 3a 30 7d 23 67 62 67 20 2e 67 62 74 63 62 7b 6c 65 66 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 62 61 63 6b 67 72 6f 75
                                                            Data Ascii: ity:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;backgrou
                                                            2021-10-27 17:16:26 UTC | 6 | IN | Data Raw: 64 64 69 6e 67 3a 31 30 70 78 20 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 32 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 74 6f 7b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61
                                                            Data Ascii: dding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgba(0,0,0,.2);-moz-box-shadow:0 2px 4px rgba
                                                            2021-10-27 17:16:26 UTC | 7 | IN | Data Raw: 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 34 73 2c 23 67 62 69 34 73 31 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 23 67 62 67 36 2e 67 62 67 74 2d 68 76 72 2c 23 67 62 67 36 2e 67 62 67 74 3a 66 6f 63 75
                                                            Data Ascii: mage:none;background-position:0 -102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4s,#gbi4s1{font-weight:bold}#gbg6.gbgt-hvr,#gbg6.gbgt:focu
                                                            2021-10-27 17:16:26 UTC | 8 | IN | Data Raw: 37 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 66 20 2e 67 62 6d 74 2c 2e 67 62 66 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69
                                                            Data Ascii: 7 !important}.gbf .gbmt,.gbf .gbmt:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:vi
                                                            2021-10-27 17:16:26 UTC | 10 | IN | Data Raw: 69 6e 64 65 78 3a 31 7d 23 67 62 64 34 20 2e 67 62 6d 68 7b 6d 61 72 67 69 6e 3a 30 7d 2e 67 62 6d 74 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63 2c 23 67 62 6d 70 61 73 20 2e 67 62 6d 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 37 70 78 7d 23 67 62 64 34 20 2e 67 62 70 67 73 20 2e 67 62 6d 74 63 7b 6c 69 6e 65 2d
                                                            Data Ascii: index:1}#gbd4 .gbmh{margin:0}.gbmtc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-
                                                            2021-10-27 17:16:26 UTC | 11 | IN | Data Raw: 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 67 62 6d 70 61 6c 62 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 36 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62
                                                            Data Ascii: xt-align:left}.gbmpalb{padding-right:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-block;padding-right:10px;margin-bottom:6px;margin-top:10px}.gb
                                                            2021-10-27 17:16:26 UTC | 12 | IN | Data Raw: 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 61 3a 3a 2d 6d 6f 7a
                                                            Data Ascii: -moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1)}.gbqfb::-moz-focus-inner,.gbqfba::-moz
                                                            2021-10-27 17:16:26 UTC | 14 | IN | Data Raw: 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30
                                                            Data Ascii: 8);background-image:-ms-linear-gradient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background-color:inherit;-webkit-box-shadow:inset 0 1px 2px rgba(0, 0
                                                            2021-10-27 17:16:26 UTC | 15 | IN | Data Raw: 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 62 66 62 66 62 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74
                                                            Data Ascii: );filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#fbfbfb));background-image:-webkit-linear-gradient
                                                            2021-10-27 17:16:26 UTC | 16 | IN | Data Raw: 6c 6f 72 3a 23 32 32 32 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b 6d 61 78 2d 68 65 69 67 68 74 3a 32 32 30 70 78 7d 23 67 62 6d 6d 7b 6d 61 78 2d 68 65 69 67 68 74 3a 35 33 30 70 78 7d 2e 67 62 73 62 7b 2d 77 65 62 6b 69 74 2d 62 6f 78
                                                            Data Ascii: lor:#222 !important}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{max-height:220px}#gbmm{max-height:530px}.gbsb{-webkit-box
                                                            2021-10-27 17:16:26 UTC | 17 | IN | Data Raw: 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f 28 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74
                                                            Data Ascii: ent(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),to(rgba(0,0,0,0)));background-image:-webkit-linear-gradient
                                                            2021-10-27 17:16:26 UTC | 19 | IN | Data Raw: 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 23 57 71 51 41 4e 62 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 31 32 70 78 7d 2e 6c 73 62 7b 62 61 63 6b 67 72 6f 75
                                                            Data Ascii: ng-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block}#WqQANb a{display:inline-block;margin:0 12px}.lsb{backgrou
                                                            2021-10-27 17:16:26 UTC | 19 | IN | Data Raw: 64 61 0d 0a 21 3d 3d 67 3f 67 3a 31 2c 6c 3d 6e 75 6c 6c 21 3d 3d 28 68 3d 66 2e 73 64 6f 29 26 26 76 6f 69 64 20 30 21 3d 3d 68 3f 68 3a 21 30 2c 6e 3d 30 2c 70 2c 71 3d 67 6f 6f 67 6c 65 2e 65 72 64 2c 74 3d 71 2e 6a 73 72 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 65 2c 6d 2c 64 29 7b 64 3d 76 6f 69 64 20 30 3d 3d 3d 64 3f 32 3a 64 3b 62 26 26 28 70 3d 61 26 26 61 2e 6d 65 73 73 61 67 65 29 3b 69 66 28 67 6f 6f 67 6c 65 2e 64 6c 29 72 65 74 75 72 6e 20 67 6f 6f 67 6c 65 2e 64 6c 28 61 2c 64 2c 65 29 2c 6e 75 6c 6c 3b 69 66 28 30 3e 74 29 7b 77 69 6e 64 6f 77 2e 63 6f 6e 73 6f 6c 65 26 26 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 0d 0a
                                                            Data Ascii: da!==g?g:1,l=null!==(h=f.sdo)&&void 0!==h?h:!0,n=0,p,q=google.erd,t=q.jsr;google.ml=function(a,b,e,m,d){d=void 0===d?2:d;b&&(p=a&&a.message);if(google.dl)return google.dl(a,d,e),null;if(0>t){window.console&&console.error
                                                            2021-10-27 17:16:26 UTC | 20 | IN | Data Raw: 37 33 32 36 0d 0a 28 61 2c 65 29 3b 69 66 28 2d 32 3d 3d 3d 74 29 74 68 72 6f 77 20 61 3b 62 3d 21 31 7d 65 6c 73 65 20 62 3d 21 61 7c 7c 21 61 2e 6d 65 73 73 61 67 65 7c 7c 22 45 72 72 6f 72 20 6c 6f 61 64 69 6e 67 20 73 63 72 69 70 74 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 7c 7c 6e 3e 3d 6b 26 26 21 6d 3f 21 31 3a 21 30 3b 69 66 28 21 62 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 6e 2b 2b 3b 65 3d 65 7c 7c 7b 7d 3b 62 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 3b 76 61 72 20 63 3d 22 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 65 69 3d 22 2b 62 28 67 6f 6f 67 6c 65 2e 6b 45 49 29 3b 67 6f 6f 67 6c 65 2e 6b 45 58 50 49 26 26 28 63 2b 3d 22 26 6a 65 78 70 69 64 3d 22 2b 62 28 67 6f 6f 67 6c 65 2e 6b 45 58 50 49 29 29 3b 63 2b 3d 22 26 73 72
                                                            Data Ascii: 7326(a,e);if(-2===t)throw a;b=!1}else b=!a||!a.message||"Error loading script"===a.message||n>=k&&!m?!1:!0;if(!b)return null;n++;e=e||{};b=encodeURIComponent;var c="/gen_204?atyp=i&ei="+b(google.kEI);google.kEXPI&&(c+="&jexpid="+b(google.kEXPI));c+="&sr
                                                            2021-10-27 17:16:26 UTC | 21 | IN | Data Raw: 6e 74 29 61 2e 61 74 74 61 63 68 45 76 65 6e 74 28 64 2c 63 29 3b 65 6c 73 65 7b 76 61 72 20 66 3d 61 5b 64 5d 3b 61 5b 64 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6b 3d 66 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 2c 6d 3d 63 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 6b 3f 6d 3a 76 6f 69 64 20 30 3d 3d 6d 3f 6b 3a 6d 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61 3d 5f 74 76 76 3b 68 2e
                                                            Data Ascii: nt)a.attachEvent(d,c);else{var f=a[d];a[d]=function(){var k=f.apply(this,arguments),m=c.apply(this,arguments);return void 0==k?m:void 0==m?k:m&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a=_tvv;h.
                                                            2021-10-27 17:16:26 UTC | 22 | IN | Data Raw: 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22 6d 64 69 22 2c 6c 61 29 3b 70 28 22 62 6e 63 22 2c 77 29 3b 70 28 22 71 47 43 22 2c 74 61 29 3b 70 28 22 71 6d 22 2c 42 29 3b 70 28 22 71 64 22 2c 78 29 3b 70 28 22 6c 62 22 2c 44 29 3b 70 28 22 6d 63 66 22 2c 70 61 29 3b 70 28 22 62 63 66 22 2c 6f 61 29 3b 70 28 22 61 71 22 2c 41 29 3b 70 28 22 6d 64 64 22 2c 22 22 29 3b 0a 70 28 22 68 61 73 22 2c 71 61 29 3b 70 28 22 74 72 68 22 2c 76 61 29 3b 70 28 22 74 65 76 22 2c 73 61 29 3b 69 66 28 68 2e 61 28 22 6d 3b 2f 5f 2f 73 63 73 2f 61 62 63 2d 73 74 61 74 69 63 2f 5f 2f 6a 73 2f 6b 3d 67 61 70
                                                            Data Ascii: b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("mdi",la);p("bnc",w);p("qGC",ta);p("qm",B);p("qd",x);p("lb",D);p("mcf",pa);p("bcf",oa);p("aq",A);p("mdd","");p("has",qa);p("trh",va);p("tev",sa);if(h.a("m;/_/scs/abc-static/_/js/k=gap
                                                            2021-10-27 17:16:26 UTC | 23 | IN | Data Raw: 72 20 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 2c 22 26 6a 65 78 70 69 64 3d 22 2c 64 28 22 32 38 38 33 34 22 29 2c 22 26 73 72 63 70 67 3d 22 2c 64 28 22 70 72 6f 70 3d 31 22 29 2c 22 26 6a 73 72 3d 22 2c 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 46 61 29 2c 22 26 6f 67 65 76 3d 22 2c 64 28 22 61 6f 6c 35 59 65 47 57 43 4d 4b 52 78 63 38 50 70 4f 36 37 34 41 6b 22 29 2c 22 26 6f 67 66 3d 22 2c 67 2e 62 76 2e 66 2c 22 26 6f 67 72 70 3d 22 2c 64 28 22 22 29 2c 22 26 6f 67 76 3d 22 2c 64 28 22 34 30 35 32 39 35 34 37 31 2e 30 22 29 2c 22 26 6f 67 67 76 3d 22
                                                            Data Ascii: r d=encodeURIComponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Date).getTime(),"&jexpid=",d("28834"),"&srcpg=",d("prop=1"),"&jsr=",Math.round(1/Fa),"&ogev=",d("aol5YeGWCMKRxc8PpO674Ak"),"&ogf=",g.bv.f,"&ogrp=",d(""),"&ogv=",d("405295471.0"),"&oggv="
                                                            2021-10-27 17:16:26 UTC | 25 | IN | Data Raw: 73 39 69 42 62 44 47 34 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 74 6c 2d 69 55 75 6d 6c 34 79 34 62 52 68 75 69 63 4e 5a 62 30 63 52 63 32 5a 37 41 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74 3d 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 26 62 75 73 74 3d 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 69 30 52 68 38 2d 6c 31 44 4e 34 2e 44 55 22 29 3b 61 3d 61 2e 6a 6f 69 6e 28 22 22 29 3b 72 61 28 61 29 7d 3b 70 28 22 63 61 22 2c 4a 29 3b 70 28 22 63 72 22 2c 4b 29 3b 70 28 22 63 63 22 2c 48 29 3b 68 2e 6b 3d 4a 3b 68 2e 6c 3d 4b 3b 68 2e 6d 3d 48 3b 68 2e 6e 3d 4c 61 3b 68 2e 70 3d 4e 61 3b 68 2e 71 3d 4d 61 3b 76 61 72 20 4f 61 3d 5b 22 67 62 5f 37 31 22 2c 22 67 62 5f 31 35 35 22 5d 2c 50
                                                            Data Ascii: s9iBbDG4.O","/rt=j/m=",a,"/rs=","AA2YrTtl-iUuml4y4bRhuicNZb0cRc2Z7A"];Ka&&a.push("?host=www.gstatic.com&bust=og.og2.en_US.i0Rh8-l1DN4.DU");a=a.join("");ra(a)};p("ca",J);p("cr",K);p("cc",H);h.k=J;h.l=K;h.m=H;h.n=La;h.p=Na;h.q=Ma;var Oa=["gb_71","gb_155"],P
                                                            2021-10-27 17:16:26 UTC26INData Raw: 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6c 26 26 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4b 28 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 22 67 62 74 6f 22 29 7d 7d 7d 5a 61 28 66 29 26 26 24 61 28 66 29 3b 4f 3d 64 3b 4a 28 6b 2c 22 67 62 74 6f 22 29 7d 7d 7d 7d 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 74 67 28 61 2c 62 2c 21 30 29 7d 29 3b 61 62 28 61 29 7d 63 61 74 63 68 28 71 29 7b 72 28 71 2c 22 73 62 22 2c 22 74 67 22 29 7d 7d 2c 63 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 63 6c 6f 73 65 28 61 29 7d 29 7d 2c 64 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 66
                                                            Data Ascii: ("aria-owner");if(n.length){var l=document.getElementById(n);l&&l.parentNode&&K(l.parentNode,"gbto")}}}Za(f)&&$a(f);O=d;J(k,"gbto")}}}}B(function(){g.tg(a,b,!0)});ab(a)}catch(q){r(q,"sb","tg")}},cb=function(a){B(function(){g.close(a)})},db=function(a){B(f
                                                            2021-10-27 17:16:26 UTC27INData Raw: 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63 68 28 44 62 29 7b 72 28 44 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c 65 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 62 2e 6c 65 6e 67 74 68 2c 0a 64 3d 30 3b 64 3c 63 3b 64 2b 2b 29 69 66 28 48 28 61 2c 62 5b 64 5d 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 67 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 66 62 28 61 2c 62 2c 63 29 7d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 62 28 61 2c 22 67 62 65 22 2c 62 29 7d 2c 69 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 63 6d 26 26 67 2e
                                                            Data Ascii: .addHover&&g.addHover(a)}else k.appendChild(m)}}catch(Db){r(Db,"sb","al")}},eb=function(a,b){for(var c=b.length,d=0;d<c;d++)if(H(a,b[d]))return!0;return!1},gb=function(a,b,c){fb(a,b,c)},hb=function(a,b){fb(a,"gbe",b)},ib=function(){B(function(){g.pcm&&g.
                                                            2021-10-27 17:16:26 UTC28INData Raw: 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 63 7d 2c 50 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 70 62 26 26 77 69 6e 64 6f 77 2e 63 6c 65 61 72 54 69 6d 65 6f 75 74 28 70 62 29 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 69 6e 6e 65 72 22 2b 61 3b 61 3d 22 6f 66 66 73 65 74 22 2b 61 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 5b 62 5d 3f 77 69 6e 64 6f 77 5b 62 5d 3a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 26 26 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3f 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e
                                                            Data Ascii: a){for(var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg"))return c},P=function(){pb&&window.clearTimeout(pb)},tb=function(a){var b="inner"+a;a="offset"+a;return window[b]?window[b]:document.documentElement&&document.documentElement[a]?document.documentElemen
                                                            2021-10-27 17:16:26 UTC30INData Raw: 29 29 7d 3b 70 28 22 6c 47 43 22 2c 42 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28 22 6c 50 57 46 22 2c 42 62 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54 3d 22 22 3b 69 66 28 68 2e 61 28 22 31 22 29 26 26 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 43 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 62 28 66 75 6e 63 74 69 6f 6e 28 29 7b 41 28 22 70 77 22 2c 61 29 3b 44 28 22 70 77 22 29 7d 29 7d 3b 70 28 22 6c 50 57 22 2c 43 62 29 3b 77 2e 70 75 73 68 28 5b 22 70 77 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 70 77 6d 5f 34 35 66 37 33 65 34 64 66 30 37 61 30 65 33 38 38 62 30 66 61 31 66 33 64 33 30 65 37 32 38 30 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 62 3d 5b 5d 2c 46 62 3d 66 75 6e 63 74 69
                                                            Data Ascii: ))};p("lGC",Bb);h.a("1")&&p("lPWF",Bb)};window.__PVT="";if(h.a("1")&&h.a("1")){var Cb=function(a){Bb(function(){A("pw",a);D("pw")})};p("lPW",Cb);w.push(["pw",{url:"//ssl.gstatic.com/gb/js/abc/pwm_45f73e4df07a0e388b0fa1f3d30e7280.js"}]);var Eb=[],Fb=functi
                                                            2021-10-27 17:16:26 UTC31INData Raw: 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78 3d 22 2c 6b 2c 22 26 6f 67 65 76 3d 22 2c 6d 2c 22 26 6f 67 66 3d 22 2c 6c 2c 22 26 6f 67 70 3d 22 2c 71 2c 22 26 6f 67 72 70 3d 22 2c 6e 2c 22 26 6f 67 73 72 3d 22 2c 63 2c 22 26 6f 67 76 3d 22 2c 45 2c 55 2c 22 26 6f 67 64 3d 22 2c 49 2c 22 26 6f 67 6c 3d 22 2c 56 2c 22 26 6f 67 63 3d 22 2c 57 2c 22 26 6f 67 75 73 3d 22 2c 79 5d 3b 69 66 28 62 29 7b 22 6f 67 77 22 69 6e 20 62 26 26 28 61 2e 70 75
                                                            Data Ascii: GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",f,"&oge=",a,"&ogex=",k,"&ogev=",m,"&ogf=",l,"&ogp=",q,"&ogrp=",n,"&ogsr=",c,"&ogv=",E,U,"&ogd=",I,"&ogl=",V,"&ogc=",W,"&ogus=",y];if(b){"ogw"in b&&(a.pu
                                                            2021-10-27 17:16:26 UTC32INData Raw: 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 65 6c 65 67 61 74 65 64 29 22 2c 6d 64 3a 22 25 31 24 73 20 28 64 65 66 61 75 6c 74 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 59 62 2c 70 70 6c 3a 68 2e 61 28 22 22 29 2c 70 70 61 3a 68 2e 61 28 22 22 29 2c 0a 70 70 6d 3a 22 47 6f 6f 67 6c 65 2b 20 70 61 67 65 22 7d 3b 76 2e 70 72 66 3d 24 62 7d 3b 76 61 72 20 53 2c 61 63 2c 54 2c 62 63 2c 58 3d 30 2c 63 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 2e 69 6e 64 65 78 4f 66 29 72 65 74 75 72 6e 20 61 2e 69 6e 64 65 78 4f 66 28 62 2c 63 29 3b 69 66 28 41 72 72 61
                                                            Data Ascii: eusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (delegated)",md:"%1$s (default)",mh:"220",s:"1",pp:Yb,ppl:h.a(""),ppa:h.a(""),ppm:"Google+ page"};v.prf=$b};var S,ac,T,bc,X=0,cc=function(a,b,c){if(a.indexOf)return a.indexOf(b,c);if(Arra
                                                            2021-10-27 17:16:26 UTC34INData Raw: 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 69 63 28 64 6f 63 75 6d 65 6e 74 29 7c 7c 28 64 7c 7c 28 62 3d 22 6f 67 2d 75 70 2d 22 2b 62 29 2c 6a 63 28 29 3f 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 73 65 74 49 74 65 6d 28 62 2c 63 29 3a 6b 63 28 61 29 26 26 28 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 62 2c 63 29 2c 61 2e 73 61 76 65 28 61 2e 69 64 29 29 29 7d 63 61 74 63 68 28 66 29 7b 66 2e 63 6f 64 65 21 3d 44 4f 4d 45 78 63 65 70 74 69 6f 6e 2e 51 55 4f 54 41 5f 45 58 43 45 45 44 45 44 5f 45 52 52 26 26 72 28 66 2c 22 75 70 22 2c 22 73 70 64 22 29 7d 7d 2c 6d 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c
                                                            Data Ascii: .behavior&&"undefined"!=typeof a.load},lc=function(a,b,c,d){try{ic(document)||(d||(b="og-up-"+b),jc()?e.localStorage.setItem(b,c):kc(a)&&(a.setAttribute(b,c),a.save(a.id)))}catch(f){f.code!=DOMException.QUOTA_EXCEEDED_ERR&&r(f,"up","spd")}},mc=function(a,
                                                            2021-10-27 17:16:26 UTC35INData Raw: 75 72 6c 26 26 72 61 28 6c 5b 31 5d 2e 75 72 6c 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 6c 5b 31 5d 2e 6c 69 62 73 29 29 3b 6d 3c 6b 2e 6c 65 6e 67 74 68 26 26 73 65 74 54 69 6d 65 6f 75 74 28 61 2c 30 29 7d 66 75 6e 63 74 69 6f 6e 20 62 28 29 7b 30 3c 66 2d 2d 3f 73 65 74 54 69 6d 65 6f 75 74 28 62 2c 30 29 3a 61 28 29 7d 76 61 72 20 63 3d 68 2e 61 28 22 31 22 29 2c 64 3d 68 2e 61 28 22 22 29 2c 66 3d 33 2c 6b 3d 77 2c 6d 3d 30 2c 6e 3d 77 69 6e 64 6f 77 2e 67 62 61 72 4f 6e 52 65 61 64 79 3b 69 66 28 6e 29 74 72 79 7b 6e 28 29 7d 63 61 74 63 68 28 6c 29 7b 72 28 6c 2c 22 6d 6c 22 2c 22 6f 72 22 29 7d 64 3f 70 28 22 6c 64 62 22 2c 61 29 3a 63 3f 63 61 28 77 69 6e 64 6f 77 2c 22 6c 6f 61 64 22 2c 62 29 3a 62 28 29 7d 70 28 22
                                                            Data Ascii: url&&ra(l[1].url,l[0]),l[1].libs&&C&&C(l[1].libs));m<k.length&&setTimeout(a,0)}function b(){0<f--?setTimeout(b,0):a()}var c=h.a("1"),d=h.a(""),f=3,k=w,m=0,n=window.gbarOnReady;if(n)try{n()}catch(l){r(l,"ml","or")}d?p("ldb",a):c?ca(window,"load",b):b()}p("
                                                            2021-10-27 17:16:26 UTC36INData Raw: 67 62 6d 74 5c 62 2f 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 67 29 2c 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 61 29 3b 62 26 26 66 2e 6c 28 62 2c 68 2e 74 65 73 74 28 62 2e 63 6c 61 73 73 4e 61 6d 65 29 3f 22 67 62 6d 30 6c 22 3a 22 67 62 7a 30 6c 22 29 3b 63 26 26 66 2e 6b 28 63 2c 68 2e 74 65 73 74 28 63 2e 63 6c 61 73 73 4e 61 6d 65 29 3f 22 67 62 6d 30 6c 22 3a 22 67 62 7a 30 6c 22 29 7d 63 61 74 63 68 28 6c 29 7b 64 28 6c 2c 22 73 6a 22 2c 22 73 73 70 22 29 7d 67 3d 61 7d 2c 6d 3d 65 2e 71 73 2c 6e 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 61 2e 68 72 65 66
                                                            Data Ascii: gbmt\b/,k=function(a){try{var b=document.getElementById("gb_"+g),c=document.getElementById("gb_"+a);b&&f.l(b,h.test(b.className)?"gbm0l":"gbz0l");c&&f.k(c,h.test(c.className)?"gbm0l":"gbz0l")}catch(l){d(l,"sj","ssp")}g=a},m=e.qs,n=function(a){var b=a.href
                                                            2021-10-27 17:16:26 UTC37INData Raw: 63 74 2e 70 72 6f 74 6f 74 79 70 65 5b 6c 5d 3f 6b 5b 6c 5d 3a 6b 5b 6c 5d 3d 7b 7d 3a 6b 5b 6c 5d 3d 67 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 77 69 6e 64 6f 77 2e 67 62 61 72 2e 72 64 6c 28 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72
                                                            Data Ascii: ct.prototype[l]?k[l]:k[l]={}:k[l]=g;}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/window.gbar.rdl();}catch(e){window.gbar
                                                            2021-10-27 17:16:26 UTC39INData Raw: 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 37 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 38 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 50 6c 61 79 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 33 36 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 3f 67 6c 3d 47 42 26 74 61 62 3d 77 31 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74
                                                            Data Ascii: bt><a class=gbzt id=gb_78 href="https://play.google.com/?hl=en&tab=w8"><span class=gbtb2></span><span class=gbts>Play</span></a></li><li class=gbt><a class=gbzt id=gb_36 href="https://www.youtube.com/?gl=GB&tab=w1"><span class=gbtb2></span><span class=gbt
                                                            2021-10-27 17:16:26 UTC40INData Raw: 6c 65 6e 64 61 72 3f 74 61 62 3d 77 63 22 3e 43 61 6c 65 6e 64 61 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 35 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 6e 73 6c 61 74 65 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 54 22 3e 54 72 61 6e 73 6c 61 74 65 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 31 30 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 6f 6f 6b 73 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 70 22 3e 42 6f 6f 6b 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d
                                                            Data Ascii: lendar?tab=wc">Calendar</a></li><li class=gbmtc><a class=gbmt id=gb_51 href="https://translate.google.co.uk/?hl=en&tab=wT">Translate</a></li><li class=gbmtc><a class=gbmt id=gb_10 href="https://books.google.co.uk/?hl=en&tab=wp">Books</a></li><li class=gbm
                                                            2021-10-27 17:16:26 UTC41INData Raw: 20 63 6c 61 73 73 3d 67 62 78 78 3e 41 63 63 6f 75 6e 74 20 4f 70 74 69 6f 6e 73 3c 2f 68 32 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 63 6c 61 73 73 3d 67 62 74 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 74 61 72 67 65 74 3d 5f 74 6f 70 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 63 63 6f 75 6e 74 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 53 65 72 76 69 63 65 4c 6f 67 69 6e 3f 68 6c 3d 65 6e 26 70 61 73 73 69 76 65 3d 74 72 75 65 26 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 26 65 63 3d 47 41 5a 41 41 51 22 20 6f 6e 63 6c 69 63 6b 3d 22 67 62 61 72 2e 6c 6f 67 67 65 72 2e 69 6c 28 39 2c 7b 6c 3a 27 69 27 7d 29 22 20 69 64 3d 67 62 5f 37 30
                                                            Data Ascii: class=gbxx>Account Options</h2><span class=gbtcb></span><ol class=gbtc><li class=gbt><a target=_top href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=https://www.google.com/&ec=GAZAAQ" onclick="gbar.logger.il(9,{l:'i'})" id=gb_70
                                                            2021-10-27 17:16:26 UTC42INData Raw: 72 3d 22 61 6c 6c 22 20 69 64 3d 22 6c 67 70 64 22 3e 3c 64 69 76 20 69 64 3d 22 6c 67 61 22 3e 3c 69 6d 67 20 61 6c 74 3d 22 47 6f 6f 67 6c 65 22 20 68 65 69 67 68 74 3d 22 39 32 22 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 77 68 69 74 65 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 63 6f 6c 6f 72 5f 32 37 32 78 39 32 64 70 2e 70 6e 67 22 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 38 70 78 20 30 20 31 34 70 78 22 20 77 69 64 74 68 3d 22 32 37 32 22 20 69 64 3d 22 68 70 6c 6f 67 6f 22 3e 3c 62 72 3e 3c 62 72 3e 3c 2f 64 69 76 3e 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 73 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 66 22 3e 3c 74 61 62 6c 65 20 63 65 6c 6c
                                                            Data Ascii: r="all" id="lgpd"><div id="lga"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cell
                                                            2021-10-27 17:16:26 UTC44INData Raw: 3c 2f 73 63 72 69 70 74 3e 3c 69 6e 70 75 74 20 76 61 6c 75 65 3d 22 41 4c 73 2d 77 41 4d 41 41 41 41 41 59 58 6d 58 65 73 48 30 63 67 48 56 75 46 34 69 62 77 33 5f 5a 39 61 6f 32 39 70 47 47 30 6c 44 22 20 6e 61 6d 65 3d 22 69 66 6c 73 69 67 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 74 64 3e 3c 74 64 20 63 6c 61 73 73 3d 22 66 6c 20 73 62 6c 63 22 20 61 6c 69 67 6e 3d 22 6c 65 66 74 22 20 6e 6f 77 72 61 70 3d 22 22 20 77 69 64 74 68 3d 22 32 35 25 22 3e 3c 61 20 68 72 65 66 3d 22 2f 61 64 76 61 6e 63 65 64 5f 73 65 61 72 63 68 3f 68 6c 3d 65 6e 2d 47 42 26 61 6d 70 3b 61 75 74 68 75 73 65 72 3d 30 22 3e 41 64 76 61 6e 63 65 64 20 73 65 61 72 63 68 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61
                                                            Data Ascii: </script><input value="ALs-wAMAAAAAYXmXesH0cgHVuF4ibw3_Z9ao29pGG0lD" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=en-GB&amp;authuser=0">Advanced search</a></td></tr></ta
                                                            2021-10-27 17:16:26 UTC45INData Raw: 4a 6d 36 4d 25 33 44 22 3e 47 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 70 74 3b 63 6f 6c 6f 72 3a 23 37 30 37 35 37 61 22 3e 26 63 6f 70 79 3b 20 32 30 32 31 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 70 6f 6c 69 63 69 65 73 2f 70 72 69 76 61 63 79 2f 22 3e 50 72 69 76 61 63 79 3c 2f 61 3e 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 3c 2f 61 3e 3c 2f 70 3e 3c 2f 73 70 61 6e 3e 3c 2f 63 65 6e 74 65 72 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 39 71 55 75 78 34 62 78 79 75 72 70 6f 37 41 69 30 39 4b 43 64 67 3d 3d 22 3e 28 66 75 6e 63 74 69 6f 6e
                                                            Data Ascii: Jm6M%3D">Google.co.uk</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2021 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="9qUux4bxyurpo7Ai09KCdg==">(function
                                                            2021-10-27 17:16:26 UTC46INData Raw: 3d 62 2e 63 6f 6e 74 65 6e 74 54 79 70 65 26 26 28 63 3d 63 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 63 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 63 29 3b 69 66 28 76 6f 69 64 20 30 3d 3d 3d 67 29 7b 62 3d 6e 75 6c 6c 3b 76 61 72 20 6b 3d 65 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 6b 26 26 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 7b 74 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 22 67 6f 6f 67 23 68 74 6d 6c 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 66 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 66 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 66 7d 29 7d 63 61 74 63 68 28 70 29 7b 65 2e 63 6f 6e 73 6f 6c 65 26 26 65 2e 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 70 2e 6d 65 73 73 61 67 65 29 7d 67 3d 62 7d
                                                            Data Ascii: =b.contentType&&(c=c.toLowerCase());c=b.createElement(c);if(void 0===g){b=null;var k=e.trustedTypes;if(k&&k.createPolicy){try{b=k.createPolicy("goog#html",{createHTML:f,createScript:f,createScriptURL:f})}catch(p){e.console&&e.console.error(p.message)}g=b}
                                                            2021-10-27 17:16:26 UTC48INData Raw: 67 6c 65 2e 63 6f 6d 5c 78 32 32 2c 5c 78 32 32 69 73 62 68 5c 78 32 32 3a 32 38 2c 5c 78 32 32 6a 73 6f 6e 70 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 6d 73 67 73 5c 78 32 32 3a 7b 5c 78 32 32 63 69 62 6c 5c 78 32 32 3a 5c 78 32 32 43 6c 65 61 72 20 53 65 61 72 63 68 5c 78 32 32 2c 5c 78 32 32 64 79 6d 5c 78 32 32 3a 5c 78 32 32 44 69 64 20 79 6f 75 20 6d 65 61 6e 3a 5c 78 32 32 2c 5c 78 32 32 6c 63 6b 79 5c 78 32 32 3a 5c 78 32 32 49 5c 5c 75 30 30 32 36 23 33 39 3b 6d 20 46 65 65 6c 69 6e 67 20 4c 75 63 6b 79 5c 78 32 32 2c 5c 78 32 32 6c 6d 6c 5c 78 32 32 3a 5c 78 32 32 4c 65 61 72 6e 20 6d 6f 72 65 5c 78 32 32 2c 5c 78 32 32 6f 73 6b 74 5c 78 32 32 3a 5c 78 32 32 49 6e 70 75 74 20 74 6f 6f 6c 73 5c 78 32 32 2c 5c 78 32 32 70 73 72 63 5c 78 32 32 3a
                                                            Data Ascii: gle.com\x22,\x22isbh\x22:28,\x22jsonp\x22:true,\x22msgs\x22:{\x22cibl\x22:\x22Clear Search\x22,\x22dym\x22:\x22Did you mean:\x22,\x22lcky\x22:\x22I\\u0026#39;m Feeling Lucky\x22,\x22lml\x22:\x22Learn more\x22,\x22oskt\x22:\x22Input tools\x22,\x22psrc\x22:
                                                            2021-10-27 17:16:26 UTC48INData Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Code Manipulations

                                                            Statistics

                                                            CPU Usage

                                                            Memory Usage

                                                            High Level Behavior Distribution

                                                            Behavior

                                                            System Behavior

                                                            General

                                                            Start time:19:16:23
                                                            Start date:27/10/2021
                                                            Path:C:\Users\user\Desktop\X4WVDz35mI.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:'C:\Users\user\Desktop\X4WVDz35mI.exe'
                                                            Imagebase:0x330000
                                                            File size:1091072 bytes
                                                            MD5 hash:36D837EE33175839B0FE83C09B5098D4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.756711736.0000000003887000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.756640614.000000000381B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.756889780.0000000003953000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:19:16:59
                                                            Start date:27/10/2021
                                                            Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                            Imagebase:0x400000
                                                            File size:42080 bytes
                                                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.780255110.00000000005D1000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.753256685.00000000005D1000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.744326016.00000000005D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.752638358.00000000005D1000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.744906566.00000000005D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Antivirus matches:
                                                            • Detection: 0%, Metadefender, Browse
                                                            • Detection: 0%, ReversingLabs
                                                            Reputation:moderate

                                                            General

                                                            Start time: 19:17:05
                                                            Start date: 27/10/2021
                                                            Path: C:\Windows\SysWOW64\WerFault.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 172
                                                            Imagebase: 0x8e0000
                                                            File size: 434592 bytes
                                                            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: high

                                                            Disassembly

                                                            Code Analysis

                                                              Executed Functions
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751608495.0000000000CFD000.00000040.00000001.sdmp, Offset: 00CFD000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0d48e9981158164aa6ba9676ba6c3d06ecf2318b418e13be1241e37e0f6e38f
                                                              • Instruction ID: 751463b9ec8bdd66cbcb4b9ec89eebc15813fab8717f33fe95a74d3db8aee5fc
                                                              • Opcode Fuzzy Hash: d0d48e9981158164aa6ba9676ba6c3d06ecf2318b418e13be1241e37e0f6e38f
                                                              • Instruction Fuzzy Hash: 93F0C271404388AEE7508E05CCC4B66FB98EB81774F18C55AEE485F286C3789844CAB2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751703450.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bdddd1f8cb401ead835892c54a93ef6984043e4388f915a1316af59219ef68a
                                                              • Instruction ID: c38205b435536bb327bdf8e51c67e8aa33ae060a290f4cc16ee9791ef99d1b9b
                                                              • Opcode Fuzzy Hash: 3bdddd1f8cb401ead835892c54a93ef6984043e4388f915a1316af59219ef68a
                                                              • Instruction Fuzzy Hash: BBF09030F40229ABCB10AB98A8096AE7675EB45B50F104036E507F7384CAB58D00CFC3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751082637.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true
                                                              • Associated: 00000000.00000002.751076257.0000000000330000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1b72f83a860e71cb1cb0fc8a41a8ead9688278bb9db321829cf80d3b90c76f5
                                                              • Instruction ID: 02db1425350c1428003788b856568605176ec9843ca89bd541e801f0e657fa34
                                                              • Opcode Fuzzy Hash: b1b72f83a860e71cb1cb0fc8a41a8ead9688278bb9db321829cf80d3b90c76f5
                                                              • Instruction Fuzzy Hash: B503C26294D1C59FCB176BBCA8E16E17FB0ED7B208B1E19C2D4C04F463E12862A7E745
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751082637.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true
                                                              • Associated: 00000000.00000002.751076257.0000000000330000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9b8482f55fbba3c750c4c56c84449ebf9b59b83e98a2d8c5649eae15deed60ee
                                                              • Instruction ID: 5ccadff6ed1b14d46b42bfa97b9667a69dc6908f719fcbfcd2616d94494ac08f
                                                              • Opcode Fuzzy Hash: 9b8482f55fbba3c750c4c56c84449ebf9b59b83e98a2d8c5649eae15deed60ee
                                                              • Instruction Fuzzy Hash: 2EE1915254D1C69FCB132B7CA8E11E2BFB0DD6F208B6E1AC2D4C01F463E16861A7E744
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751082637.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true
                                                              • Associated: 00000000.00000002.751076257.0000000000330000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7daf7482a6b5b788f30ec184d5e00c65a228dd3b140e38bb5e8f33801c203bd5
                                                              • Instruction ID: 927ee2813b1399383f385319f598fd8026df752b14ed7c76bcb074cadce09af0
                                                              • Opcode Fuzzy Hash: 7daf7482a6b5b788f30ec184d5e00c65a228dd3b140e38bb5e8f33801c203bd5
                                                              • Instruction Fuzzy Hash: B5D1B66254D2C59FC703AB78D8E16D17FF0EE6B214B1E19C2D4C09F163E228A5A7E711
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751082637.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true
                                                              • Associated: 00000000.00000002.751076257.0000000000330000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 386a83cb716c56718d385f89b480bfb805d4c99df4df2d870067c48146f90152
                                                              • Instruction ID: 644f6df135d96bf650c51139931d0f7b40e6bf4b0432c3e3d1ae38c208062555
                                                              • Opcode Fuzzy Hash: 386a83cb716c56718d385f89b480bfb805d4c99df4df2d870067c48146f90152
                                                              • Instruction Fuzzy Hash: ADE1A26254D1C19FCB076B78A8E56E17FB0EE7B218B1E09C2D4C11F427E16C66A7E704
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751082637.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true
                                                              • Associated: 00000000.00000002.751076257.0000000000330000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f79ff1167b4495626eaa08cafdfa4b2e11e1a3d015b5a7d70ea1a72cdfa43d2
                                                              • Instruction ID: aabbf6be3f7e66f8b6fd793a8db29139cab18f3e1109dea4d0c14a4bcb917df2
                                                              • Opcode Fuzzy Hash: 7f79ff1167b4495626eaa08cafdfa4b2e11e1a3d015b5a7d70ea1a72cdfa43d2
                                                              • Instruction Fuzzy Hash: A3D1CA6194E3C19FCB172B78A8E55D5BFB0ED6B218B1E05C2C0C09E4A7F12C1AABD715
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751082637.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true
                                                              • Associated: 00000000.00000002.751076257.0000000000330000.00000002.00020000.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8a9f32246bc6488c105040ace2660f91d198980a3a108bd80b85c192f0036b1
                                                              • Instruction ID: f076062ae58a44042e9a4ddbfe2508d646f7f4c4e37eb61f204a17b5c0bd73de
                                                              • Opcode Fuzzy Hash: a8a9f32246bc6488c105040ace2660f91d198980a3a108bd80b85c192f0036b1
                                                              • Instruction Fuzzy Hash: 104183765485859FCB13DB68E8E26A17FF4EE7B344B2D19C1C0C04B563E228B1A7E701
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.757688824.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63e4eb242b29a2e6a430033cdc9ef546794da378ffc2ec3d9cf8fa2b1d179099
                                                              • Instruction ID: 4f03d363ee6f1165c2f9ca9d2abd4a7228ac3d96e07a67add675ba17cb3eed22
                                                              • Opcode Fuzzy Hash: 63e4eb242b29a2e6a430033cdc9ef546794da378ffc2ec3d9cf8fa2b1d179099
                                                              • Instruction Fuzzy Hash: 8C213771E116188BEB18CF6BD94078EFBF3AFC8300F14C5AAD858A7255EB7049428F50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.757688824.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1bc74d81aedd98635c892fdc007fa1304d41113261b7a91d5129d85b42f6e26
                                                              • Instruction ID: ade817c3ff2ea6a8de5acdacaa00c39137af6f390f068bdfb0beaeea89094e0c
                                                              • Opcode Fuzzy Hash: b1bc74d81aedd98635c892fdc007fa1304d41113261b7a91d5129d85b42f6e26
                                                              • Instruction Fuzzy Hash: 8521CBB1E046088BEB58CFABC94469EFBF3AFC9300F14C56AC518AB265EB754506CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.757688824.00000000062A0000.00000040.00000001.sdmp, Offset: 062A0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c2f64f44c0808fa214d08b76b08071385dba2c36d2d8ef2aa8a902d619a5758
                                                              • Instruction ID: acaca882bc943370a5d2230f9d4d0856da30db87bb47cde6144ba00f327f4853
                                                              • Opcode Fuzzy Hash: 6c2f64f44c0808fa214d08b76b08071385dba2c36d2d8ef2aa8a902d619a5758
                                                              • Instruction Fuzzy Hash: 2B21EFB1E116189BEB18CFABD94078EFAF7AFC8300F14C56AD918A7255EB7149428F40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751703450.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: aw R$dw R$nw R$xw R${w R$|w R$}w R
                                                              • API String ID: 0-138774791
                                                              • Opcode ID: a15c48d8272d14587cb6cf7bd8218b24a30623007ca16e048c9f6120475d141c
                                                              • Instruction ID: 267e9b62526fdbaea9d12ea5bb2ba271a605a07a38d9e06eccde7b0b2d8eaa73
                                                              • Opcode Fuzzy Hash: a15c48d8272d14587cb6cf7bd8218b24a30623007ca16e048c9f6120475d141c
                                                              • Instruction Fuzzy Hash: 514149783401545BE744A7E8DC217BF618F9BC6BC0F209439A10AEF3DACDB5AC0197A6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.751703450.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: K*l$K*l$K*l$K*l
                                                              • API String ID: 0-521590805
                                                              • Opcode ID: 6c18f661cc3424ce397c31e54551d6d015b0716988a4e5d3a6ed7b7cffdc6f91
                                                              • Instruction ID: af5630ba198ef21efd7dbf5d5da53fc503386dde21166854b265fd289c6aae73
                                                              • Opcode Fuzzy Hash: 6c18f661cc3424ce397c31e54551d6d015b0716988a4e5d3a6ed7b7cffdc6f91
                                                              • Instruction Fuzzy Hash: 1511CE703002045FC340EBBAF095B2ABAD5AFC9798750447DEA0ADB762DF62EC058B91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%